Don’t neglect this underutilized source of threat intelligence

The recent arrest of another National Security Agency contractor charged with stealing highly classified documents is the latest indication that federal agencies and their contractors still aren’t doing enough to combat insider threats. While some government security experts recently told Federal News Radio that it’s the employee vetting process — not the lack of an insider threat program — that’s to blame, putting a plan in place — and quick — is still critical, even...

READ MORE

The recent arrest of another National Security Agency contractor charged with stealing highly classified documents is the latest indication that federal agencies and their contractors still aren’t doing enough to combat insider threats. While some government security experts recently told Federal News Radio that it’s the employee vetting process — not the lack of an insider threat program — that’s to blame, putting a plan in place — and quick — is still critical, even more so for contractors who, under recent changes to a Department of Defense rule, only had until Nov. 30 to submit a written proposal.

One resource often overlooked in creating and implementing an insider threat plan is the human resource (HR) department, which is chock-full of threat intelligence just waiting to be shared. As Michael O’Connell outlined in his piece recently, “7 signs your co-worker is an insider threat,” there are myriad indications that an employee (at any level) might be a risk, and the HR department typically knows about them before anyone else. On top of any personnel issues, HR would be savvy to an employee experiencing:

  • Negative reviews
  • Being passed over for a promotion
  • Unhappiness with a manager
  • Wage garnishments

Privacy concerns often discourage (or legally prevent) HR from sharing this intelligence with the information security team, but there are ways of making sure the necessary parties know they need to monitor the given employee more closely without sharing any details. Information security is at a major disadvantage if it isn’t aware of these risks, so it needs HR to be involved as much as possible throughout the employee lifecycle, not just by conducting background checks before the employee is onboard.

Count to 10: Becoming a positional risk organization

Start by inviting HR (and legal) to be part of a security threat task force to help establish and implement policies to improve communications. Together, develop and employ a simple, systematic approach to rating the risk associated with each position in an organization. A simple 10-point scale works.

How do you do this?

There’s an inherent level of risk associated with every position within an organization, mostly dependent on how much access the position has to various technologies and information — classified or not, as well as the work product the position is engaged in creating. To establish a framework for this 10-point scale, the task force should evaluate what level of access each position requires, and what the worst-case scenario could be if the information they had access to was compromised. The greater the privilege and access to sensitive data, the higher the ranking — or risk score.

As part of quantifying positional risk, determine at what level each position ranking should be monitored. A level 3 employee, for example, would obviously require less scrutiny than one ranked at a level 8 (or 10).

An example of how this framework could be established can be found — and used — in this “Quantifying Risk Worksheet.”

Once a framework is in place, determine how HR should communicate any potential changes in risk. For example, if an employee in a level 5 position receives a poor review, HR should let information security know to elevate that position’s risk to an 8 or even a 10 until they hear otherwise. Information security would then increase the inspection of the employee until HR tells them to revert to level 5, or the employee has been removed from their position.

Monitoring positions: A joint effort

Let’s delve a little deeper into what constitutes employee monitoring — and when it might be needed. Manually watching employees — or asking colleagues to alert them to any abnormal behavior they might see — might be enough when the employee is at a level 1 or 2, but once that threat is raised even one or two levels, the organization needs to leverage technologies that can look at patterns of behavior or even capture and review specific employee activity, including emails or texts, if required. Technologies such as user behavior analytics software can be set up to reactively monitor at-risk insiders or proactively put in place throughout the organization to improve an organization’s internal security.

While HR might have privacy concerns about proactively monitoring all employees, most behavior analytics software have privacy protections woven throughout the technology. For example, the programs can be set up to monitor program activity and track documents, without recording the employees’ time on their private banking sites or the organization’s HR portal, where private information would be visible. By aligning what you monitor with your goals, you can achieve them without unduly compromising privacy.

Leveraging HR and the scores of threat intelligence it possesses to help quantify the risk associated with each position can greatly improve the specific understanding of insider risk within your organization, establish appropriate monitoring levels on each activity or employee behavior, and further enhance communication between all key departments.

David Green is the chief security officer for Veriato.

Related Stories

    Don’t neglect this underutilized source of threat intelligence

    Read more