Detecting and preventing insider threats
Business leaders have for many years been focused on outside threats, but recent revelations about high-profile insiders have helped them recognize the need to be more proactive about handling insider threats that could endanger corporate assets or employees’ lives.
‘Insiders have access and permission because they know where the crown jewels reside inside an organization,’ says Scott Weber, who heads Stroz Friedberg’s insider threat business. ‘They know where to find things, while outsiders have to force their way in, fish around trying to figure out where important information is and what they’re going to do with it. In reality, insiders are much better positioned to do material harm to the business than an outsider because of that access to and knowledge of the organization.’
Boards are increasingly asking senior management members whether the company has a detection program, understanding that it’s ‘part of the care and loyalty they owe to the firm and to shareholders,’ Weber explains. ‘The obligation and the duty boards and officers owe to identifying and preventing insider threats is heightened more than it is regarding outsider threats because you can’t control outsiders. But when it comes to your own employees, you’re supposed to have policies and procedures in place, and you’re supposed to be able to monitor compliance with those policies and procedures.’
Stroz Friedberg has been working with many companies seeking help either to develop an insider threat program from scratch or to review an existing program and suggest modifications. Employers are also asking for a review of the tools they use to detect and prevent such threats, which generally fall into two categories: technical indicator tools and behavioral tools, Weber says. The first type looks at individuals’ interactions with data and systems within the company to find anomalous patterns, such as changes in the times they log onto a system or attempts to access secured areas of systems they haven’t been cleared for. The second type is fairly new and uses psycho-linguistic science and statistics to analyze the language in employee communications for anomalies in word choice and frequency of use.
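The two technical indicators Weber names (a shift in someone’s usual login times, and repeated attempts to reach areas they are not cleared for) are straightforward to express as detection logic. The example below is added here for illustration and is not Stroz Friedberg’s tool or code; the log lines, the key=value log format, the user codes and the restricted path prefixes are all constructed for the example, and the thresholds (one hour of slack around the observed login window, three denied requests) are arbitrary choices a real program would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system). The key=value layout is a
# hypothetical format chosen for the example; a real deployment would parse its own
# authentication and file-access logs instead.
BASELINE_LOG = """
2024-03-04T09:02:11 user=u1042 action=login result=success
2024-03-04T18:40:03 user=u1042 action=logout result=success
2024-03-05T08:55:41 user=u1042 action=login result=success
2024-03-06T09:10:27 user=u1042 action=login result=success
2024-03-04T07:45:00 user=u2077 action=login result=success
2024-03-05T07:51:12 user=u2077 action=login result=success
2024-03-06T08:02:30 user=u2077 action=login result=success
"""

REVIEW_LOG = """
2024-03-12T02:13:09 user=u1042 action=login result=success
2024-03-12T02:20:44 user=u1042 action=access resource=/finance/payroll result=denied
2024-03-12T02:21:02 user=u1042 action=access resource=/finance/payroll result=denied
2024-03-12T02:22:51 user=u1042 action=access resource=/hr/compensation result=denied
2024-03-12T07:58:00 user=u2077 action=login result=success
2024-03-12T10:15:33 user=u2077 action=access resource=/eng/wiki result=success
2024-03-12T10:16:01 user=u2077 action=access resource=/finance/payroll result=denied
"""

# Hypothetical "secured areas" for the example.
RESTRICTED_PREFIXES = ("/finance/", "/hr/")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def login_hour_baseline(records):
    """Per-user (earliest, latest) successful-login hour seen during the baseline window."""
    hours = defaultdict(list)
    for r in records:
        if r.get("action") == "login" and r.get("result") == "success":
            hours[r["user"]].append(r["ts"].hour)
    return {u: (min(h), max(h)) for u, h in hours.items()}


def detect(baseline_text, review_text, slack_hours=1, denied_threshold=3):
    """Return (user, indicator, detail) findings for the review window against the baseline."""
    baseline = login_hour_baseline(parse_log(baseline_text))
    findings = []
    denied = defaultdict(int)
    for r in parse_log(review_text):
        u = r["user"]
        # Indicator 1: a login outside the user's own observed window (plus slack).
        if r.get("action") == "login" and r.get("result") == "success" and u in baseline:
            lo, hi = baseline[u]
            if not (lo - slack_hours <= r["ts"].hour <= hi + slack_hours):
                findings.append((u, "off-hours login", r["ts"].isoformat()))
        # Indicator 2: denied attempts to reach restricted areas, counted per user.
        if (r.get("action") == "access" and r.get("result") == "denied"
                and r.get("resource", "").startswith(RESTRICTED_PREFIXES)):
            denied[u] += 1
    for u, n in denied.items():
        if n >= denied_threshold:
            findings.append((u, "repeated denied access to restricted resources", str(n)))
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE_LOG, REVIEW_LOG):
        print(finding)
```

Note that the baseline is per user, not global: u2077’s 07:58 login is normal for that account while a 02:13 login is anomalous for u1042, and a single denied request (u2077 at 10:16) is noise until it repeats. Either indicator on its own is a prompt for the broader review the article goes on to describe, not a verdict.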
Stroz Friedberg’s automated solution looks at all employee-generated communications sent via all methods the organization provides to employees, including emails, text messages, instant messaging and internal chat. Human review of these communications ‘occurs in less than 1 percent of the situations, and only if and when a person’s language over time reveals that he/she is presenting an at-risk posture and exhibiting one or more concerning behaviors detected in his/her language,’ says Weber.
The solution analyzes 60 different psycho-linguistic science categories, creates a mean score for each of them and then compares each individual against himself/herself over time. ‘If and when there is a material change in the statistical scoring of one or more of those categories, that would indicate someone who’s potentially at risk,’ Weber explains.
Those mean scores are also used to compare the anonymous individual with his/her peers to detect at-risk behavior. ‘If my disgruntlement score is a 5 and my peers’ is a 2 or 2.5, I’m an outlier, and therefore am likely presenting an at-risk posture,’ Weber says. ‘That would then trigger a human review of the emails that scored high for disgruntlement.’
He emphasizes that the solution knows employees’ communications only by code numbers, not names, unless an outlier score turns up in one or more categories. Only then does a ‘trained analyst or clinician put a face to that person and look at the substance of those communications,’ he explains. ‘Then that becomes one piece of a much broader review of the individual’ that looks at any atypical data behavior patterns, or might involve human resources to check whether co-workers have lodged complaints or a supervisor has noted anything in a recent review about the employee seeming distant, disconnected or no longer excited about his/her work.
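The three mechanics described in the preceding paragraphs (a per-category mean compared against the person’s own history, the same means compared against peers, and identities held as code numbers until an outlier is flagged) can be shown in a small working model. This is an added example, not Stroz Friedberg’s solution: the category names, the per-period scores, the code numbers and the identity vault are constructed, the upstream linguistic scorer that would produce such numbers is assumed rather than implemented, and the thresholds (three standard deviations against one’s own baseline, 1.75 times the peer mean) are arbitrary illustrations rather than anything the article states.

```python
import statistics

# Constructed sample data (not from any real deployment): per-period scores for two
# hypothetical psycho-linguistic categories, keyed by pseudonymous code number. The
# scores are assumed to come from an upstream scorer that is not shown here.
SCORES = {
    "E-0413": {  # code number, not a name
        "disgruntlement": [2.0, 2.2, 1.9, 2.1, 2.0, 2.3, 4.9, 5.1],
        "negativity":     [1.5, 1.6, 1.4, 1.5, 1.6, 1.5, 1.6, 1.5],
    },
    "E-0917": {
        "disgruntlement": [2.4, 2.5, 2.3, 2.6, 2.4, 2.5, 2.6, 2.4],
        "negativity":     [1.8, 1.7, 1.9, 1.8, 1.7, 1.8, 1.9, 1.8],
    },
    "E-1188": {
        "disgruntlement": [2.1, 2.0, 2.2, 2.1, 2.0, 2.1, 2.2, 2.0],
        "negativity":     [1.4, 1.5, 1.4, 1.6, 1.5, 1.4, 1.5, 1.6],
    },
}

# Hypothetical identity mapping, kept apart from the analytics and consulted only
# after a flag is raised.
IDENTITY_VAULT = {"E-0413": "employee A", "E-0917": "employee B", "E-1188": "employee C"}

BASELINE_PERIODS = 6          # first N periods establish each person's own baseline
SELF_Z_THRESHOLD = 3.0        # "material change" against one's own history (illustrative)
PEER_RATIO_THRESHOLD = 1.75   # recent mean vs. peer recent mean (illustrative)


def self_change(series, baseline_periods=BASELINE_PERIODS, z=SELF_Z_THRESHOLD):
    """True if the mean of the post-baseline periods departs from the person's own
    baseline mean by more than z baseline standard deviations."""
    base, recent = series[:baseline_periods], series[baseline_periods:]
    if len(base) < 2 or not recent:
        return False
    mu, sd = statistics.mean(base), statistics.pstdev(base)
    sd = max(sd, 0.1)  # floor so a nearly flat baseline does not flag trivial noise
    return abs(statistics.mean(recent) - mu) / sd > z


def peer_outlier(code, category, scores,
                 baseline_periods=BASELINE_PERIODS, ratio=PEER_RATIO_THRESHOLD):
    """True if the person's recent mean exceeds the peer group's recent mean by the ratio."""
    recent = scores[code][category][baseline_periods:]
    peers = [statistics.mean(scores[p][category][baseline_periods:])
             for p in scores if p != code]
    if not recent or not peers:
        return False
    return statistics.mean(recent) > ratio * statistics.mean(peers)


def screen(scores):
    """Run both comparisons over every code number and category; nobody is unmasked here."""
    flags = []
    for code, cats in scores.items():
        for cat, series in cats.items():
            reasons = []
            if self_change(series):
                reasons.append("material change vs own baseline")
            if peer_outlier(code, cat, scores):
                reasons.append("outlier vs peers")
            if reasons:
                flags.append((code, cat, reasons))
    return flags


def refer_for_review(flags, vault):
    """Resolve only the flagged code numbers to a person, for the analyst queue."""
    return [(vault[code], cat, reasons) for code, cat, reasons in flags]


if __name__ == "__main__":
    flagged = screen(SCORES)
    print(flagged)
    print(refer_for_review(flagged, IDENTITY_VAULT))
```

Here E-0413’s disgruntlement jumps from a baseline around 2 to around 5, which trips both the self-comparison and the peer comparison (the peers sit near 2.1 to 2.5, much as in Weber’s example), while every other series stays within its own noise and nobody else is unmasked. The separation between `screen` and `refer_for_review` is the point: the analytics never need the vault, and the vault is only opened for the flagged rows.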
By ‘trying to bring all these things together to get the most complete picture of the individual in a preventative way’, companies can ‘proactively address an employee who is potentially at risk and do so in a way that’s helpful to both the employee and – hopefully – to the organization,’ Weber says.
Stroz Friedberg has used its proprietary solution to support investigations for more than a decade, but has been seriously marketing it as an early-warning tool for only seven months. Weber says use of the tool has been growing but won’t provide any data.
Making monitoring clear
Companies contacting Dr Sharon Smith, president of consulting firms Threat Triage and Forensic Psycholinguistics, are concerned about whether communications they have received or uncovered at work are coming from individuals likely to inflict harm. ‘They’re trying to provide security for their physical facilities, as well as for workers,’ she says.
Smith, a retired special agent in the FBI’s Behavioral Science Unit who has developed software companies use to analyze concerning language, says, ‘When [people are] in predatory mode, I believe it shows up in their language use. There could well be a direct connection with someone thinking about doing corporate espionage or sabotaging [a company’s] computer software.’
Many US companies have a systems use-and-monitoring policy that they ensure employees understand, which limits employees’ expectations about their right to privacy when using the company’s systems in the workplace. These policies typically define the company’s monitoring rights and the disciplinary action they are permitted to take in response to employee violations. Companies that don’t have such clearly defined policies are far more vulnerable to employee lawsuits if they implement a software solution such as those designed to detect and prevent insider threats, says Sonya Rosenberg, a partner in Neal Gerber & Eisenberg’s labor & employment practice group.
Employees do not necessarily need to sign off on such policies individually to affirm their consent to monitoring. For example, the policy may be included as part of an employee handbook, and employees may sign an acknowledgment of having received and agreed to abide by the policies contained in it, she says.
‘Some employers with more pronounced concerns in this area will distribute these kinds of communication system policies as stand-alone policies and require individual acknowledgment and sign-off of them,’ Rosenberg notes. ‘And that may be a great way to go because such a sign-off serves as strong evidence that the employee consented to monitoring.’
In many other countries, employees have much more say about their privacy rights in the workplace. ‘For global companies it requires a nuanced approach because in places like Europe, it’s almost the opposite [of the US] where there’s a rebuttable presumption that employee monitoring is almost off-limits,’ says Aaron Simpson, a partner at Hunton & Williams whose focus is on complex privacy and security matters. Still, given rising concern about insider threats, he sees a need for companies operating in such countries to strike a better balance between their use of security tools and employees’ privacy rights than they have previously done.