Leveraging Public Data to Mitigate Threats
This article was originally published in March 2020 as part of an ASIS member-exclusive eBook.
Insider attacks generally take the form of theft, fraud, sabotage, or violence by individuals with access to the critical resources of an organization. Unsurprisingly, worrisome indicators often exist prior to these malicious acts. More and more, these indicators are reflected in publicly available spaces.
For example, before the 6 December 2019 attack at Pensacola Naval Air Station in Florida, Saudi Air Force officer Mohammad al-Shamrani exhibited anomalous behavior. He obtained a Florida hunting license (the exemption that allows a non-immigrant visa holder to buy a firearm in the United States) and then bought a handgun and several extended magazines, which are not common hunting gear.
Al-Shamrani then began making increasingly extreme social media posts. Hours before the attack that left three U.S. Navy sailors dead, he posted a hate-fueled manifesto on Twitter. A post-incident investigation found that 17 of al-Shamrani’s fellow Saudi students had social media profiles containing jihadi or anti-American content. More than a dozen Saudi servicemen were expelled from the United States after a Pentagon-ordered review of the training program.
Like many before it, this attack raised the question of how public data can be leveraged to detect and prevent insider attacks. But why should organizations consider using publicly available information to safeguard their people, property, and profit?
There are three main reasons: insiders rarely act impulsively but instead move gradually toward action; along the way they leave clues in the form of changes in attitude and behavior, the progression often described as the insider kill chain; and these clues are increasingly found in public data.
Driven by the growth of the Internet and the ubiquitous personal and professional use of mobile devices, the availability of public data has exploded. Detailed personal, financial, and professional data can be found on almost anyone. The increasing power and availability of data analytics tools mean that massive amounts of personal data can be instantly aggregated, profiled, and made publicly available.
This expanding digital domain is complemented by widespread use of social media platforms. The public forums of Facebook, Twitter, Instagram, and other social sites are where people now voice their hostility, anger, or plans for malicious or violent activity.
And this phenomenon will only grow with time. Digital natives (those raised in the Internet age) are filling the ranks of organizations. Unlike their parents, who typically use mainstream platforms such as Twitter and Facebook, younger employees tend to express themselves more expansively across a widening array of social media outlets. Whether they are posting about themselves or others, the information can provide valuable insights into a potential insider’s perceptions, plans, and intentions.
Taken together, these forces have moved public data usage from a desirable—but optional—element of insider threat programs to becoming a critical resource. In today’s world, failure to leverage such a resource leaves an organization, its employees, and its leadership open to financial, reputational, and physical risk. From an enterprise risk prevention perspective, public data cannot be ignored.
The Value of Public Data Sources
Effective insider threat early warning rests on an organization’s ability to understand its employees and their potential reactions to critical events so that problems can be identified and addressed before they result in harmful action. Used legally and properly, public data can help accomplish this.
Specifically, public data can be extremely valuable in assessing prospective hires, continuously evaluating trusted employees, and informing insider threat investigations by enabling the recognition of dangerous personality predispositions, anomalous activity, and malicious behavior. With the move toward remote work, public data provides an opportunity to recognize atypical behavior that would otherwise go unnoticed or unreported.
Of the data publicly available to organizations, social media, financial data, and legal records are the ones most used for insider threat mitigation.
Whether it’s a post about themselves or a post from others about them, social media now reflects what people are thinking and doing. As such, it can offer an open portal to an individual’s state of mind and activities.
Facebook, Twitter, Instagram, LinkedIn, and other platforms may reflect unusually negative sentiment an insider feels toward an employer, colleagues, or others. It may also reflect uncommon levels of risk-taking, such as an interest in criminal activity. On a broader scale, an individual’s online affiliations can provide insights into his or her predisposition toward violence, fraud, or intellectual property theft. Finally, undisclosed foreign governmental or commercial affiliations may indicate espionage-related relationships and activity.
That said, the fluid nature of factors relevant to social media usage means that organizations need to proceed prudently before incorporating it into insider threat programs. These factors include how the public is using social media, the growing number and type of personal details being shared, the availability of stronger data analytics, and the evolution of privacy expectations and laws.
A good example of how privacy concerns are reshaping the law is the European Union’s General Data Protection Regulation (GDPR). The regulation created broad privacy protections and requires organizations to have a lawful basis, such as consent or a legitimate interest, before collecting, storing, or processing an individual’s personal data. In the employment context, EU regulators (the Article 29 Working Party’s 2017 opinion on data processing at work) consider employee consent rarely to be freely given because of the imbalance of power, so employers generally must rely on a legitimate interest, review a candidate’s or employee’s social media profiles only when the information is relevant to the position, and inform the individual beforehand that such a review will take place. Candidates and employees should also know exactly what information is being accessed and how it will be used.
GDPR may be a bellwether for future U.S. privacy law, which is currently more lenient.
U.S. employers monitoring U.S.-based employees are allowed to use publicly stated views to help determine if an individual may harm themselves, their colleagues, or the interests of the organization, and also as an element into broader analysis of an employee’s ability to hold a position of trust.
Personal financial problems have repeatedly turned out to be the missed red flag in insider data theft and fraud cases, and it is not rare for saboteurs and those mounting violent workplace attacks to also be under financial stress. Simply put, financial issues have been recognized as early warning indicators across a variety of insider attack types. Credit reports (which in the United States an employer may obtain for employment purposes only with the individual’s written authorization under the FCRA) and public filings such as tax liens can reveal delinquencies, foreclosures, collections, bankruptcies, and other problems that an employer should be aware of. With this early warning, employers can provide the assistance needed to prevent an insider from harming the organization.
As noted, the path an insider takes from predisposition to action often provides indications of strife and turmoil within the insider’s life. Law enforcement and court records can bring such turmoil in an employee’s life to light.
Investigations, arrests, convictions, civil suits, and protective orders may indicate unpredictability, volatility, strained personal relations, addiction, or an inability to follow laws and established procedures.
Law enforcement involvement in an employee’s life can also reflect drug, alcohol, sexual, and psychological problems. When viewed in the aggregate, independent events may indicate the employee should receive help or be removed from a position of trust.
As noted above, incorporating public data into insider threat and continuous evaluation programs can be challenging. Firms must determine whether the use of public data is merited and appropriate, and then come to a decision that fits their legal interpretations and corporate cultures. This decision is specific to each organization and is often based on a cost–benefit analysis comparing the expected value of insider threat detection and deterrence against the impact on employee morale and attrition.
To minimize potentially negative workforce perceptions, some organizations may decide to use public data that is less visible to employees, such as commercially available databases containing information on personal finances, credit, and law enforcement encounters, rather than more personal information like social media content. Note that in the United States such databases are typically consumer reports, so their use for employment decisions still requires the disclosure and written authorization that the Fair Credit Reporting Act mandates; "less visible" does not mean consent-free.
The following questions may help leaders determine if their organizations should use public data as an element of their insider threat program:
- What data will reliably contribute to insider threat risk mitigation?
- Can the data be legally collected and assessed?
- Can the data be efficiently and effectively processed and analyzed?
- What internal policies must be implemented before using the data?
- What will be the impact on organizational culture and employee morale?
- Are the organization and its leadership comfortable using the data?
If an organization decides to use public data for insider threat purposes, the following practices can help it do so effectively.
Ensure legal compliance, well-communicated governance, and leadership support. All insider threat programs must comply with relevant privacy regulations, and organizations should employ proper legal expertise to understand and navigate them.
Within the United States, the Fair Credit Reporting Act (FCRA), enforced by the Federal Trade Commission and the Consumer Financial Protection Bureau, governs the use of consumer reports for employment purposes, and the Equal Employment Opportunity Commission (EEOC) enforces the anti-discrimination laws that constrain how such information may be used in hiring and retention decisions. Within the European Union, the GDPR is the leading regulation (see above).
While compliance methods depend on jurisdiction, organizations must be prepared to provide the applicant or employee a written explanation of the use of public data for decisions about their employment, describe the nature and scope of the investigation, and obtain written permission. Under the FCRA, an employer that intends to take adverse action based on a consumer report must also give the individual a copy of the report and a summary of their rights before acting, so that errors can be disputed.
Getting employee acceptance of the use of public data as an insider risk mitigation resource can be greatly enhanced by the way the organization plans, promotes, and implements its efforts. Clear policies and procedures must be crafted to ensure that the monitoring of data occurs only when warranted and is focused on assisting employees to avoid harmful situations.
Employees should be advised how public data can be used to identify situations that could financially or physically harm them, and how it will not be used. Consideration should be given to matching the use of public data to the position that an individual occupies; someone with greater access or responsibility receives greater scrutiny than someone holding a more routine position. This governance should be incorporated into hiring documents so that prospective employees are fully aware of, and consent to, public data-based monitoring before they begin onboarding.
C-suite leadership should be open and consistent in its support for the proper use of public data for insider risk reduction, endorsing and promoting it as a valid security tool that can be used in a manner consistent with the organization’s mission, culture, and values. Without such support, public data usage may cause resentment and pushback from the workforce.
To further promote trust, leadership should highlight the point that employees are able to redress information used to make personnel decisions. Specifically, the individual must have access to the raw data collected from publicly available (and other) sources to challenge, correct, or dispute it.
Use only relevant data. Employers need not respond to every foolish action an employee undertakes outside the workplace, but instead should focus on activities that indicate an employee poses a potential risk to himself or herself, coworkers, facilities, or sensitive information. Program managers should develop criteria that identify the kinds of data that are relevant to workplace security, the data sources that meet these standards, and the types of potentially derogatory insights that merit further investigation.
Data should never be the sole determinant for decision making. Rather than treating derogatory information identified through public data as proof that someone is untrustworthy, insider threat program managers should treat indicators as a trigger for in-depth evaluation. That evaluation begins with confirming that the account or record actually belongs to the employee in question, since common names, stale records, and impersonation accounts produce false matches. In other words, public data should not be used in isolation to make personnel decisions; it must be placed in the context of an individual’s broader life circumstances.
Remember that past behavior is not always an indicator of similar future behavior. Old expressions may not reflect a person’s current beliefs or activities, and prior self-destructive habits (such as excessive drinking or gambling) may no longer be an issue. Indications of past financial difficulties may not accurately reflect one’s current financial health. To summarize, information on past actions must be evaluated in the context of an employee’s current personal and professional behavior.
Data usage must evolve with legal, technological, and cultural changes. The digital domain, social media, and online privacy issues are all evolving. Advances in deepfakes, machine learning, 5G networks, quantum computing, and artificial intelligence arrive constantly. While advances in data science may enable more efficient and effective use of public data for insider threat mitigation, other advances may prompt greater privacy controls, and synthetic media in particular makes it easier for a fabricated post to be attributed to a real employee.
As such, organizations must maintain a current understanding of new developments and their application to public data usage. If a new source of information meets established criteria for relevance and usefulness for insider threat analysis, an organization should consider whether and how to incorporate it into its evaluation protocol. The goal is to adopt technology that effectively identifies and ingests relevant data, ensures it conforms to organizational policies, compares or adds it to information gathered from internal sources, and packages it for evaluation by a skilled insider threat analyst.
The scope of opportunities for stopping insider attacks often goes underappreciated. Public data usage is one way to improve the identification of malicious insiders before they cause damage to an organization’s information, people, or facilities.
Val LeTellier has 30 years of risk management experience in the public and private sector. He ran security operations as a U.S. State Department Diplomatic Security Special Agent and then intelligence and counterintelligence operations as a CIA operations officer and station chief. Twenty years spent recruiting foreign sources and penetrating intelligence targets provided a deep understanding of how insiders are created, managed, protected, and discovered. Subsequently, he cofounded a cybersecurity firm that combined CIA human source and NSA technical expertise. He continues to support the intelligence community and provides pro-bono insider risk advisement to Washington, D.C., charities and non-profits. He holds an MBA, MS, CISSP, CEH, ITVA, and PMP. He leads the ASIS Defense & Intelligence Insider Threat Working Group and is a member of the INSA Insider Threat Subcommittee.