Cyber is often the focus of security today, but it’s still humans at the heart of vulnerabilities. That’s why a successful personnel security program still requires security professionals and programs focused on how humans can and will make mistakes. Building and maintaining a security program is at the heart of this week’s NCMS Seminar taking place in Minneapolis. The event is an annual gathering of security professionals from across the nation.
“Ninety percent of successful data breaches are initiated by some form of human hacking,” said Peter Warmka, a former CIA intelligence officer speaking on ‘human hacking’ during a keynote address at the annual security seminar. He emphasized how much social media has aided the efforts of foreign intelligence agents. Information that used to be accessed via facilities and locations can now be accessed through a quick internet search.
Looking profile by profile, adversaries can assemble a full picture of a security clearance holder:
- LinkedIn: Resume and professional history, companies worked at, skills and interests
- Facebook: A different optic from LinkedIn with more personal and family data, photos, interests
- Twitter: Ideology and political leanings
- Instagram: Pattern of life; where you go and what you do on a routine basis
“LinkedIn is crazy. People are not very careful with who they’re connecting with,” said Warmka. He said he regularly uses fake profiles to connect with attendees before he attends security conferences, and between 52 and 54 percent of them accept the connection from the fake profile.
Addressing the Insider Threat
The risk posed by employees is nothing new to anyone in government. And training on the insider threat isn’t a nice-to-have, it’s a must-have for any contractors supporting the Department of Defense. NISPOM Change 2, published in 2016, established insider threat training requirements specific to industry. Cleared employees are required to receive insider threat training before gaining access to classified information and every year after.
Any annual training program can become rote. That’s why it’s important to educate employees not just on what the rules are, but on why the rules are there, emphasized Charles Phalen, principal with C.S. Phalen & Associates. Phalen spoke at the NCMS Seminar during a session on assessing and strengthening insider threat programs sponsored by SIMS Software, the leading provider of industrial security information management software. “Every rule is a result of some event that happened,” said Phalen. The risk for companies comes in creating binders’ worth of rules without properly educating employees and companies on the why behind them.
The problem with any security breach or vulnerability is that it can’t be contained to the individual actor who perpetrated it. “You don’t allocate reputation by divisions,” said Tom Langer, principal with Atlantic Security Advisors. Langer cited multiple high-profile cases of companies that suffered significant reputational and financial costs due to breach-of-trust issues, from VW and Theranos to Sony and NBC News.
Both Phalen and Langer emphasized that insider threat training requires more than an annual course: it requires a commitment to integrating insider threat awareness across the organization.
“You are the central nervous system,” said Langer, speaking to the audience of security professionals at NCMS. Because insider threats can take place across an organization, security professionals need to feed and fuel awareness across their organizations, and bring in the stakeholders to do it.
“Our goal is to find the people who are struggling,” said Phalen. The key, said Phalen, is identifying potential risks before they occur, rather than waiting until the bad event happens and then adding to the binder of rules. Unlike foreign intelligence agencies, which are tasked with scanning and searching for bad actors from the outside in, security officers have the opportunity to identify risks from the inside, and before they happen.