[William R. Evanina is the Director of the National Counterintelligence and Security Center and the recipient of the 2017 ICIT Pinnacle Award.]
Silicon Valley is synonymous with innovation and technology. As anyone working in this space knows—particularly for start-ups with proprietary information—you have to be able to trust your employees to guard your company’s unique assets.
Many Bay Area companies directly contribute to U.S. critical infrastructure, including communications, IT, and energy. I urge everyone to learn more about what can be done to protect our nation’s critical infrastructure from insider threats.
Among my duties as the Director of the National Counterintelligence and Security Center, I’m responsible for providing outreach to U.S. private sector entities—which own and operate most of our nation’s critical infrastructure—in order to minimize risks resulting from intelligence collection, penetration, or attack by America’s adversaries. As recent cases have demonstrated, insider threats can be devastating.
The good news is that the risks from insider threats to the nation’s critical infrastructure can be reduced significantly. Here are several important steps, based on U.S. government best practices, which can help your organization become better prepared to identify and address insider threats:
Decide who should be engaged: Designate a single individual in your organization to supervise the effort, and identify individuals in key areas of your organization to participate: human resources, security, information technology systems, training, legal, and other managers.
Determine what matters most to your organization: Identify your organization’s “crown jewels”: information that, if destroyed or stolen, would damage or destroy the enterprise (e.g., products, production techniques, trade secrets, software, and customer information).
Reassess personnel management practices: Perform background checks, which should include contacting references, verification of previous employment, and education. As staff circumstances can change over time, conduct periodic re-checks. Non-disclosure agreements—particularly related to the organization’s “crown jewels”—and non-compete clauses in work agreements should also be considered.
Develop clear termination procedures: When an employee departs, a checklist of procedures should be in place to protect the organization. These procedures can include: exit interviews to assess the employee’s potential risk to the organization; reminders about disclosure risk; termination of access to facilities (e.g., locks and alarm codes); and deletion of network accounts. An insider can cause damage even after they’ve left the organization.
Engage the workforce: Engage with the workforce to create a culture of awareness of everyone’s role to protect the organization, the “crown jewels,” and their jobs.
Review IT systems for security and vulnerability: Depending on the size, scope, and criticality of the IT system, you may wish to log and monitor all user activity on the system, consistent with applicable privacy laws. System monitoring can identify if insiders are accessing information they do not need for their job; if they are copying, printing, or e-mailing excessive amounts of information; or if they’re engaging in anomalous activity that goes beyond their work role. If you have an IT backup system, make sure it’s secure from tampering.
Engage your privacy experts: Ensure that your organization’s policies are consistent with current privacy laws, and protect the legal rights and civil liberties of your workforce.
Put information into context: To assess potential risk, employee behavior must be put into context. Look at issues such as changes in job performance, work habits, and use of IT systems. For example, if an employee is entering or exiting the organization’s facilities at odd hours, does he/she have a legitimate work reason for doing so?
Test your security posture: An insider threat can seriously damage an organization’s ability to fulfill its mission. Continuous review of your security posture is essential. Conduct exercises to develop an insider-driven worst-case scenario and run the organization through that scenario to improve organizational processes before you need them in real life. You can also do such things as sending out fake spear-phishing emails to the workforce to see who clicks on the links. Educate those who don’t pass the test.
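As an added illustration of the IT-system review, termination, and context steps above (example code, not part of the original article or any NCSC tooling), the following Python reviews an activity log for access outside a user's role, excessive copying, printing, or e-mailing, odd-hours activity, and account use after departure. The log format, role mapping, user names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (assumptions): need-to-know per role, HR departure dates.
NEED_TO_KNOW = {"engineer": {"source", "design"}, "sales": {"customers"}}
USERS = {
    "alice": {"role": "engineer", "departed": None},
    "bob": {"role": "sales", "departed": None},
    "carol": {"role": "engineer", "departed": "2024-03-01"},
}
DAILY_EXPORT_LIMIT_MB = 500   # assumed threshold; tune to each role's baseline
WORK_HOURS = range(7, 20)     # assumed normal hours, 07:00 to 19:59

# Constructed log: timestamp, user, action, information category, size in MB.
LOG = """\
2024-03-04T10:15:00 alice read source 2
2024-03-04T10:20:00 bob read source 1
2024-03-04T11:00:00 bob email customers 300
2024-03-04T11:30:00 bob copy customers 350
2024-03-05T02:40:00 alice print design 5
2024-03-05T09:00:00 carol read design 1
"""

def review(log_text):
    """Return (user, finding, timestamp) leads; each still needs human context."""
    findings = []
    exported = defaultdict(float)  # (user, day) -> MB copied/printed/e-mailed
    for line in log_text.splitlines():
        ts, user, action, category, size = line.split()
        when = datetime.fromisoformat(ts)
        profile = USERS.get(user)
        if profile is None:
            findings.append((user, "unknown-account", ts))
            continue
        # A departed employee's account should have been deleted already.
        if profile["departed"] and when >= datetime.fromisoformat(profile["departed"]):
            findings.append((user, "activity-after-departure", ts))
        if category not in NEED_TO_KNOW[profile["role"]]:
            findings.append((user, "outside-role-access", ts))
        if when.hour not in WORK_HOURS:
            findings.append((user, "odd-hours", ts))
        if action in {"copy", "print", "email"}:
            key = (user, when.date())
            before = exported[key]
            exported[key] += float(size)
            # Report once, at the event that crosses the daily limit.
            if before <= DAILY_EXPORT_LIMIT_MB < exported[key]:
                findings.append((user, "excessive-export", ts))
    return findings
```

Each finding is a lead to be put into context, not a verdict: the odd-hours entry, for example, may have a legitimate work reason.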
The National Insider Threat Task Force and the Defense Security Service have produced training, best practice guides, and toolkits for the federal government that can be readily adapted and applied to the private sector. These useful products can be found online at www.cdse.edu/toolkits/insider/index.php. You can find out more about how to address the threat, as well as learn more about the National Counterintelligence and Security Center online at NCSC.gov, and you can follow us on Twitter @NCSCgov.
If you haven’t made plans to protect your organization from insider threats, you should begin that process right away. Your organization’s future may be at stake. To combat the threat, I urge all of you to know the risk, and raise your shield.