Detecting Insider Threats to Trade Secrets
Edward Snowden is somewhere in Moscow (we think), travelling with a trove of information the former National Security Agency contractor downloaded from the office. That, ironically, makes Snowden, wanted on charges of theft and espionage by the Department of Justice, something of a poster child for the very risk the Obama administration has been warning companies about this year: insider threats to sensitive data.
In February, the White House released the “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets” [PDF], including case studies of insider theft. Meanwhile, the Federal Bureau of Investigation has also publicized tips on how companies can deter an “insider spy.”
For companies to confront the issue effectively, security experts say they can’t think of trade secret security from a purely technological standpoint, but rather, have to focus on identifying at-risk behaviors among employees.
“Insider threat is all about people,” says Ed Stroz, a former FBI agent and co-president of the forensics investigation firm Stroz Friedberg.
Whether a person is undergoing personal hardship, feels unhappy at the office, or has misgivings about work, any number of stressors “could cause you to act in ways that are adverse to your employer,” Stroz says.
And therein lies a common conundrum for businesses: how do you foster a culture that prevents and detects trade secret theft by employees, without creating an aura of suspicion and putting a serious damper on the workplace environment? “It’s more of a management challenge,” Stroz says.
Stroz has two main recommendations for deterrence and detection. One is implementing what’s known as “dual control” for sensitive corporate information. Essentially, that means two people have to be present in order to gain access to certain networks—much like having two people conduct a count of all the cash in a bank vault.
That can mitigate the potential for bad acts by someone working solo. “To get two people to agree to do something together is a much harder target to achieve,” Stroz explains.
Dual control also benefits employees. For one, it can help protect them from unwarranted blame by giving them a witness. Also, if an employee ever has to make a tough judgment call on the job, they can bounce the problem off a peer.
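The two-person rule described above maps directly onto an access-control gate. The following is an added example, not code from Stroz Friedberg or from the article: a hypothetical release gate in which access to a sensitive resource is granted only after two distinct, authorized people have countersigned the request within a short window. The resource name, the approver list and the ten-minute freshness window are assumptions chosen for illustration. The demo exercises the cases a reviewer would want covered: self-approval, a lone approval, the same person approving twice, a stale first approval, and reuse of consumed approvals.

```python
"""Dual-control (two-person) release gate for sensitive resources.

Added example; the resource names, approver lists and timings are
hypothetical and constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Approval:
    approver: str
    resource: str
    at: datetime


@dataclass
class DualControlGate:
    # resource -> set of user ids allowed to countersign a release (assumed data)
    approvers: dict
    # how long a single countersignature stays valid before it must be redone
    window: timedelta = timedelta(minutes=10)
    # (requester, resource) -> list of live Approval records
    _pending: dict = field(default_factory=dict)
    # append-only trail of every decision, for later forensic review
    audit: list = field(default_factory=list)

    def _fresh(self, key, now):
        return [a for a in self._pending.get(key, []) if now - a.at <= self.window]

    def approve(self, approver, requester, resource, now):
        """Record one countersignature. Rejects self-approval, unauthorized
        approvers and a second signature from the same person."""
        if approver == requester:
            self.audit.append(("REJECT", resource, requester, approver, "self-approval"))
            return False
        if approver not in self.approvers.get(resource, set()):
            self.audit.append(("REJECT", resource, requester, approver, "not an approver"))
            return False
        key = (requester, resource)
        fresh = self._fresh(key, now)  # silently drops expired signatures
        if any(a.approver == approver for a in fresh):
            self._pending[key] = fresh
            self.audit.append(("REJECT", resource, requester, approver, "duplicate approver"))
            return False
        fresh.append(Approval(approver, resource, now))
        self._pending[key] = fresh
        self.audit.append(("APPROVE", resource, requester, approver, ""))
        return True

    def release(self, requester, resource, now):
        """Grant access only if two distinct, still-fresh countersignatures exist.
        Approvals are single-use: a grant consumes them."""
        key = (requester, resource)
        fresh = self._fresh(key, now)
        distinct = sorted({a.approver for a in fresh})
        if len(distinct) >= 2:
            self._pending.pop(key, None)
            self.audit.append(("GRANT", resource, requester, ",".join(distinct), ""))
            return True
        self._pending[key] = fresh
        self.audit.append(("DENY", resource, requester, ",".join(distinct), f"{len(distinct)} of 2"))
        return False


def demo():
    """Walk the gate through the cases that matter; returns each outcome by name."""
    t0 = datetime(2013, 7, 1, 9, 0, tzinfo=timezone.utc)
    gate = DualControlGate(approvers={"vault/formula": {"alice", "bob", "carol"}})
    r = {}
    r["self"] = gate.approve("dave", "dave", "vault/formula", t0)            # requester cannot sign
    gate.approve("alice", "dave", "vault/formula", t0)
    r["one"] = gate.release("dave", "vault/formula", t0 + timedelta(minutes=1))  # one signature is not enough
    r["dup"] = gate.approve("alice", "dave", "vault/formula", t0 + timedelta(minutes=1))  # same person twice
    gate.approve("bob", "dave", "vault/formula", t0 + timedelta(minutes=2))
    r["two"] = gate.release("dave", "vault/formula", t0 + timedelta(minutes=3))  # two distinct signers
    r["reuse"] = gate.release("dave", "vault/formula", t0 + timedelta(minutes=4))  # approvals were consumed
    # Stale case: alice signs, bob signs 30 minutes later; alice's signature has expired by then.
    gate.approve("alice", "erin", "vault/formula", t0)
    gate.approve("bob", "erin", "vault/formula", t0 + timedelta(minutes=30))
    r["stale"] = gate.release("erin", "vault/formula", t0 + timedelta(minutes=31))
    return r, gate.audit


if __name__ == "__main__":
    outcomes, trail = demo()
    print(outcomes)
    for entry in trail:
        print(entry)
```

The freshness window is what keeps "dual control" from degrading into a rubber stamp collected hours apart, and the audit trail is what gives the employee the witness Stroz mentions: every grant names both signers.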
Stroz also advises companies to pay attention to behavioral traits that could indicate an employee is at risk for committing an insider act. Is the person coming in late a lot? Is their appearance disheveled? Are they openly using profanity? “You can see behavioral indicators where a manager can make a judgment,” says Stroz.
Working in conjunction with Dr. Eric Shaw, a former profiler for the Central Intelligence Agency, Stroz Friedberg has even developed patented software that analyzes text to detect changes in a person’s state of mind. It’s most commonly applied to employee email, Stroz explains, and the firm has used it in hundreds of cases. He says the analysis helps answer the question, Does a particular worker deserve more scrutiny?
That’s also a query Shane Sims would like to see more companies ask before they hire someone. “We think there’s more companies can do on the front end,” says Sims, a principal in PricewaterhouseCoopers’s Advisory practice focused on cybersecurity.
To start, companies need to determine what information is most important to their business: assets that could cause financial, legal, regulatory, or brand risk if they were exposed or stolen.
And while this is often viewed as a tech issue, it’s a determination that is not for a company’s chief information security officer to make alone. Stakeholders from across the company need to be involved. “It’s more of a strategic conversation than a technology-centric conversation,” Sims says.
Once that’s determined, companies need to pay extra attention during the recruiting process to candidates who’d have access to that information if hired. Those roles “require more than a background check,” says Sims. “It requires a background investigation.”
Whereas a background check would turn up a person’s criminal history, a background investigation is meant to identify other risk indicators, such as financial struggles or legal problems that aren’t necessarily criminal.
Once someone is hired and inside the company, Sims recommends that companies continue to monitor for risk indicators—not just those that are related to, say, security incidents, but also HR- or ethics-related incidents. Often companies have a lot more information about a person than they think, says Sims, but they fail to correlate it.
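Sims's point that companies hold the information but fail to correlate it is, in practice, a join across feeds that normally live in different systems. The following is an added example, not the PwC or Stroz Friedberg approach and not code from the article: hypothetical events from three feeds (a security tool, HR, and an ethics hotline) are correlated per employee, and an employee is flagged only when indicators from at least two distinct feeds fall within a rolling window. The feed names, indicator labels, employee IDs and dates are all constructed. It also shows the two ways a naive approach misses: one feed firing repeatedly is not cross-source corroboration, and an HR event months old is not correlated unless the window is widened deliberately.

```python
"""Correlate risk indicators from separate feeds per employee.

Added example with constructed data; feed names, indicator labels,
employee IDs and dates are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source feed, employee id, indicator).
# In a real deployment these would be pulled from the SIEM, the HR system
# and the ethics/complaints system respectively.
EVENTS = [
    ("2013-06-03T08:10", "security", "e1042", "bulk_download"),
    ("2013-06-05T17:45", "hr",       "e1042", "resignation_notice"),
    ("2013-06-06T23:30", "security", "e1042", "after_hours_usb"),
    ("2013-05-20T10:00", "ethics",   "e2077", "expense_dispute"),
    ("2013-06-10T09:00", "security", "e3150", "bulk_download"),
    ("2013-06-11T09:00", "security", "e3150", "bulk_download"),
    ("2013-03-01T09:00", "hr",       "e3150", "performance_plan"),
]


def parse(events):
    """Turn the raw tuples into (datetime, source, employee, indicator)."""
    return [(datetime.fromisoformat(ts), src, emp, ind) for ts, src, emp, ind in events]


def correlate(events, window=timedelta(days=30), min_sources=2):
    """Flag employees who have indicators from at least `min_sources` distinct
    feeds inside a rolling `window`. Returns {employee: details}.

    Repeated hits from one feed (e3150's two downloads) never satisfy the
    rule on their own; corroboration has to come from a different feed.
    """
    by_emp = defaultdict(list)
    for ts, src, emp, ind in parse(events):
        by_emp[emp].append((ts, src, ind))

    flagged = {}
    for emp, evs in by_emp.items():
        evs.sort()
        # Slide the window forward from each event; flag on the first cluster
        # that spans enough distinct feeds.
        for ts, _src, _ind in evs:
            cluster = [e for e in evs if ts <= e[0] <= ts + window]
            sources = {e[1] for e in cluster}
            if len(sources) >= min_sources:
                flagged[emp] = {
                    "from": ts.isoformat(),
                    "sources": sorted(sources),
                    "indicators": [e[2] for e in cluster],
                }
                break
    return flagged


if __name__ == "__main__":
    for emp, detail in correlate(EVENTS).items():
        print(emp, detail)
    # Widening the window is an explicit analyst choice, not a default:
    print("120-day window:", sorted(correlate(EVENTS, window=timedelta(days=120))))
```

With the defaults only e1042 is flagged (security plus HR within three days). e3150 is not, because the performance plan is three months before the downloads; the same data flags e3150 once the window is widened to 120 days. The output is a prompt for the question Stroz poses, whether a particular worker deserves more scrutiny, and should route to a human review, not to an automated action against the employee.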
Clear policies can be a big help. For example, if employees have access to sensitive information, let them know upfront their computer may be monitored. “Be overt about it,” Sims says.
Finally, he notes, the companies that do the best job at mitigating insider threats don’t refer to the issue as “insider threats.”
“It needs a new label,” says Sims. So try “trade secret protection” or “IP protection” instead.