When people think about cybersecurity and protecting a company, organization or government agency’s networks and data, they picture cyberwarriors doing battle against sophisticated hackers, opposing nation states or hacktivist groups. And while that’s certainly part of the job, they often fail to consider the other threat to an organization’s networks and data – their own employees.
The insider threat – the cyber risk or cyber threat that originates within the organization – is very real for many companies and government agencies. And studies show that insider incidents are increasing in frequency and are extremely difficult, time consuming and costly to mitigate.
According to the Ponemon Institute’s 2020 Cost of Insider Threats Report, the frequency of insider incidents has tripled since 2016. The report also found that insider incidents take an average of 77 days to contain and have an average cost of $11.45 million to mitigate. And while those numbers are frightening, what’s most troubling about insider threats is how difficult they are to identify and prevent.
TransUnion, the consumer credit reporting agency that also offers credit scores, credit reporting and other credit services, recently released their Insider Threat Insight Guide to help companies identify these malicious insider threats and take appropriate action to mitigate insider incidents. The guide claims that financial distress is a large indicator of which employees may become insider threats, and illustrates that a rather large percentage of the federal workforce could be at risk for perpetrating insider incidents.
To get more information on insider threats, how to identify them and how to mitigate them in the federal government and military, we recently sat down with Jonathan McDonald, EVP and head of TransUnion’s public sector business. During our discussion, Jonathon shared warning signs for insider threats and illustrated just how large of a concern this could be for the government and military.
Here is what he had to say:
GovCybersecurityHub (GCH): What is a malicious insider threat and how is it distinctly different from other types of insider threats? Are they more harmful?
Jonathan McDonald: A malicious insider threat is when an individual with authorized access to an organization’s assets – people, intellectual property or systems – and purposefully and wittingly does something nefarious to cause substantial harm.
Witting actors tend to cause more harm to an organization as compared to unwitting actors – think compromised or careless users who accidentally transmit information into the wrong hands – because of the severity of their actions and resulting negative outcomes. Outcomes may include espionage, selling secrets for monetary or personal gain; sabotage, purposefully harming or destroying an organization’s assets; or workplace violence.
GCH: What role does financial stress play in driving malicious insider threats?
Jonathan McDonald: According to Shaw and Sellers Critical Path Model, people undergo stresses in life with varying degrees of coping mechanisms. Financial stress due to excessive debt, for example, can be one of these stressors.
If the proper coping mechanisms are not there the person could decide to alleviate their financial stress by stealing or selling secrets. History has also shown us that some insider threats emerge from an individual’s greed and desire for substantial material gain.
GCH: Is the military at particular risk for malicious insider threats? How does the military compare – in terms of percentage of employees at risk of financial distress – to other industries and organizations?
Jonathan McDonald: The military does not have any greater risk for malicious insider threats than any other agency, department or corporation. Other TransUnion studies have shown the military actually fares slightly better than other departments in the government when it comes to financial stress.
However, as a whole, the government has a greater number of persons in financial distress and in greater debt than a random sampling of the population of the U.S. at large.
GCH: What should government agencies be looking for when trying to identify employees that may become malicious insider threats? Are there warning signs? What can military and government organizations do to mitigate insider threats?
Jonathan McDonald: A common framework is the Critical Path Model by Shaw and Sellers. In this model agencies are looking for stressors in life and concerning behaviors. Stressors could be life events such as marriage, divorce, family member death or family member illnesses. They also can be financial and professional – such as a demotion.
Concerning behaviors could be things like unauthorized travel, interaction with foreign actors, increased destructive behavior such as breaking the law, and becoming an introvert at work, for example. Looking for these things and performing a legal and thorough investigation is critical to preventing a possible insider threat event.
GCH: TransUnion is not a cybersecurity company. What role is TransUnion playing in helping government agencies and the military combat insider threats?
Jonathan McDonald: TransUnion is helping agencies understand what stressors may be occurring in a person’s life and what concerning behaviors they may be engaged in outside their place of employment. We help them design monitoring programs to be alerted when these events occur. Finally, we help agencies measure the effectiveness of their Employee Assistance Programs by performing longitudinal studies to measure, for example, the decrease in the number of persons in financial distress due to a new financial wellness program.
We are able to leverage financial information, public records, alternative data sources and device reputation analytics to provide a holistic view of an organizations exposure to potential or active insider threats.
For additional information about TransUnion and to access the Insider Threat Insight Guide, click HERE.