(CIO/Ira Winkler) One of the legacies of Edward Snowden’s treason is that companies are now concerned about the insider threat more than they ever were before. He demonstrates that a single person inside an organization can devastate the organization. While technology should have caught Snowden, there is also the realization that his coworkers and managers should have noticed indications of unusual activities.
The question then becomes how do you train employees to tactfully recognize the signs of a malicious insider, without creating widespread distrust within an organization. Back when I worked at NSA, one of my coworkers pointed out two documents that both describe a fellow employee who was 1) always interested in what their coworkers are doing, 2) volunteers for extra assignments, 3) always works late, and 4) never takes a vacation. One of the documents was from human resources on how to get promoted. The other was from the security department describing how to tell if your coworker is a spy.
Clearly NSA employees failed to determine which side of the spectrum Snowden fell on, while employees at his past employer, the CIA, accurately determined his predisposition to commit espionage. Snowden demonstrates that even within organizations that should know better, detecting a malicious insider is hit or miss. How then is an organization outside of the Intelligence Community supposed to make their employees aware of the concern, especially without inspiring a witchhunt?
The problem is real. Malicious insiders have wreaked havoc in organizations of all types. While the IT world focuses on stories of rogue administrators, insiders in all roles carry out thefts and other malicious actions. While some wrongdoers are very clever and are able to cover their actions very well, the reality is that just about all malicious insiders show indications of their intent. This is relevant to awareness programs as their coworkers are in the best position to see those indications.
Balancing concerns of tact and awareness is delicate, but it must be done to maintain order. Generally, there are three requirements for awareness to be effective: 1) Understanding of the problem, 2) Knowledge of what actions to take, and 3) Motivation to take the appropriate actions. Generally understanding the problem should create motivation, but an effective awareness program must specifically ensure that it addresses both concerns. You can be aware an issue exists, while not being motivated to do anything about it. . . .
. . . . You must however avoid manifesting a modern day Salem. The focus of your guidance should be telling employees to look for behaviors that are clear violations of policies and procedures. Examples include observing people looking through other people’s desks, asking for passwords, being in areas that they do not belong, and attempting to access other people’s computer accounts. There are also financial and other wrongdoings related to job roles and industry sector.
A more delicate, but just as important, aspect of awareness is for people to be comfortable reporting uncomfortable feelings. This is admittedly vague, but uncomfortable feelings have resulted in catching malicious insiders in a variety of incidents. In one case we are personally familiar with, an employee felt uncomfortable that one of her coworkers was speaking Chinese a lot on the telephone at work, and they did not work with any Chinese people. The woman reported the incident and an FBI investigation uncovered that the employee in question was funneling information to Chinese intelligence operatives. . . . (read the rest)