A global approach to the insider threat
We all know that the nature of the security threat is asymmetric and that we need to protect our companies’ assets from all realistic security threats in a converged manner.
But do we really consider the reality that all security threats have a people dimension?
Results from recent surveys demonstrate the increasing threat posed by the insider, from both accidental and intentional compromise of data or access to facilities. Insiders are most likely to target trade secret information, the information of greatest value to an organisation. Information that is deemed to have value to a company (either real or potential), that can be shown to be known only to the company and that is protected internally can be said to be a trade secret. It is this trade secret information which must be protected from the insider threat. In this digital age, information held on technology platforms is the likely target.
Theft of trade secrets
A recent study prepared for the European Commission on the theft of trade secrets in the Internal Market, dated April 2013, found that respondents had suffered attempts or acts of misappropriation of trade secrets over the preceding 10 years, both within and outside the European Union (EU). Of the 537 respondents, 20% had suffered at least one attempt at misappropriation within EU countries. The companies experiencing the highest proportion of such acts were in the chemical, motor vehicle and pharmaceutical sectors, with slightly lower rates in the telecommunications, electricity and gas, and computer sectors. Larger firms reported a higher frequency of attempts or acts of misappropriation of information than small and medium firms, both inside and outside the EU. The parties identified as primarily responsible for such acts were competitors, former employees and customers.
A 2012 survey conducted by the Ponemon Institute produced staggering statistics on employee attitudes to information theft. Of the 3,317 survey respondents:
- 50% of departing employees had kept confidential information, and 40% planned to use that information in a new role;
- 60% stated that new employees arriving from a competitor had offered confidential information from their previous employer to their new one;
- on mitigation, 69% of employees stated that their company takes no action to prevent an employee from using information obtained from a competing company;
- 53% stated that their company takes no action when an employee removes sensitive business information. There was also a consensus that no one at the company would be able to know that the information had been taken, and that sharing it would not harm the previous company.
Defining the insider threat
A draft directive is currently before the European Parliament which, if passed, will require EU member states to transpose it into national law. However, the Directive is unlikely to go far enough, so the onus remains on the individual company to protect itself from threats posed by insiders. Enterprises must be clear about how they define an insider, and ensure the definition covers all employees, contractors and consultants, as well as vendors and external partners who have access to the enterprise's information assets. An organisation must also set clear direction on how such threats will be mitigated. Where the intent is malicious, the appropriate response may be a referral to law enforcement, depending on the legal jurisdiction and the enterprise's location. Where the compromise resulted from poor security behaviour, mitigation may range from enrolling the employee on an education programme to an internal disciplinary case, depending on severity.
Accountability and Governance
Any programme designed to mitigate this threat must have accountability and governance. The Chief Security Officer (CSO) must understand how this threat manifests itself internally and communicate the resulting risk to the organisation's board. Where the security risk exceeds the acceptable threshold, it should be placed on the Enterprise Risk Register. The CSO must then be named as accountable for this security risk and charged with defining a related corporate policy and compliance programme.
The success of any programme depends on the level of endorsement and support that leadership shows for it, and on the talent hired to deliver the programme's objectives. The tone must be set from the top, and individuals employed in this field should have a counter-intelligence background that complements their corporate knowledge and their ability to influence stakeholders. Additionally, all valuable intangible assets should be inventoried.
Poor security behaviour
Metrics on poor security behaviours must be captured so that the business can understand the value of the security programme. Where gaps are identified, it is the role of Security to work with stakeholders to close them and to refresh existing policies. Where the gaps concern security knowledge, an enterprise-wide learning programme must be delivered. This learning must be mandatory, accessible to all, reviewed regularly and form part of the enterprise compliance programme.
Education must be complemented by constant communication of the desired behaviours, for example a Clean Desk policy or enforcement of the Need-to-Know principle, thereby equipping colleagues with security knowledge. The programme must ensure that employees feel personally responsible for protecting the company's trade secrets and take ownership of their security-related behaviours.
Finally, there must be enforcement activity, namely investigations and discipline, delivered in a transparent manner. It is this holistic approach to the insider threat that will allow adequate mitigation.
Rowena Fell, MA CPP FSyI
Merck Sharp & Dohme
Associate Director, Intellectual Property & Trade Secret Protection Programme (EMEA)
Women’s Security Society Board Member