Confronting the Insider Threat
Edward Snowden, who has leaked classified information about intelligence collection activities of the National Security Agency (NSA), reportedly told the South China Morning Post that he sought a job as a contractor at government consulting firm Booz Allen Hamilton with a goal: to collect proof about the NSA’s domestic surveillance programs and alert the public to the programs. However, Snowden is not the typical insider threat. Most insiders who later betray their employer’s trust don’t start out with that intent. The change from benign employee to malicious insider can be spurred by anything from home-life stress to frustration at being passed over for a promotion to the thought that the company does not appreciate one’s contributions.
Though the risk is great, it is not possible to deny insiders the access to data that they will need to do their jobs. So what can a company do?
The company must have clear policies regarding how corporate data is to be handled and safeguarded, and confidential data should be clearly labeled, with access as restricted as feasible. Additionally, the company should secure the data itself and use software to track access and seek signs of suspicious activity, especially with regard to what information leaves the system or is copied. This article focuses, however, on the human factor—what companies can do in the hiring process and throughout employment to detect signs that a person is likely to become, or has become, an insider threat.
Individuals who end up becoming an insider threat exhibit some common traits. That doesn’t mean all insider threats have these traits or that all people with these traits will become a threat. But it can be useful to know what these traits are.
One possible worrisome trait is narcissism, according to Satyamoorthy Kabilan, director of National Security and Strategic Foresight at the Conference Board of Canada: “It’s about people who perceive that they’re far more valuable than they actually are; they have an exaggerated value or view of the value that they bring to the organization, an exaggerated view of their abilities and achievements, and [they] are usually very intolerant of criticism. They minimize the significance of the contributions of others.”
Narcissism is also singled out as a possible red flag by Dan McGarvey, security program director for Global Skills X-Change (GSX) and member of the insider threat working group under the ASIS International Defense and Intelligence Council.
Histrionic personality disorder is another. That disorder is associated with a need for attention, and approval, and excessive emotion. A third red flag is antisocial personality disorder, which is often known as sociopathy.
Of course, it’s important to recognize that with some of these characteristics, such as narcissism, they may also be present in high performers in certain organizations, so they can’t be something that you simply use to screen out potential threats. The real problem is distinguishing between the types of people who are not a danger to the company and those who have a higher potential to become one, says Kabilan.
McGarvey has been doing research that tries to identify certain models that incorporate the various types of personalities that are often seen in insider threats. He believes they have encapsulated most threats in three models. The first is the counterproductive workplace behavior model, which McGarvey says has to do with issues of control, and a feeling of a need to take back individual control. He says this model includes someone like Bradley Manning, a soldier who passed classified material to the Web site WikiLeaks. McGarvey says this model also describes perpetrators of workplace violence, such as Army Major Nidal Hasan, who went on a shooting spree at Fort Hood.
The second model is the organizational citizen, which is where Snowden might fit. These are “individuals who have a very strong sense of justice and in what they believe is right,” says McGarvey.
The third model is called Ten Stages in the Life of a Spy, and it looks at the steps an individual must go through to become a spy and sustain spying.
“So those three models put together actually then account for just about everyone we’ve seen in terms of inappropriate behavior in the work force,” McGarvey says.
Harley Stock, a forensic psychologist who has worked with insider theft, advises that when companies are looking to weed out people like Snowden, it’s important to include personality assessments in the screening. “Some of the things that you look for [indicating] a guy like [Snowden] is somebody who’s overly moralistic, who has very strongly held beliefs about how the world should operate, so they have the kind of rigidity in their personality that things are right or wrong, black or white. There’s no gray area. There’s no area for negotiation, compromise, or alternative views of the world. And that, somehow, his view is the correct view.”
Stock says Snowden uses a psychological justification mechanism to say, “They’re wrong, I’m right, therefore, I have a moral, ethical obligation to do something about it.”
Stock advises that when doing these personality checks, the company should ask applicants not only for positive references, but also for references from people the applicant admits to having had difficulty with at some point in the past. “Now somebody says to you, ‘well, I’ve never had any difficulty,’ well, that already would raise my index of suspicion.”
Some of the questions that a company would want to ask a reference about the job applicant are “How does the person handle decisions? Are they flexible? Do they seem to dig their heels in and not listen to opposing points of view? Have they done anything that’s disturbing to you?” says Stock.
A common characteristic shared by those who pose an insider threat is dishonesty, says McGarvey, so prospective employers should be on the lookout for any type of deception in the hiring process. “So if a person comes in and they give you a bogus, not necessarily an incomplete résumé but a bogus résumé, not only are they being dishonest but they’re trying to manipulate the situation into making you think they’re someone they’re not,” McGarvey says. He adds that it’s not necessarily that the applicant makes errors, but why there are errors and if they are intentional.
John McGonagle, managing partner of The Helicon Group, recommends asking job candidates about their job history and any issues with prior employers. Too many job changes could be a red flag. “Some high achievers are constantly changing jobs,” he says, but it might be worth looking into.
“Maybe they’re trying to get ahead or maybe they’re going from company to company stealing products and moving to the next company…. Until you associate that as part of the group of inappropriate behaviors, you don’t necessarily see it as an insider threat issue, you just see it as somebody who’s trying to get ahead,” McGarvey says.
McGonagle also recommends asking whether applicants have been involved in lawsuits with prior employers. They “may have been perfectly legitimate…but it’s a legitimate question to ask,” McGonagle says.
One way to avoid individuals who could go either way is to hire someone with characteristics that tend to mitigate insider threat risk. For example, working well with others, showing compassion to and for others, responding well to criticism, and communicating frustrations effectively—these are all qualities to look for in job candidates, says the Deloitte report Building a Secure Workforce. Prospective employers can seek to determine whether a person has these characteristics by talking with a person’s references and asking the right questions during written and oral interviews.
A thorough background check is an obvious first step in screening out insider threats, with the above-mentioned red flags as one guidepost. Even the best check will miss insiders who haven’t yet done anything wrong, but it may catch others who have already transgressed or have exhibited some troublesome behaviors.
Companies that use background checks must decide whether to do the check themselves or contract it out to a third party. Going to a third party will cost more but the screening company will be more experienced at the work and will usually have more resources to pursue for the check.
Whether the check is carried out in-house or contracted out, management must decide what the check will entail, but they must consult counsel to ensure that they are staying within all applicable laws. “And make it very transparent and visible,” says Eugene Ferraro, chief ethics officer of Convercent.
If conducted by an outside company, or what is often referred to as a consumer reporting agency or CRA, the background check is bound under the limits of the Fair Credit Reporting Act (FCRA), which is meant to protect consumers. For employment background checks, the FCRA requires that the company provide written disclosure to the applicants before obtaining a consumer report, as well as receive authorization to obtain the report. The FCRA requires strict compliance. The authorization has to be provided to an applicant on a single page, separate and apart from the application or other documents,” explains Ryan DiClemente, of Saul Ewing LLP. So, for example, if a company “includes that authorization at the very end of its application, that’s going to be insufficient under the FCRA. And there’s been litigation that has recently arisen as a result of that.”
The company must also provide a copy of the report and certain disclosures prior to taking any action against the applicant if the report leads to an “adverse action,” which could include not being hired, as well as certain additional disclosures after the adverse action is taken. Investigative reports that include interviews on the person’s background and character have additional FCRA requirements. However, when a current employee is suspected of wrongdoing and that spurs the background check or investigation, it may be exempt under FCRA. “Just by way of example, if your company suspects somebody of theft, and at that point, you decide to run a background check that is related to the conduct, the disclosure requirements of the FCRA are unlikely to apply,” notes DiClemente. He adds that it makes sense that “you would not want to be putting an employee on notice that you suspect them of something because it could jeopardize the internal investigation.” The company must work with legal advisors to ensure that it complies with all state and local laws that apply as well.
Criminal histories. Companies may want to check criminal histories of job applicants for red flags that could indicate a person might not be trustworthy, but they have to be careful to abide by legal restrictions increasingly being placed on the use of this type of information. (For more information on this topic, see “Managing” on page 74).
Due diligence. Whatever the background check entails, the information in it must be verified. An unreliable background check will be useless. For example, it has been reported that Snowden’s education claims were not entirely accurate, but according to public reports, this did not lead Snowden’s background checker U.S. Investigations Services, known as USIS, to revoke his security clearance. That contractor and others that have done similar work for the intelligence community are now being scrutinized. (It may turn out that they have explanations for what occurred.)
How can a company ascertain whether the vendor hired to do background checks is doing a good job? “Some sort of quality assurance is appropriate,” Ferraro says. For example, the contractor might be asked to do background checks on some individuals about whom the results are already known so that the results can be compared and the thoroughness of the work assessed. One of the reasons USIS is under scrutiny is because the company allegedly did not do all of the secondary reviews it claimed to have done to ensure that reported results were accurate.
Ferraro advocates conducting proper due diligence on the vendor. “It’s like anything else. You just don’t take your cars to any mechanic, you take them to the right mechanic if you want the problem fixed. So due diligence is an important component. And associations, trade organizations like ASIS International and [the Society of Human Resource Management] often hold training and seminars on this topic, as do all of the major law firms. In fact, law firms are a very good source of finding a quality vendor,” says Ferraro.
In-house. When a company conducts the background check on potential employees on its own, says Ferraro, “much of the Fair Credit Reporting Act does not apply.” However, before companies jump on that option, they must consider the drawbacks to in-house searches. First is greater liability. “Number one is a risk-management issue. If I use you as my vendor and something happens, I can always sue you. If I do it myself, who am I going to sue?” Ferraro says.
Then there is the fact that the company might not have the in-house expertise or resources. Ferraro points out the difficulty in searching for criminal records. There is no comprehensive one-stop shop for all of the nation’s criminal records, so it often requires going straight to sources where the applicant has lived. Ferraro says that it might be easier for a third party, which already has relationships and an infrastructure that allows it to do those sort of checks.
On the Job
Preemployment screening is only a small part of the equation, however. Most insiders will pass any screens with flying colors because they aren’t a risk at the time of the screening. As stated earlier, insiders tend to develop their decision to do harm over time.
McGarvey says that what pushes someone over the line that makes them become a threat could be personal, like financial debt, or related to what the business is doing, which might be something like furloughs or salary cuts or actions that the employee dislikes or deems wrong, as appears to have been the case with Snowden.
And when there is movement from the idea of doing something to actually taking the action, such as stealing information, Stock says that it often begins about a month before the employee leaves the company. Companies needs to be vigilant about looking for signs of trouble to detect the move to action when it occurs. But what should they be looking for?
Behavioral changes may be one sign that an employee has become an insider threat. For example, a change in hours; an employee who used to work 9 to 5 will start working earlier or later and spending more time in the office alone. They’ll begin accessing data that they don’t need or that they never accessed in the past.
Stock adds that companies should look at what types of systems employees are accessing, who they are talking to, and what types of questions they are asking about information they normally would not be involved with.
Psycholinguistic changes. Psycholinguistic changes can be a tipoff that someone is becoming an insider threat. These can be discovered in some cases through personal interaction as well as e-mail monitoring with special programs. “They’ll start not only complaining more but you’ll see sentences that have the word ‘I’ in it more. ‘I did this, and I’m not appreciated. I did this, and you did this to me when I did that.’ So it’s becoming more focused on them as opposed to business,” says Stock.
Stock says another psycholinguistic trait to look for is what is known as aversive frustration: “‘I have a goal. My goal is to get a promotion. You, my supervisor, are standing in my way. So, now as I’m trying to move towards my goal, you’re keeping me from that. The more I feel that I’m being kept away from my goal, averted from that, the more frustrated I become. The more frustrated I become, the more I think of what I need to do to get to where I need to be.’ So that sense of frustration comes out so the person will say things like, ‘you know, I’ve been here for 15 years, and this is how you treat me. I’m not appreciated. You say that you want me to succeed but you’re standing in my way.’ So you see that shift.”
Cognitive distortion is another possible indicator that someone may be going down the path of becoming a threat; it’s when the person misinterprets others’ actions. And McGarvey says that individuals will sometimes “demonize” the company or their coworkers. That’s “where you start talking about an individual or other individuals and really saying things about them to dehumanize them in your mind. You see that in countries, you see it with groups…. You start talking about how bad the company is, how they’re doing this, how they’re doing that,” McGarvey says.
No one person in the company is going to have the complete picture of any one individual, so companies may want to have a team composed of representatives from various departments that meets periodically to discuss whether anyone sees signs of any insiders exhibiting behavior that seems troubling. The team should include representatives from human resources, security, legal, and others as appropriate, so that all of them can bring together their perspectives on the risk.
“If you suddenly find that each and every department from a completely different angle has seen certain risk characteristics, then the chances that this person may be an insider threat certainly are much higher,” says Kabilan. He says the frequency with which these teams should meet would depend on the organization. “It could be anything from monthly to quarterly; it really depends on the size of the organization and the sort of security risks that they have. But it should be a regular thing. It should not be something that gets convened because an issue has arisen.”
Awareness. Apart from this team, the company will benefit from raising the general level of awareness throughout the company. The Deloitte report advises companies to establish insider-threat awareness programs for the employees as one part of a culture that mitigates insider risks. This will also help put all employees on notice about what the company policies are with regard to the confidentiality of the company’s proprietary information, what behaviors are not allowed, what might trigger monitoring of employees, and what disciplinary actions might result from violations of the policies.
In addition, according to the Deloitte report, “Ongoing educational campaigns directed at the work force about the threats posed by insiders can heighten sensitivity to insider threat challenges, and provide concrete, practical steps employees can take to minimize asset loss.”
The Deloitte report also advocates creating networks of security-minded people and training the work force to observe, collect, and report information on suspicious behavior. That includes making sure there is a way for employees to report such behavior. The report also suggests developing a way to test this training to ensure that it is effective.
“The challenge of asking the work force to become involved is both one that’s a practical issue and a perception issue,” says McGarvey, who implemented insider-threat programs when he was director of information protection for the U.S. Air Force.
Security doesn’t want to be seen as being like the Stasi was in East Germany, asking everyone to report on everyone about everything. “First off, it doesn’t work, and secondly, it gives you a horrible reputation,” says McGarvey.
But there are ways to implement a reasonable reporting system. McGarvey says that training employees to detect patterns of behavior that indicate distress will allow the company to help the individual at risk. McGarvey says that this will involve human resources and other departments outside of security.
In the Air Force, McGarvey relied on engagement with the surgeon general’s office and the chaplain’s office, to help identify issues and to provide resources for troubled individuals.
“We wouldn’t have to go to an individual and say, ‘Hey, you’re screwed up, we’re going to pull your clearance, we’re going to fire you, we’re going to put you in jail.’ Instead, we’d say, ‘We see there’s an issue; you can go talk to a counselor; you can go talk to your chaplain, but you do need to talk to someone,’” says McGarvey.
This approach takes specialized training, however. “The training actually has to be in three different areas. You have to have training for the security officers so they understand what it is they’re dealing with and how to approach it. You have to have training for the general population, so they understand that this is not a witch hunt. And then you have to have training for the management, senior management, so they understand where you’re coming from on this and so that we can ensure cooperation with the other elements like human resources. So it has to be a very comprehensive program,” says McGarvey.
Paying to set up and maintain this type of program, including the training and reporting mechanisms, is a cost effective option when compared to intellectual property loss. However, to keep costs down, companies must figure out how they can best implement these types of programs, possibly overlaying them with security structures that are already in place; for example, augmenting the hiring process to not just look for technical skills but also social fit with the company.
If an individual does become the subject of suspicion and the company’s threat assessment team and management decide to more formally monitor that person, the company must make sure that it works with legal counsel to avoid any charges of legal misconduct and privacy violations.
Employee assistance. Where possible, the goal of all this vigilance is to catch someone at the early stages of stress and deter them from going down the wrong path. With that in mind, there are some possible mitigation strategies that may be employed to prevent someone who may be frustrated with the company, dealing with a personal crisis, or who may start considering wrongdoing from veering over into the dangerous insider threat zone. Stock notes that many companies today have Employee Assistance Programs (EAPs), and those services might be able to assist employees.
According to the Deloitte report, the EAP “can make a critical difference in interrupting forward motion of a potential insider who is in crisis and whose solution is the intent to compromise information.” The report also recommends ensuring that management is engaged. But Stock notes that companies sometimes see the red flags, and, instead of offering help, “they have a knee-jerk reaction, and they terminate them.”
When an employee is terminated, regardless of the cause, the business must have protocols that minimize the potential for the departing employee to harm the company or steal corporate data. That process actually begins when a person is hired, at which time they should have been asked to sign appropriate documents, such as confidentiality, nondisclosure, or noncompete agreements.
At the time of departure, especially when it is a termination, one of the best safeguards is to take out the paperwork that they signed and show it to them again. This reminds them that they signed a legal document and “that it is serious business,” says McGonagle. “Don’t overstate it. But again, you want to remind them that they still have obligations to you.” (Of course, this may not deter a determined leaker or a person intent on otherwise misappropriating corporate data but it will set a legal framework for later prosecution.)
Next, the company must have a process for immediately removing the terminated employee’s access privileges to any company systems and networks. This reduces the potential for the employee to take company data after the termination.
An insider looking to do harm is a uniquely dangerous villain, because of his or her proximity to the company and its information. By having comprehensive policies in place and cultivating a vigilant work force with a culture that acknowledges and mitigates insider threats, companies may be able to avoid situations where assets are compromised by trusted insiders looking to do harm.