Despite increased trainings on insider threat (thank you Edward Snowden and the like), the risks haven’t necessarily gone down over the years. This past week, the National Security Institute held their 35th Annual Security Forum – Impact 2022. The event brought government and industry together, highlighting that the needs in national security are nuanced and varied, but it’s important to hit all of them.
Top 5 Takeaways on Insider Threat from the Experts
From understanding Trusted Workforce 2.0 to cybersecurity threats to changing government initiatives, security officers cover a lot of areas on any given day. And as insider threat continues to grow, it’s important for organizations to continually find tangible responses to combat the threat. A few themes bubbled to the surface this past week from security experts in the industry.
1. Zero risk is not the answer.
Aiming for zero risk may seem like the best solution in combatting insider threat – no one wants bad things to happen. But risk avoidance is not the same as risk reduction. And we have had many lessons in national security that have taught us how to take steps to reduce risks. So, don’t turn away a qualified candidate who doesn’t have a squeaky clean background; work with them to be open and honest throughout the security process. Meet employee needs when they’re stressed out, instead of just expecting them to get their life back together on their own. The security clearance process is long, and the number of available clearances for industry is not nearly enough. Working with employees through their personal problems is not only a good retention strategy, but it’s also a strategic move to reduce insider threats.
2. Silence isn’t always golden.
Loose lips may sink ships, but not communicating processes, expectations, or lessons learned means that people don’t have the information they need to keep the U.S. secure. Better to err on the side of over-communicating. When we stop talking about the changes that DCSA is making or lessons learned from prior espionage cases, security gets compromised. So, talk to colleagues in the field. Talk to government representatives. And talk to your organization about security – keep the lines of communication open.
3. Prepare for your reaction to a crisis.
When a crisis hits, your response will make a difference. Work in national security long enough, and you’ll realize that it’s not a matter of if a threat will be realized – just when. If your contract or office has the next Snowden, what will your next steps be? Do you have a plan in place to take care of your people? What about a cyber incident? Part of CMMC is making sure organizations have the proper steps outlined in the case of a breach. By all means, set your plans in motion to avoid an insider threat or a cyber breach, but you can mitigate the losses to national security and your organization by how you respond in the aftermath. And make sure you share lessons learned. Spend less time in CYA mode, and more time ensuring that others aren’t impacted in the same way. National security is at stake – and that’s more important than a company’s brand.
4. It’s not the 1950s anymore.
Defense Office of Hearings and Appeals (DOHA) Director Perry Russell-Hunter explained that much of the security vetting process was built on the state of life in the 1950s in America. The background investigation was highly dependent on what your neighbors thought of you. But Russell-Hunter said that we have new neighbors now – and they’re online. This generational and reality shift is reflected in the SEAD-5 directive on social media, and publicly available information has now become the new self-reporting tool. In the future, the process will continue to evolve into more than just a threat report.
And when it comes to tracking which governments around the world pose a threat, Russell-Hunter encouraged security professionals to use reports and open source information from the State Department and the Library of Congress. Keeping abreast of countries that spy on us or have less-than-democratic governments can identify emerging risk factors in national security. Sometimes, old U.S. adversaries haven’t changed, but others can get added to the list. It’s important to stay up-to-date.
And with Continuous Vetting moving forward in implementation, financial considerations may not be the biggest threat to clearance revocation. Criminal conduct and social media could begin to play a bigger role. Goodbye 1950, and hello 2022.
5. Technology is not enough in cybersecurity.
You’d think technology would be the biggest factor in advancing cybersecurity. But at the end of the day, there are always people behind the technology, and they’re the biggest risk. You can have all the latest technology and the best processes in place, but if people aren’t following them, your organization is still at risk. ESC Federal’s Shayla Treadwell is a key player in her organization’s understanding of the psychology of its employees’ cyber actions. We all know that password sharing is bad, but telling people it’s bad may not be the right way to get them to stop doing it. Understanding the psychology of your workforce will move the dial forward on actually securing it.
A major factor today is meeting the highly varied needs of a workforce that has five generations in it. ClearanceJobs’ Director of Content & PR, Lindy Kyzer, pointed out that many security officers reported a low use of video in their trainings. With younger generations moving into national security and older ones retiring, it’s important to get information to people in the best way possible. Short videos can be a game-changer in getting employees to act on policies and procedures.
You may need to deploy things in multiple formats to hit each generation. When you care for the people behind the technology, you will be able to build a culture of security that’s embedded into the workforce.
It Takes a Village
When it comes to managing insider threats, it’s clear that it’s not just a government problem or an industry problem – it’s everyone in national security. It requires government and industry working together to both advance technology and support the people behind it all. The past two years have increased stress in the workforce, but supporting the people is a key piece to preventing, detecting, and responding to insider threats. National Counterintelligence & Security Center’s Acting Director, Michael Orlando, cautioned that with the increases in stressors in the workforce, insider threats are up by 40%, and more importantly, half of the threats are due to neglect. Implementing new and improved strategies is never easy, but it still has to be done. Our adversaries aren’t resting, so it’s important to keep fighting.