To Detect Insider Threats, Give Your Employees Channels to Report Them
On September 21st 2001, senior analyst for the Defense Intelligence Agency (DIA) Ana Belén Montes was arrested and charged with conspiracy to commit espionage against the United States for the government of Cuba. Prosecutors alleged that her clandestine activities were directly responsible for an attack on U.S Army forces in El Salvador which led to the death of Sgt. Gregory A. Fronius. In 2002, Montes pleaded guilty to the charges and was sentenced to prison for 25 years.
In the aftermath of Montes’ conviction, many of her colleagues were shocked – during her time at the DIA, she had earned the reputation for being dependable, trustworthy, and exceptional at her job. But not everyone was surprised: in a video interview published by the Cybersecurity & infrastructure Security Agency (CISA), former DIA Chief of Staff Louis Andre stated: “Everybody felt the same way about her: good analyst, but there’s something wrong here.”
Since Montes had aroused the suspicion of her colleagues, why did it take more than 15 years for her activities to be noticed? Andre had an answer for that question: “nobody – including myself – wanted to go to security and say ‘you know, you really ought to take a look at her.’” Unfortunately, incidents like this happen every day, and your organization could be next.
Why Insider Threats Go Unreported
Insider threats remain a top risk to government agencies and contractors. Over the past ten years, the scale of that risk has steadily increased, driving renewed vigilance from the government. It has been a key motivation behind the development of continuous evaluation (CE), updates to NISPOM, DISS, and ongoing initiatives in the DCSA.
But most investigations in the aftermath of an insider threat event reveal a disturbing pattern: insider threats rarely go unnoticed. In fact, it almost always turns out that someone working alongside the threat actor notices unusual behaviors and harbors suspicions while failing to report them. CISA’s video interview gives us insights as to why:
- No one wants to tell: an aversion to “snitching” is engrained in most Americans from childhood. Cleared personnel do not want to get their colleagues in trouble, especially when they cannot prove that anything is amiss.
- Reflexive denial: when cleared personnel notice something suspicious, they often doubt their own perceptions. They think “it couldn’t happen here,” and refuse to believe the worst about their colleagues. Ultimately, they talk themselves out of saying anything.
- Lacking the big picture: in isolation, indicators of an insider threat may not seem very serious until they are connected with other indicators that form a more complete picture. When multiple individuals keep what they have noticed to themselves, no one gets a chance to connect the dots until it is too late.
In short, those who are in the best position to expose an insider threat will often stay silent unless they are motivated to speak up. FSOs and other security officers, therefore, have an obligation to help their employees understand the signs of an insider threat, emphasize the importance of reporting everything, and provide them with the channels to do so.
Signs of Insider Threats
In order to detect an insider threat, cleared employees and FSOs need to establish a clear sense of “normal,” both for the organization as a whole and for their colleagues as individuals. CISA offers the following questions:
- What is an employee’s normal work schedule?
- What physical locations do they generally access?
- Normal communications/interactions with internal/external entities?
- Normal IT system and electronic file access protocols?
- Normal network/VPN activity?
Since the baseline for normal behavior varies between persons and organizations, establishing that baseline requires a concerted effort to raise awareness and pay attention.
Maladaptive Behaviors
Maladaptive behaviors encompass signals – ranging from subtle to obvious – that indicate something is “wrong” with an employee. Either they are not adjusting to their workplace, or something is wrong with their personal lives:
- Bringing personal problems into the workplace
- Financial issues that affect their work
- Close-lipped about their activities; isolated
- Signs of drug or alcohol use and illegal activity
- Financial difficulty, gambling addiction
- Responding to these situations in a negative way
In some cases, maladaptive behaviors can indicate duplicity and underlying deception. In other cases, they reveal a weak personality that is vulnerable to compromise. In either case, it is important to report them.
Signs of Radicalization
Signs of radicalization may indicate that an employee has been – or is already – radicalized by a religious or political ideology which could motivate them to sabotage or even attack their employer:
- Fascination with terrorist organizations
- Abrupt changes in behavior or appearance
- Frequently voicing grievances over a perceived “injustice”
- Excessive political involvement or interest in political groups
- Angry outbursts and hateful comments about their co-workers or organization
- The acquisition of weapons and other items that could be used in a violent attack
Obviously, the mere presence of religious or political conviction is not evidence of an insider threat: radicalization results in behaviors that go far beyond what is normal for adherents to an ideology or belief system.
General Signs of Compromise
Signs of compromise indicate that an employee has been recruited or coerced to act against their organization, or that they are doing so on their own initiative. These include:
- Working at odd hours without permission
- Attempting to access or showing an excessive interest in protected locations
- Unusual traffic and file requests from their digital devices
- Reports of physical or online harassment and bullying
- Unexplained wealth
- Unusual travel to foreign locations
- Foreign contacts
- Repeated and seemingly deliberate violation of rules
While none of the indicators in this article prove the presence of an insider threat, it is better to report a false positive than allow real threats to go unreported. While many find the self-monitoring requirements in SEAD 3 to be onerous, they are specifically designed to capture false positives because that is the best way to capture real ones.
The Best Way to Detect Insider Threats
Insider threat detection is a problem that experts have been trying to crack for years. Organizations have developed algorithms to flag suspicious digital activities, and the government has commissioned psychological studies to develop screening tools for applicants. But when it comes to noticing a malicious insider, there is no substitute for human instinct.
After the conviction of Ana Montez, former colleagues said they had felt there was something “wrong” with her behavior, although they could not specifically explain why. So-called “micro-signals” can represent underlying deception, and people – from years of interacting with other human beings – are good at noticing them.
Fight Insider Threats with Portal Commander
Ultimately the most effective way to boost your insider threat program (ITP) is to utilize the cleared personnel throughout your organization to generate intelligence. Their combined efforts can bring attention to patterns of behavior that would otherwise go unnoticed.
The latest version of Portal Commander provides your organization with everything you need to fight insider threats:
- Insider Threat Reporting Module
- Anonymous Reporting
- Foreign contact reporting
- Contact information for the DCSA, DHS and CIA
- Insider threat overviews with data visualization
Save time, optimize workflows and keep your organization safer: for a free demo, call us today!
MathCraft Security Technologies offers a robust product line of NISPOM-compliant security applications for cleared contracts and enterprises. Our solutions are carefully engineered to improve security processes, giving Facility Security Officers (FSOs) and employees the comprehensive tools that they need to manage data, monitor visitors, and automate workflows. For ultimate convenience, they are also available on-premises or via the cloud. Contact us for a demo!