Insider threats are a major risk to all companies, not just those in the national security space. But it’s important to know who the threat actors are – and why they’re acting. Dr. Eric Lang, director of the DoD Personnel and Security Research Center, or PERSEREC, discusses his work on insider threat, and why non-malicious actors are as concerning as the headline-grabbing cases we see. You can read more in his 7 Science-Based Commandments for Understanding and Countering Insider Threats.
“Because it’s always a human we just need to pay more attention to human factors, issues,” said Lang. “Technology will always be important, but we’re just not paying enough attention to the human factors, issues, and particularly the non-malicious actors who are causing those issues.”
One factor that has increased the potential for insider threat is the rise in remote work across workplaces. Lang noted 62% of individuals don’t follow security protocols as closely at home as they do in the office, and among insider threat criminal prosecutions, 75% involve remote workers. A key factor is simply the nature of doing work away from the office, and the ease of printing or stealing proprietary or confidential information. And because insider threats and risks aren’t just about the malicious actors – but also the non-malicious actors – remote work opens the door to the ‘sloppy’ security practices that can increase risk for companies.
Combating Misconceptions
One key issue is still the stigma around mental health issues.
“Organizations, despite putting out appropriate policy, still have people at too many levels who have bad assumptions and myths about mental health,” said Lang. Many across the cleared workforce still assume that specific conditions will result in clearance denial, when the data shows mental health issues result in a minuscule number of clearance denials or revocations.
“Getting treatment won’t undermine your security clearance but lying on a government form will, and some people lose their clearance because of that,” said Lang.
Combating Insider Threats Through Changing Culture
Culture change is key to combating insider threat. Policies can only go so far – a psychologically safe culture has to support the workforce and the ability to share information and create open avenues for addressing risk factors before they become an issue. The key is to be technology-enabled, but human-centric.
“Organizations have to avail themselves of best practices that already exist,” said Lang. “It’s more of a mindset shift. The biggest gaps and the biggest opportunities continue to be on the human factor side. We need to focus on humans over hardware and psychology over software.”
Insider threats aren’t going away – and whether they’re intentional or unintentional doesn’t matter. But what does matter is creating a culture where information sharing is the norm – and not the exception.
“Culture is more important than the policy,” said Lang. The research has shown it has become more important. “It’s the basis of why things work well and don’t work well.”