By Brian Kaveney, Partner & Security Clearance Team Leader, Armstrong Teasdale LLP, Lex Mundi member firm for USA, Missouri And Tim McQuiggan, Security Clearance Advisor, Formerly Director of Security, Boeing Defense, Armstrong Teasdale LLP, Lex Mundi member firm for USA, Missouri
Edward Snowden's leaks of classified documents and the Washington Navy Yard shooting are just two recent examples illustrating the difficulties all employers face in minimizing risks associated with employee behavior. Although companies that handle classified information and have cleared employees are required by law to implement measures beyond simple background investigations, in both the Snowden and Navy Yard shooting cases, compliance with current legal standards was insufficient to prevent disaster.
In light of these and other recent events, government agencies are currently developing regulations for companies with security clearances at the facility level that will include program requirements for "insider threats"â€”shorthand for individuals with access to an organization's sensitive information who then use the information to the detriment of the organization, its customers, the government, or even the United States as a whole. However, pending these forthcoming requirements, it is clear that it is in the interest of companies in all industries to act immediately to raise security standards beyond current legal requirements and industry norms.This Top Ten list provides a brief overview of important tips for addressing and mitigatinge insider threats in a cost-efficient manner.
1. Educate the Workforce on the Protection of Intellectual Property
Competitive barriers to entry and revenue spent on research and development can be the key to a company's future and the security of its employees' jobs. An employee who recognizes that his or her interests are aligned with the employer's in protecting that intellectual property will be more vigilant in monitoring for suspicious activity. As a result, it is incumbent on company leadership to ensure that employees understand the value to the company and its individual employees in acting to protect intellectual property. Remind employees that their own 401K and retirement benefits could be impacted by a drop in the stock price as occurred in the Snowden case.
2. Educate the Workforce on the Indicators of Insider Threat Behavior
In-house counsel and security must educate the workforce on the indicators of insider threat behavior and strictly enforce codes of conduct and other applicable reporting procedures. Training and education should encourage employees to be on the lookout for suspicious behavior that may be an indicator of "insider activities":
Issues at work. Dissatisfaction, problems with authority, bypassing company rules for convenience, argumentative character, and poor performance can all be warning signs for adverse employee behavior. "Looking for a thrill." Employers should be cautious with employees who appear to be intrigued by secrecy, seek excitement, or romanticize the secret nature of work duties (the "007 wannabe"). Entitlement mentality. Employees who believe that they are owed and deserve better than their current circumstances may be motivated to act on those beliefs in a manner that hurts the company and its reputation. Disgruntlement. An employee with an axe to grind can pose serious risks when it comes to valuable company information. Financial problems. Excessive debt and unexplained displays of affluence or hardship often precede financially motivated insider threat behaviors. Vulnerability to blackmail. Circumstances such as extra-marital affairs, drug/alcohol addiction, and gambling problems can be motivating factors for intellectual property theft. The "Data Collector." An employee who seeks information that he or she does not need, accesses restricted areas, downloads unauthorized data, or conducts unauthorized searches may be fishing for valuable information. Employees will nearly always be the first to notice these warning signs. As a result, companies should regularly educate their workforces on the importance of reporting suspicious behavior.
3. Establish Mechanisms to Identify People Who Are Improperly Accessing Proprietary Information
In many cases, companies can look to existing, available information to identify whether employees are pilfering confidential, proprietary information. For example, companies should monitor whether employees are regularly downloading or printing unreasonably large amounts of information, particularly during abnormal hours.
4. Correlate Existing Company Data Sources
It is key for companies to correlate data from different sources in order to detect "insider threat" activities. For instance, data from network tools can reveal that an employee suspiciously accessed sensitive information, while human resources data can uncover that the same employee is dissatisfied because he or she was denied a promotion. By collecting and cross-referencing data from these and other sources, companies can more effectively and efficiently identify behaviors indicative of "insider threats."
5. Ensure Communication between Business Areas
Businesses regularly fail to share information across business areas. In particular, when disaster strikes, it often comes to light that the human resources department possessed adverse information about an employee that was never shared with other parts of the business. A common reason for this is a basic lack of understanding by human resources personnel about what information can be shared with other areas of the business. To avoid these problems, companies must decide who is going to spearhead the effort to combat insider threats and empower the appropriate individual or division to lead the effort. That effort must include a goal of unifying procedures among areas such as security, recruiting, marketing, and human resources in order to ensure that information is effectively shared across the business. In taking these steps, companies should be mindful of labor protections and other applicable laws, such as the Privacy Act of 1974 and the Fair Credit Reporting Act, as well as recent guidance from the EEOC and related litigation over workplace privacy issues.
6. Develop a Recovery Plan for the Leak of Confidential Information
Companies must be prepared for the possibility that an employee will leak confidential information. Action should be swift and specific to minimize damage, and should address both the external and internal impact. First, companies should prepare a detailed public statement discussing existing safeguards, actions it has taken to apprehend the bad actor, and the changes it is committed to make as a result of the leak. A well-executed statement will show customers, clients, and fellow business partners that the company has strong management, acts in good faith, and is operating to minimize further leaks. On the internal front, companies must keep faithful employees motivated to reduce damage to productivity. If employees believe that their company has been seriously damaged, then they may begin to search for new positions. Recent cases indicate that the actions of a single bad actor can in fact make employees embarrassed or ashamed to be affiliated with their organization. A strong public statement that denounces the insider's actions, coupled with strong internal communication reinforcing organizational unity can minimize the detrimental effect on morale and productivity. Pledging full cooperation with investigative agencies also helps rebuild employee trust in the company brand.
7. Understand Your Company's Risk Areas and Exposure
It is impossible to quantify the cost of your company's name appearing in the media in association with a catastrophic event caused by an employee's transgressions. Even if the company is not directly responsible (or is ultimately found not to be responsible), association with the event can cause irreparable damage in numerous waysâ€”from damaging the company's reputation with shareholders to leading to protracted, expensive litigation in the courts. In virtually all cases, the enormous potential costs of an employee-created disaster far outweigh the relatively minor costs connected with evaluating and upgrading existing security procedures. It is critical, however, to recognize that there is no "one-size-fits-all" approach to these issues, as every company has a unique structure and culture.
8. Identify Your Core Critical Technologies
"If you are everywhere, you are nowhere." It is far easier for organizations to protect an identified subset of company data than trying to protect all of their sensitive information. To prevent unauthorized leaks, companies must identify the information most critical to the companyâ€”whether classified information, pricing strategies, research and development, or other key intellectual propertyâ€”and then implement the administrative procedures necessary to protect it.
9. Liaise with Federal, State, and Local Authorities
Companies should regularly meet with government agencies to obtain information about existing trends and to receive guidance. Counterintelligence information is a key resource for the employee education process, as agents can be excellent partners in workforce training initiatives. These relationships can also prove invaluable if your company experiences a catastrophic event.
10. Conduct an Audit
Perform an audit of current practices aimed at protecting the company in the public arena and preserving its credibility with the government and customers. Although an audit can be performed internally, employing an outside firm to perform the review demonstrates objectivity and facilitates communication among different areas of the business such as security, HR, recruiting, marketing, and legal. Employing a law firm to conduct the audit also may help preserve the attorney-client privilege and prevent the disclosure of sensitive documents and recommendations.
In the current climate, companies are obligated to take all available steps to prevent the disastrous consequences of employee "bad acts"â€”from the theft of confidential information to workplace assaults. By conducting an audit and following these other tips, you can help ensure that your company doesn't end up dealing with the aftermath of front-page headlines or a multi-million dollar judgment. Even if an incident occurs, by taking these steps a company may mitigate the harm and preserve its reputation with its customers.