The New York Times recently published the story of yet another government contractor accused of stealing classified information from the National Security Agency. Unlike the widely publicized incident with Edward Snowden, where confidential information about U.S. surveillance and foreign intelligence operations was leaked to the press, it is unclear what the motive was behind this theft and how it will impact intelligence operations. Nevertheless, this case shines a harsh light once again on a government contractor, Booz Allen Hamilton, which employed both Snowden and the now-accused Harold T. Martin III.
Officials claim, according to media reports, that Martin didn’t fit the mold of a suspected insider threat and that he may have collected the classified material before Snowden went public in 2013. Regardless, government contractors with access to sensitive data—especially so-called “Privileged Users” like system administrators—can pose a serious threat to national security.
How does this impact government contractors?
If you’re a government contractor with Facility Security Clearance, the Defense Security Service (DSS) has mandated that you certify your compliance with NISPOM Change 2 by November 30, 2016. NISPOM Change 2 requires contractors to “establish and maintain an insider threat program to detect, deter and mitigate insider threats.”
Insider threats are more difficult to prevent and potentially more damaging than other cyber security risks such as outside hackers. It often takes months or years to detect an insider threat, and the perpetrators are inside your organization with access to sensitive data the entire time. Furthermore, once an insider threat is detected, the process of mitigating the damage caused could extend for many years after the initial data breach.
Anyone inside your organization or contracted through a third party can become a threat. According to the 2016 Verizon Data Breach report, insiders with malicious intent make up the largest percentage of insider threats and are primarily motivated by financial gains (34%) and espionage (25%). The report also finds that an insider threat may not always be malicious or even intentional. Data breaches can occur as the result of data mishandling, unapproved hardware or software, and email or internet abuse. Insider threats may also be individuals who are misled or coerced into divulging confidential information by an outside party.
What should you do to address insider threats?
For starters, you can take steps to ensure your compliance with NISPOM Change 2 and prepare your certification letter for the DSS by November 30, 2016. The key to building a strong insider threat program is to develop a keen understanding of your workforce. Ongoing monitoring of human resources and information technology systems will reveal patterns that may indicate a possible threat early on. Training is also an important step: it should teach your employees how to identify warning signs, help them understand the dangers of mishandling information, and encourage conflict resolution and reporting through internal processes. A senior company official should be appointed and empowered to enforce your insider threat program and policies.
Once you have an initial insider threat program in place, you should look for ways to build on this framework and further strengthen your defenses against insider threats. Industry experts agree that the November 30 deadline is just a starting point for an ongoing effort to address the challenge presented by insider threats. Minimum standards for programs are expected to evolve in the next couple of years as attackers become more sophisticated. The initial requirements associated with the November 30 deadline are just the beginning.
The Raven Group is a Corporate Counterintelligence consulting firm that helps companies protect their trade secrets, intellectual property (IP), employees, and reputation. Raven’s consultants have spent a lifetime protecting our nation from threats of every kind and are second to none. Let us bring that expertise to your company.