Covering all the bases in the fight against insider threats

How do you know when your longtime employee has the propensity to morph into — or has already become — an insider threat?

The answer to this question has been seemingly impossible to know. Government employees and contractors may be committing leaks of classified information and financial crimes that have gone undetected for years, benefiting their wallets or, more insidiously, foreign adversaries.

The sudden exposure of the National Security Agency’s (NSA) PRISM program in 2013 via Wikileaks and Edward Snowden, a federal government contractor at the time, and then again when terabytes of data were gathered and brought off-site by Booz Allen Hamilton contractor Harold Martin in 2016, are both glaring examples of how insider threat risks are an ever-present danger to the government, and to contractors that are bound to the National Industrial Security Program (NISP).

Do early background checks, security clearances at initial hiring and periodic reinvestigations effectively weed out future offenders? Not always.

Advertisement

This is because a person’s financial or behavioral situation can change drastically over just a few years. Internal data about job performance is one key barometer, but not knowing what is happening financially and legally in their employees’ personal lives outside of work can also present significant risks to employers.

What leads to hidden crimes by government insiders? Money problems are most often at the root. A person’s threat level can change due to mismanagement of money and debt, personal or family illnesses, addictions and other external factors.

Those who commit illicit acts against their employer are usually seeing their debts increase and their ability to pay them at risk. They may be presented with monetary opportunities from adversaries, or have adverse changes in employment, such as a demotion or other work-related issues.

Preventing insider theft is only accomplished when a comprehensive strategy is put into place that addresses workers and contractors throughout their entire lifecycle of employment. It must be backed by consistent checks of the most relevant data. The use of predictive non-obvious behavioral analyses built on accurate, timely information will make checks more reliable and effective.

Examples of behavioral analyses can include a view into legal entanglements and changes in life patterns. This can be flagged from traditional credit inquiries and also what is known as “alternative data” from public records, not found on the consumer credit file.

Catching early warning signs

Using data, government agencies will obtain a better indication of whether their critical employees who are accessing sensitive information may be experiencing financial or personal distress. Catching early warning signs may be enough to allow them to provide assistance and counsel before the employee is in trouble and looking for a way out.

Agencies know when an employment situation changes, but typically do not have insight into the financial hardships of their employees or what is happening from a public records perspective. Early warning signals may include the sudden and rapid heightening of personal debt levels, missed payments on cars, mortgages or personal installment loans. Triggering events can be identified in many areas, including accounts, new accounts, inquiries, derogatory account information, and changes to address and contact information.

While an agency can know that an employee has been demoted, other factors — such as whether a government employee handling sensitive information has been increasing their debts at a rapid pace; is becoming delinquent on multiple accounts; or if has legal problems such as DUIs or criminal activity — may be invisible.

Given this reality, a comprehensive behavioral risk evaluation is necessary.

To get the full picture, the use of non-obvious data sources, or alternative data, may include subject biographic information, employers,  criminal records, property records (real property and vehicles, for example), driving records, driver’s licenses, utilities, professional affiliations and licenses, liens, judgments, bankruptcies, vehicle sightings, associated persons and businesses, relatives, neighbors and watch lists. All of this data should be viewed in context to maximize the effectiveness of an insider threat program.

Data from a TransUnion study analyzing credit and debt found that nearly 30 percent of government employees run the risk of financial distress within the upcoming year and almost 15 percent are severely at risk. The comprehensive analysis analyzed anonymous, aggregated data for consumers in the armed services, intelligence community, homeland security and  justice and civilian agencies and compared them to similar data for consumers not in government employment. According to this research, government employees generally have higher delinquency rates and larger debt loads than non-government employees.

The study also found that the key external data assets government organizations need to access include:

  • Events that indicate a change in financial wellness
  • Life patterns measured through non-financial data
  • Sudden and unexplained affluence
  • Long-term deterioration of financial well-being

Agencies and businesses can utilize available resources to better understand the sometimes unique dynamics that are at play for their respective organizations.

An especially important asset for insider threat programs is trended data. Whereas a traditional credit report offers a snapshot of a consumer in time, trended data assets leverage historical data to help identify a pattern. For example, a traditional credit report may reveal that a consumer has $10,000 in credit card debt, but a report using trended data would also indicate whether they have built up, paid down or maintained that balance over time.

Insider threat detection and continuous evaluation of cleared personnel remain the biggest challenges for the entire range of federal agencies and the military.  These are organizations that have suffered in the past, yet still are unaware of the available data that can be used to help thwart insider threats and even proactively and preemptively address an issue before their employee turns to the dark side.


Jonathan McDonald is the executive vice president of TransUnion.