Tip Line

The Soteritech anonymous insider threat tip line is active and available to any organization that would like to encourage its employees to "say something" if they see something that might be an insider threat indicator.  The service is free of charge from Soteritech.  Often employees are reluctant to call out a fellow employee if something seems a bit off about a colleague, or if they witness the colleague involved in an insider threat activity.  They give the benefit of the doubt, especially if they might be identified as the whistleblower.  They fear they could be wrong about their suspicion, or fear potential reprisals from the organization.  

As organizations, though, we want to encourage employees to provide this type of information, but we also want them to feel comfortable doing it.  For this reason, Soteritech intermediates on behalf of the informing employee by simply collecting the insider threat information and the intended destination email address, reviewing it, and then forwarding the information (unaltered) on the employee's behalf.  It's a great free service I hope organizations will take advantage of.  Contact me if you have questions... doug.sampson@soteritech.com.  

Getting into DTSA details

Smart Business takes a crack at how the updated trade secret law will impact businesses...

One recommendation...
"Revise employee agreements to fulfill the notice requirement of the DTSA for trade secret disclosure to the government. Under the new law, companies must provide notice of whistleblower and retaliation protections for reporting suspected trade secret violations to both current employees and contractors."


DLA Gets It!

Great to hear DLA is one of the first in DoD to build an integrated insider threat program.  It's not just about reviewing insider threat indicators in isolation, it's about seeing the forest for the trees.  It's about adding up indicators across many different aspects of an employee's life to determine threat potential.  

DLA Intelligence’s insider-threat program manager, Jimmy Dyer, comments that "A person isn’t necessarily a threat if he or she has experienced a number of stressors or had an isolated outburst... It’s all about aggregating information…  Sometimes life events cause us to do things that we wouldn’t ordinarily do.

Employee access to information system privileges or security clearances might also serve as indicators.  That’s going to elevate the threat, because now that employee has access to national security information.  Looking at these factors together allows the team to better protect agency employees."

The slippery slope...

Great story from HRM Canada regarding the fine line between employee discipline and dismissal.  How would you react?

These factors come into play...

  • Whether there was any confusion on the part of the employee personally or resulting from the employer’s rules or policies, or from the employer’s enforcement thereof, particularly regarding the goods in question.
  • Whether theft is a problem in the workplace, and the employer’s response to other instances of theft in the workplace.
  • Whether the theft was premeditated, or the result of confusion or an impulsive momentary aberration.
  • The nature and seriousness of the theft (including the value of the goods involved).
  • Whether there was a single act of theft, or a pattern of theft-related or other dishonest conduct.
  • The grievor’s behaviour and reaction when confronted with the allegation of theft.
  • The grievor’s character and reputation for honesty in the workplace and in the community generally.

Great article that helps bring the human factors into context.  It's not just about someone trying to access a classified file, or plugging in a thumb drive.  You can't track intention through a monitoring tool.

Psycholinguistics... just heard of it today

Great article in Info-Security Magazine from David Green, CSO at Veriato, regarding understanding both the personal... and professional mental health of our employees.

"Security systems that call on psycholinguistic indicators and powerful investigation tools are indispensable for a growing number of companies concerned about threats from within. But even the best technology can’t root out every potential problem.

Used in tandem with a little common sense, you stand a better chance of getting inside an employee’s head and anticipating harmful behavior. Someone under obvious stress at work (example: a recent poor performance review) or at home (a known family problem) bears watching. So do employees who’ve given notice, or suspect their job is at risk, that may decide to walk out with some of your assets.

When it comes to dealing with insider threat, there are no silver bullets. A combination of people, process, and technology is required."

Nicely said, David.  It definitely involves collection of information across many groups within an organization.  It's too bad that these groups are often siloed.  Insider threats are assigned to HR, cyber is assigned to IT, and physical security is assigned to facilities.  Perhaps these groups could be combined into a single security department that reports to the highest levels of the organization.  That way, they could make the business case for a unified security approach and funding.

I love this...

9 reasons why your security awareness program sucks... by CSO reporter Ira Winkler

This is a must-read for those that need to wake up and pay attention to how their employees are trained to thwart insider and external threats to their intellectual property.  It's not rocket science, but it requires written policies, explicit consequences, and consistent, effective delivery to all employees and contractors.

"Improving security awareness is infinitely more complicated than telling people what not to do. Again, it is about promoting behaviors dictated by governance."


Security Needs a Seat at the Table

Too many organizations see insider threat management as a human resources thing.  After all, insider threats are just people, right?  Too many organizations see cybersecurity as an IT thing.  After all, it's just software monitoring network traffic, right?  Too many organizations see physical security as a facilities thing.  After all, it's just guarding the premises, right?  

Each of these areas is typically seen as a silo, operating independently and raising red flags only when its own particular alarms are triggered.  What they don't see is that they could often be informing each other, providing vital information that helps create a more complete picture of a potential attack (or threat).  Let's use an example.  

Your network monitoring software identifies multiple outside attempts to access a particular server that contains the specs for your company's secret new medical device.  These get shut down by your intrusion prevention software.  Several days later, Tom (VP of Operations), who happens to be trying to put two kids through college, is overheard by another employee at a local restaurant discussing the new device and how it's going to change the market.  The employee informs HR about the conversation, and HR sees it as normal behavior since Tom is an executive.  A week after that, Tom is discovered through monitoring software copying the device spec files from the server to a USB drive.  When confronted, Tom becomes agitated and verbally threatens the HR manager.  The HR manager fires Tom that day.  Two days after being fired, Tom returns with the intent to harm people in the organization.

This scenario encompasses cybersecurity detection, insider threat management, and physical security of the premises.  All of these functions exist to protect the intellectual property and human life in an organization (its most important assets), and all of them need to be working together.  Perhaps a better way to organize these functions is to put them into a single functional group, and give them a "seat at the executive table" where they can deliver the business case for security from a single voice.
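To make the point concrete, here is an added illustration (not Soteritech's code or any product's): a small Python aggregation over constructed events from the Tom scenario, showing that each silo's view on its own stays below the escalation bar while the joined view does not. The event fields, weights and threshold are assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events mirroring the Tom scenario: each tuple is
# (timestamp, silo, subject, asset, indicator, weight). Each silo only ever
# sees its own rows; the point is what appears when the rows are joined.
EVENTS = [
    ("2016-05-02T09:10", "cyber", None, "srv-device-specs", "external_access_blocked", 1),
    ("2016-05-02T09:12", "cyber", None, "srv-device-specs", "external_access_blocked", 1),
    ("2016-05-06T19:30", "hr", "tom", "srv-device-specs", "sensitive_topic_in_public", 2),
    ("2016-05-13T14:05", "cyber", "tom", "srv-device-specs", "usb_copy_of_asset", 4),
    ("2016-05-13T15:20", "hr", "tom", None, "verbal_threat", 4),
    ("2016-05-13T16:00", "hr", "tom", None, "terminated", 3),
    ("2016-05-15T08:45", "physical", "tom", None, "entry_attempt_after_termination", 5),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def subject_risk(events, subject, window=timedelta(days=30)):
    """Sum every silo's indicators for one subject inside a sliding window.
    Returns (score, silos_involved, linked_assets)."""
    mine = sorted((_ts(t), silo, asset, ind, w)
                  for t, silo, subj, asset, ind, w in events if subj == subject)
    if not mine:
        return 0, set(), set()
    latest = mine[-1][0]
    recent = [e for e in mine if latest - e[0] <= window]
    score = sum(e[4] for e in recent)
    silos = {e[1] for e in recent}
    assets = {e[2] for e in recent if e[2]}
    return score, silos, assets

def asset_risk(events, asset):
    """Join external (subject-less) activity against an asset with insider
    activity on the same asset; the cyber silo alone never makes this link."""
    rows = [e for e in events if e[3] == asset]
    external = sum(w for _, _, subj, _, _, w in rows if subj is None)
    insiders = {subj for _, _, subj, _, _, _ in rows if subj is not None}
    return external, insiders

def escalate(events, subject, threshold=10):
    """Escalate only when two or more silos report on the subject AND the
    windowed score crosses the threshold; neither condition alone is enough."""
    score, silos, _ = subject_risk(events, subject)
    return len(silos) >= 2 and score >= threshold

if __name__ == "__main__":
    print(subject_risk(EVENTS, "tom"), asset_risk(EVENTS, "srv-device-specs"))
    print("all silos:", escalate(EVENTS, "tom"),
          "HR alone:", escalate([e for e in EVENTS if e[1] == "hr"], "tom"))
```

With every silo's rows joined, Tom escalates days before the physical incident; HR's rows alone never do, which is the gap the siloed model leaves open.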

Employee Training Isn't Enough

As an article in CSO (a reprint of a CIO magazine article) points out, simple employee training to detect and deter insider threats isn't enough.  It's not a one-time thing or an annual thing.  Companies need to develop a culture of security that encompasses changes across people, process and technology to help thwart internal threats.  

"Employee-related security risks top the list of concerns for security professionals, but organizations aren't doing enough to prevent negligent employee behavior, according to a new study."

More to DTSA

The Defend Trade Secrets Act has some important provisions employers need to pay attention to...  As reported by JDSupra Business Advisor... 

One of the many important provisions of the law that employers should not overlook is the notice requirement. In short, agreements with any individual performing work as an employee, contractor, or consultant for the employer that govern the use of a trade secret or other confidential information, must either set forth certain immunity provisions of the Act or provide a cross-reference to a policy document provided to the employee that sets forth the employer’s reporting policy for a suspected violation of law.

Time to make some updates to your employment and contracting agreements.

DTSA Signed

The Defend Trade Secrets Act was signed by the President yesterday.  I am hopeful it will have a positive impact in helping American companies protect their intellectual property from both external and insider theft.

As reported in USA Today, "One of the biggest advantages that we've got in this global economy is that we innovate," Obama said at a signing ceremony while flanked by a bipartisan congressional delegation. "We come up with new services, new goods, new products, new technologies. Unfortunately, all too often, some of our competitors, instead of competing with us fairly, are trying to steal these trade secrets from American companies, and that means a loss of American jobs, a loss of American markets, a loss of American leadership."

The theft of trade secrets costs the economy more than $300 billion a year, according to the Commission on the Theft of American Intellectual Property. That's comparable to the annual U.S. exports to Asia.

Fifty percent or more of those thefts are from insiders who knowingly steal, or unwittingly give away America's competitive advantage.  Let's put a stop to that.

DTSA Report

As reported by Lexology.com... The President is expected to sign the Defend Trade Secrets Act (DTSA) shortly, so companies should be prepared to tangle with the newest cause of action on the block:

  • In cases of trade secret theft, consider whether state or federal court is your best venue;
  • Ensure that any new confidentiality agreements and existing policies comply with the DTSA’s immunity provision;
  • Protect your trade secrets! The DTSA is only useful when disaster strikes. Your first goal should be to take affirmative action to protect your sensitive information so that you never need the law’s protections.

Secret Sauce

Building a culture of security within your organization requires four things:

1. Explicit policies and rules of behavior... If you don't want people to bring weapons to work... make sure you've written it down and communicated it.
2. Pre-arranged agreements between internal organizations to communicate in times of crisis... You don't want to encounter an insider threat situation and not know what information you should expect from HR, or legal, or IT.
3. Educated employees... Employees should understand the behaviors that could lead to insider threats.  Train them and give them a truly anonymous way to leave insider threat tips.  They can be your best advocates.
4. Using technology... From something as basic as reviewing event logs all the way to recording screen activity and monitoring external media and sources, simple and sophisticated tools exist to perform proactive alerts and simple forensics.

If your organization has some "secret sauce" you want to protect, then make sure your entire organization is on-board to protect it.

Way to go Congress...

As reported on Fortune.com, the U.S. Congress on Wednesday passed and sent to President Barack Obama legislation strengthening legal protection for companies’ trade secrets, including manufacturing processes and computer methods.

The House of Representatives voted 410-2 to approve the “Defend Trade Secrets Act” on the heels of it being unanimously passed by the Senate earlier this month.

The legislation, which is backed by the White House, would open the door for companies to sue in federal court for damages related to theft of trade secrets.

Human error...

Great story on Lexology.com from Baker & Hostetler, LLP regarding human error being to blame for most breaches...

"While investment in security defense and detection technologies is an essential component to building an effective defense-in-depth strategy, the reality is that most breaches can be traced back to human error."

Why not invest some of that cybersecurity budget to train employees to not let criminals right in the front door?

Organizations need a culture of security...

Great GCN article from Brian Robinson titled "Confidence: The secret sauce for security". My general interpretation of Brian's use of the word Confidence... is that it translates to Culture. His opening few sentences say a lot... "Talk about security these days often focuses on technology -- the tools agencies can deploy to keep intruders out of their networks and systems or, if they do get in, to mitigate the damage from those intrusions. Very little discussion is spent on users and how important they are to that security."  I completely agree.  Just as much attention needs to be placed on the human aspect of cybersecurity as on the technologies.


Cyber Threats from Insiders

As reported by the Daily Business Review, "for every cybersecurity breach that makes the news, there are at least a dozen — some far more egregious — that the public doesn't hear about, a panel of leading cybersecurity experts said." 

Internal threats know more about your systems.  They know about your defenses.  They know more about how to evade the tools and protections you have in place.  It's time to pay attention to the human element of cybersecurity.