Insider Threats: More Than Just an IT Problem.

• Author: Patterson, Mike

* When once-reliable employees turn against their company, severe damage can result. The 1999 cult comedy classic Office Space provides a humorous example. Peter Gibbons, a software programmer fed up with being mistreated, uploads a virus to steal money from the company. However, Peter's plan goes awry, and he steals even more than he intended.

Although Office Space is a comedy, its plot provides a powerful lesson of an employee becoming an insider threat. Protecting vital corporate data and networks when "good guys go bad" requires more than monitoring for technological indicators of insider threats. Companies must also screen for the human factors that could indicate a developing problem. Facing a growing body of cybersecurity compliance obligations, defense suppliers should leverage best practices in strategic human resource management to preempt developing insider threats.

Companies increasingly rely on enterprise databases accessible across their workforce. With increased employee access to company data, risk of malicious release of information is a significant threat. In 2015, a report from McAfee noted 33 percent of internal actors took employee information, 27 percent took customer information, and 15 percent took intellectual property.

According to a 2018 Cybersecurity Insiders survey of cybersecurity professionals, employees who become insider threats tend to target vulnerable assets like "confidential business information," "privileged account information like passwords," "sensitive personal information," "intellectual property" and "employee human resources data." Corporate stakeholders see threats against these assets as particularly damaging.

Given the growing insider risk to these valuable assets, developing a holistic approach to tracking threats is an important cybersecurity goal. Furthermore, National Institute of Standards and Technology Special Publication 800-171 requires that companies provide security awareness training on recognizing and reporting insider threats. While information technology leaders understand insider risk, they commonly lack the expertise and authority to address the problem through educational and behavioral approaches. Employees outside the IT department may bring more suitable skills to identifying the profiles and mitigating the motivation behind potential threats.

Companies should prioritize identifying sources of employee risk and develop monitoring strategies. Knowing what causes an insider...