Last week, at the Global Security Operations 2010 event in Atlanta, then-Chief of the Counterintelligence (CI) Strategy and Domain Section, Thomas Mahlik, gave a briefing to attendees on industrial espionage, specifically about the means and methods used used by hostile countries to target US technology industry companies and their people.
Chief Malik mentioned a statistic that you have probably already heard, that 71% of proprietary information loss involves an insider to the organization.
While listening to his presentation I had a realization about four typical security programs whose siloing definitely increases security risk.
These four security programs are: workplace violence, proprietary information protection, andsecurity education, awareness and training, and employee hiring. (Yes, I know that hiring is a Human Resources function, but doesn’t Security set some of the criteria for employee qualification and background checks, and employee acceptable behavior?) Even when these programs aredirected or executed by the same security personnel, a lack of correlation of their data puts small blinders on security’s eyes. It is very common for these four programs to be out of sync with each other, because the materials on which they are based typically come from independent sources.
You should consider these four security programs to be related. Here is an example of how their siloing hurts security.
One element of workplace violence is the disgruntled employee. The disgruntled employee is also the most typical target for outsiders seeking proprietary information. In fact, even a slightly disloyal employee will do to get the ball rolling. How do you find such employees (or contractors)? Certainly someone who fails to show up for security education, and who intentionally violates “minor” security rules (“minor” means not considered serious enough by others to report), is in the disloyal category.
Do you see another reason now why metrics relating to security education, awareness and training are important? Repeated failures to participate in security education activities should set a red flag, requiring follow-up, and escalation if the individual refuses to “get with the program”.
This is not just my opinion.
“You have a significant proportion of the insider threats coming from the average employee who feels disloyalty to the employer,” said Terry Gudaitis, director of incident response services for Science Applications International Corp. (SAIC). “There also is an influx of those who are in organized groups who want to obtain information for competitive and financial reasons, which refers to economic espionage.”1
Minor security violations, and continued refusal to participate in security education (despite reasonable-sounding excuses), should be recognized as low-level threshold indicators. Why wait for a major violation or incident? If you can’t correct the small violations, you won’t be able to prevent the large ones that will really hurt your organization. Most actions related to proprietary information loss are not visible violations. This is why the other visible violations are important indicators.
What? You can’t enforce security education? It’s not mandated by company policy? Managers won’t reprimand for it? it isn’t brought up in annual personnel reviews?
If you get pushback on these things from management above you, contact Special Agent Babak or gather some other good material1 on the subject, and if that doesn’t win them over, take your case to the CEO (you had better be proposing solutions and have clear summaries of them).
Security violations (including no-shows for education) should be cross-referenced with other indicators across security programs.
And if you don’t have all four security programs going, you had better get them going fast.
Unless, of course, your organization’s people and assets are not worth protecting.
Best regards,
Ray Bernard
1 The Insider: Best Practiced Edition (August 2006), by Dan Verton, excerpted on this web page: http://www.infragardconferences.com/thegardian/3_2.html (opens in new window)
An Ounce of Prevention: Insider Threats
Last week, at the Global Security Operations 2010 event in Atlanta, then-Chief of the Counterintelligence (CI) Strategy and Domain Section, Thomas Mahlik, gave a briefing to attendees on industrial espionage, specifically about the means and methods used used by hostile countries to target US technology industry companies and their people.
Chief Malik mentioned a statistic that you have probably already heard, that 71% of proprietary information loss involves an insider to the organization.
While listening to his presentation I had a realization about four typical security programs whose siloing definitely increases security risk.
These four security programs are: workplace violence, proprietary information protection, andsecurity education, awareness and training, and employee hiring. (Yes, I know that hiring is a Human Resources function, but doesn’t Security set some of the criteria for employee qualification and background checks, and employee acceptable behavior?) Even when these programs aredirected or executed by the same security personnel, a lack of correlation of their data puts small blinders on security’s eyes. It is very common for these four programs to be out of sync with each other, because the materials on which they are based typically come from independent sources.
You should consider these four security programs to be related. Here is an example of how their siloing hurts security.
One element of workplace violence is the disgruntled employee. The disgruntled employee is also the most typical target for outsiders seeking proprietary information. In fact, even a slightly disloyal employee will do to get the ball rolling. How do you find such employees (or contractors)? Certainly someone who fails to show up for security education, and who intentionally violates “minor” security rules (“minor” means not considered serious enough by others to report), is in the disloyal category.
Do you see another reason now why metrics relating to security education, awareness and training are important? Repeated failures to participate in security education activities should set a red flag, requiring follow-up, and escalation if the individual refuses to “get with the program”.
This is not just my opinion.
“You have a significant proportion of the insider threats coming from the average employee who feels disloyalty to the employer,” said Terry Gudaitis, director of incident response services for Science Applications International Corp. (SAIC). “There also is an influx of those who are in organized groups who want to obtain information for competitive and financial reasons, which refers to economic espionage.”1
Minor security violations, and continued refusal to participate in security education (despite reasonable-sounding excuses), should be recognized as low-level threshold indicators. Why wait for a major violation or incident? If you can’t correct the small violations, you won’t be able to prevent the large ones that will really hurt your organization. Most actions related to proprietary information loss are not visible violations. This is why the other visible violations are important indicators.
What? You can’t enforce security education? It’s not mandated by company policy? Managers won’t reprimand for it? it isn’t brought up in annual personnel reviews?
If you get pushback on these things from management above you, contact Special Agent Babak or gather some other good material1 on the subject, and if that doesn’t win them over, take your case to the CEO (you had better be proposing solutions and have clear summaries of them).
Security violations (including no-shows for education) should be cross-referenced with other indicators across security programs.
And if you don’t have all four security programs going, you had better get them going fast.
Unless, of course, your organization’s people and assets are not worth protecting.
Best regards,
Ray Bernard
1 The Insider: Best Practiced Edition (August 2006), by Dan Verton, excerpted on this web page: http://www.infragardconferences.com/thegardian/3_2.html (opens in new window)