Trust in the Information Age
The recent arrest and criminal charges against Airman First Class Jack Teixeira for the alleged posting of classified and sensitive information on social media is yet another example of the significant risk that trusted individuals pose to government and businesses. In today’s information age, relatively low-level employees have access to a treasure trove of sensitive information. Teixeira was not a consumer of the information that he posted on social media. He was instead part of the Department of Defense apparatus that facilitated the flow of classified information to the many analysts and decision makers who use sensitive or classified information as an essential part of their duties.
When there is a government leak, there is often significant press and attention around such activity. But what about businesses? Insider risks – including leaks – can be equally catastrophic to the security and fundamental operations of an enterprise.
Enterprises face a range of insider risks. An employee can walk out the door with critical trade secrets, and bring them to their next employer. A contractor can access information, aiding a competitor for additional financial compensation. After feeling slighted for a lack of promotion or bonus compensation, staff could leak information as revenge.
Understanding where an insider’s motivations may be coming from can help drive mitigation tactics and controls.
Access Controls
Does every individual in an organization need access to every drive? Should employee keycards work for every door and storage closet?
Teixeira’s role was not all that different from IT professionals in business organizations that have system administrator privileges as part of their job. Such admin privileges can be used inappropriately and cause significant damage to an organization. An insider in any organization that has access to sensitive or secret information has the capability to do great harm to that organization (and its business partners). So, what can organizations do to safeguard their operations? In many instances, privileges must be granted—but they also must be monitored.
Trust but Verify
Trust is a significant cornerstone of the government security clearance process in the United States and business information security programs. Organizations cannot be surprised by a breach of trust. They should work to prevent a breach, while recognizing that a breach could occur. In order to stay one step ahead, entities must have a practiced plan in place to mitigate the damage from a leak – planning in a crisis is never a good option.
Many organizations address the insider threat by relying on trust of vetted individuals, but do little to verify compliance. In our role overseeing compliance with CFIUS National Security Agreements, we often see companies who have constructed strong information security policies and procedures but fail to verify that their program is working. They construct training programs, but do not test to determine if their employees actually understand the training. They vet employees to determine if they can be trusted with sensitive information, but fail to continually evaluate those trusted individuals. We all know life circumstances can and often do change, and those changes can significantly impact and alter an assessment of one’s trustworthiness. As a result, ongoing diligence is key.
Implement an Insider Threat Program
What should be done? Businesses and government can still trust but must watch individuals who have access to sensitive or valuable information. The level of watchful vigilance should be proportionate to what information or data needs protecting.
If you are a business without an insider threat program: Start one now. If your organization has such a program: Evaluate and enhance it, because this threat is not going away.
Any insider threat program should consist of:
- A culture of compliance. Look to positive reinforcement to encourage employee participation. Don’t create an environment of fear.
- Good training that tests its effectiveness. Solicit user feedback and review analytical data. Conduct knowledge checks and rehearse real life scenarios.
- Know what you are protecting. Understand what your company’s critical assets are, where they are stored, and how they are protected. Control and monitor access to them.
- Exercising the system to identify weaknesses; strengthen the system through lessons learned. Perform a technical assessment of your network/physical security. Update company policies. Have clearly published guidance on reporting and accountability.
- Prepared incident response plan if something does go wrong. This must be regularly reviewed and rehearsed. You’ll learn lessons each time that will inform improvements and updates.
- Exhibit positive teamwork! Everyone should feel personally invested in the success and security of the company.
Despite perceived best efforts, organizations often end up with “half a program,” having hired individuals who are deemed trustworthy, and efforts for ongoing monitoring halted. Organizations often take the view that ongoing monitoring or vetting of behavior implies a lack of trust—however, trust cannot be built as a snapshot in time. Circumstances change regularly, and so too do risks. Continuous vetting of trusted employees and contractors is essential to an effective information security program to ensure insiders remain trustworthy and risks are kept at bay.