As companies begin to open their doors back up to employees, contractors, and customers, they can also be exposed to insider threat attacks. The Defense Counterintelligence and Security Agency (DCSA) defines an insider threat and the damage it can cause as:
“The threat that an employee, contractor or individual with access to government information, systems or facilities will use his or her authorized access, wittingly or unwittingly, to harm the security of the United States.”
“Insider threats can cause significant damage to our people and our national security. The U.S. Federal Government takes seriously the obligation to protect its people and assets whether the threats come from internal or external sources.”
“DoD Contractors and other Industry members should report potential insider threats to your company’s Facility Security Officer (FSO).”
FSOs and Security Managers can face this potential impact head-on by conducting the following:
Review your last self-inspection (SI). What, if any, insider threat vulnerabilities did you identify? Was corrective action taken and annotated on the SI? Was the self-inspection provided to leadership/senior management for review? Was any adverse information reported by staff during interviews? If the staff was off-site, how was your security program impacted by conducting interviews and reviewing security procedures?
Conduct a new self-inspection. By conducting an updated self-inspection upon staff returning to the office, you can review how the change in staff presence has affected your security program. Review the security procedures established at your company and validate that they not only meet requirements but are effectively implemented. This information should then be reviewed with senior management to ensure transparency and educate management with a high-level overview of the security program.
Interview all staff. As part of the SI, you should be conducting internal interviews with staff. Cleared and uncleared employees can potentially hold keys to avoiding future damage. By interviewing staff, you are gauging their level of understanding of the security program. You are also letting your staff know that as we begin to shift back into the office, the security team remains diligent with internal audits. Review reporting requirements with employees. Remind staff of their responsibility in identifying a potential insider threat, and of the impact of not reporting adverse information.
Conduct an insider threat self-assessment. Meet with your insider threat team and discuss current policy and procedures. Review insider threat indicators along with internal reporting requirements. When was the last insider threat vulnerability? How was it reported? What was the infraction? Review company working hours. Who is authorized to work outside of normal business hours?
Annual Insider Threat Training. Review your insider threat training and ensure you are up to speed on the latest indicators and threats. When was the last yearly insider threat training distributed? Have all current staff taken the training and provided security management with a certificate of completion for review during an audit?
Review external threats. Have employees been contacted by outside threats via phishing email? When was the last suspicious contact reported? Are staff aware of the information they should and should NOT share outside of their organization? Have you or staff received suspicious cold calls requesting detailed company information?
Conduct end-of-day security checks. If classified information is being stored in your facility, then you must conduct end-of-day checks in accordance with NISPOM 5-102. Prevent the unauthorized removal of classified information from your facility by varying the time and process for security checks.
Monitoring and reporting your external threats and insider threats ensures your organization is a step ahead of potential attacks. Conducting a thorough and detailed assessment and self-inspection along with communication to staff and management are critical factors in ensuring you remain diligent in the fight against the insider threat.
David Touchton is the founder of FSO Services, and he can be reached at David firstname.lastname@example.org.
Joshua Jost is a partner at FSO Services. He can be reached at email@example.com.