One of the legacies of Edward Snowden's treason is that companies are now concerned about the insider threat more than they ever were before. He demonstrates that a single person inside an organization can devastate the organization. While technology should have caught Snowden, there is also the realization that his coworkers and managers should have noticed indications of unusual activities.
The question then becomes how do you train employees to tactfully recognize the signs of a malicious insider, without creating widespread distrust within an organization. Back when I worked at NSA, one of my coworkers pointed out two documents that both describe a fellow employee who was 1) always interested in what their coworkers are doing, 2) volunteers for extra assignments, 3) always works late, and 4) never takes a vacation. One of the documents was from human resources on how to get promoted. The other was from the security department describing how to tell if your coworker is a spy.
Clearly NSA employees failed to determine which side of the spectrum Snowden fell on, while employees at his past employer, the CIA, accurately determined his predisposition to commit espionage. Snowden demonstrates that even within organizations that should know better, detecting a malicious insider is hit or miss. How then is an organization outside of the Intelligence Community supposed to make their employees aware of the concern, especially without inspiring a witchhunt?
The problem is real. Malicious insiders have wreaked havoc in organizations of all types. While the IT world focuses on stories of rogue administrators, insiders in all roles carry out thefts and other malicious actions. While some wrongdoers are very clever and are able to cover their actions very well, the reality is that just about all malicious insiders show indications of their intent. This is relevant to awareness programs as their coworkers are in the best position to see those indications.
Balancing concerns of tact and awareness is delicate, but it must be done to maintain order. Generally, there are three requirements for awareness to be effective: 1) Understanding of the problem, 2) Knowledge of what actions to take, and 3) Motivation to take the appropriate actions. Generally understanding the problem should create motivation, but an effective awareness program must specifically ensure that it addresses both concerns. You can be aware an issue exists, while not being motivated to do anything about it.
The easy part of addressing the insider threat is that there are now many examples to help get the message across. People like Snowden and Bradley Manning are clear examples that it only takes one person to cause a lot of damage. While these individuals have become household names, it is better to use examples from your own company or industry. While some companies understandably do not like to highlight their own incidents, they can anonymize the cases. The message is actually simple, insiders are a big threat and do not ignore signs of questionable behaviors.
Sign up for Computerworld eNewsletters.