In a cyber climate where not even the government is safe, most companies are addressing cyber threats. But while companies may be strengthening their defenses against outside attackers, they might be ignoring another type of threat — one that hits closer to home.
Threats from Inside
Insider threats can stem from a number of root causes. According to Kevin Shewbridge, an Intelligence Analyst at Lockheed Martin, “There is no common theme; incidents and motivations vary widely.” One such motivation might be resentment over a firing decision. “Terminated or disgruntled employees often sabotage networks or other company resources as a revenge tactic,” Shewbridge explains. Greed is another driving force for some employees: “Insiders may be motivated purely by greed, and steal and sell information for financial gain.” But not all security breaches are knowingly executed. “The inadvertent or ‘accidental’ insider causes as much damage as the malicious insider,” says Shewbridge. Employees may unknowingly take trade secrets and proprietary information when they transition to their next job, potentially at a competing company. “Over half of employees think it is okay to take proprietary information with them when they leave the company.”
Companies stand to lose big when they leave themselves open to an insider attack. The average cost per incident is around $400,000, and the risk is only growing. According to Carnegie Mellon, theft of trade secrets and intellectual property is projected to double by 2017, with losses approaching half a trillion dollars annually. To safeguard organizations from inside threats, Lockheed Martin has developed a five-step Insider Threat Detection Program.
Step One: Gain Leadership Support
Anyone who’s tried to alter company policy knows it’s nearly impossible without executive support. The first aspect of getting leadership on board is making sure they have a strong understanding of the types of threats the organization faces and what’s at stake should they fail to implement a detection program. But it’s not all about scare tactics. According to Shewbridge, companies that implement this program stand to gain on a number of fronts: “It safeguards the company’s brand reputation, preserves and enhances competitive edge, is proactive rather than reactive, instills customer and shareholder confidence, safeguards company assets and information, and lessens the chance of regulatory fines and loss of revenue due to insider activity.” It’s important to show executives that the program is aligned with the company’s corporate culture and values, that it’s legally and ethically sound, and that it meets regulatory standards.
Step Two: Leverage the Latest Technology
With the support of executive leadership, you’ll be able to explore the cutting-edge technology used to combat insider threats. The latest detection tools analyze network indicators alongside behavioral risk indicators from other business functions, such as HR and corporate security. The big data analytics found in the Lockheed Martin Wisdom® Insider Threat Intelligence solution provide context and insight in real time, proactively alerting security teams to at-risk employees. These systems were designed to help organizations prioritize and drive security operations, conduct investigations, and reduce the time and resources needed to execute an effective program.
Step Three: Develop a Communications Plan
The next step in developing a strong company-wide initiative is getting everyone on the same page. As Shewbridge puts it, “All employees play a role in protecting the company and its resources.” An organized communications plan can be an efficient, effective way to inform employees about new policies and protocols that will be implemented with the launch of the Insider Threat Detection Program. This strategy should be developed in close coordination with the communications, HR, and legal teams to ensure messaging aligns with the corporation’s culture and values.
“The idea is to be as transparent as possible about the program to the employee population without giving away the ‘secret sauce,’” Shewbridge says. That secret sauce can be “any process, procedure, or technique used to detect insider threats that, if known to the insider, would give that insider the knowledge to know how to alter their behavior to avoid detection.”
Step Four: Execute a Training and Awareness Campaign
All employees should receive education and training on insider threats, but to varying degrees. “Certain employees — those more susceptible to targeting or solicitation by competitors — should receive more extensive or frequent training,” Shewbridge explains. “Employees who frequently travel internationally, for example, may receive training on tactics, techniques and procedures employed by foreign competitors to collect sensitive or proprietary company information.”
Step Five: Establish a Governance Structure
Without governance, there is chaos — especially when threats are involved. The final step in implementing a detection program is creating a governance structure to oversee it. “A governance structure is composed of senior leaders from each business area that has a stake in the program,” Shewbridge explains. “This could include security, human resources, legal, ethics, privacy, information security, risk and compliance, etc. Each member represents their particular area and has an equal role. But ultimately, the CEO, in consultation with legal, has the last word.”
If you’re ready to arm your company against insider threats, head here to learn more about Lockheed Martin’s detection program.
Jessica Ferri is a writer based in Brooklyn. You can find her at jessicaferri.com.