Training for the Threats from Within: Insider Threats
The story of the Trojan Horse lingers today. The large wooden object that the Trojans thought to be a sign of victory over the Greeks was gladly welcomed within the indestructible walls of Troy. Little did they know, the horse that they willingly received into the city caused their destruction. The walls that the Greek enemy could not overcome were ultimately compromised by the Trojans themselves. Why has this story lasted the test of time?
Perhaps it is because it illustrates one of the largest vulnerabilities a culture, group, organization, or company has. Today, we call them Insider Threats. Like the Trojan Horse, an Insider Threat is any individual who is given access to an organization’s assets, intellectual property, facilities, or other critical infrastructure and then uses that access to cause harm, intentionally or unintentionally, to the organization or its people. As recovery from the pandemic continues, Insider Threats will require increased attention from organizations. For many organizations, pre-pandemic work occurred primarily in an office setting and perhaps on the road by business travelers. Now, organizations are endeavoring to normalize the work-from-home setting. Insider Threat preparedness must be a focus throughout this process, and training is a powerful way to prevent your organization from experiencing its own Trojan Horse.
Training is powerful because it creates awareness and understanding. With awareness and understanding comes the ability to prevent, respond to, and recover from Insider Threats. To accomplish this, it is important to begin with the ways Insider Threats happen: (1) Violence, whether terrorism or workplace violence, (2) Espionage, (3) Sabotage, whether physical or cyber, (4) Cyber, intentional or unintentional breaches of information systems, and (5) Theft of physical property, intellectual property, or financial information. In addition to these methods, there are warning signs for each that offer the potential for early recognition and intervention. Incorporating this information in a tiered training program throughout your organization creates the opportunity for this early recognition and intervention enterprise-wide, and hopefully for prevention as a result. Notably, organizations may prioritize the tiers discussed below differently; however, each element needs implementation for a comprehensive program.
One tier includes the implementation and training of a multi-disciplinary Threat Management Team (TMT) responsible for assessing and managing Insider Threats. Consisting of personnel from disciplines like Human Resources, Security, Legal, and others, this team should receive training for Insider Threats similar to what is recommended by the ANSI ASIS WVPI AA-2020 National Standard for Workplace Violence. A Threat Management Team requires “the most detailed and comprehensive training regarding the behavioral or psychological aspects” of Insider Threats. The Standard also outlines “violence risk screening, investigatory and intervention techniques, incident resolution, and multidisciplinary case management strategies”, which are relevant for Insider Threat TMT training as well. Covering these areas in relation to each of the methods from the previous paragraph builds a formidable foundation for a TMT.
Depending on the organizational size and structure, this training may also include an executive sponsor. Alternatively, a truncated version of this training may be provided for larger organizations that have a separate group from the TMT that governs an Insider Threat program.
A second tier of training would be designated for frontline management personnel, the people leaders. While they don’t require the depth of training a TMT should receive, they must know how to recognize behaviors of concern in their subordinates and know what to do about them. This layer of training should go beyond an awareness that there are concerning behaviors related to Insider Threats and that they should be reported when noticed. For example, it may be prudent for a manager to better understand the concept of “steady-state behavior”. If a subordinate is known to be grumpy between 8:00 AM and 10:00 AM every morning, that’s not necessarily concerning behavior, particularly if that’s the only behavior the individual shows that might otherwise be concerning. It is behavioral change that should raise attention and potential concern, particularly if several behavioral changes are clustered together. While awareness training may only discuss reporting these behavioral changes, managers should know what to do in these instances. In all, managers must build relationships with their people so they can understand when someone may be struggling and on the potential path to becoming an Insider Threat.
A final tier of training, as you might imagine, is awareness training. Awareness training for everyone is pivotal. Remember that Insider Threats may be unintentional in some cases. Therefore, awareness training can have a significant impact on reducing these kinds of threats because creating awareness will inherently identify how personnel may have been previously creating vulnerability. However, awareness training can also help prevent potential intentional threats. Insider Threat awareness training provides everyone with a baseline understanding of what to be mindful of, what behaviors may be concerning for each method, generally what to do when concerning behavior is noticed, and how to survive emergency situations resulting from Insider Threats. In addition, it is important that this training is not punitive, but rather implemented as part of a culture dedicated to safety and well-being. However, if done properly, reports of concerning behavior may increase, so it is important that those who may receive reports are prepared beforehand.
Insider Threats are a growing concern for organizations. What was interesting about the Trojans, and partially why the story of the Trojan Horse is so powerful, is that they placed significant value in horses. Horses, which were such a strong part of their culture, became their reckoning. Today, people are similarly the backbone of organizations, and organizations must prepare lest they experience their own Trojan Horse. Tiered Insider Threat training is a place to begin.
ABOUT THE AUTHOR
Jake Newton
Vice President, Security Solutions
CPPS programs have been utilized by over 50 percent of Fortune 100 corporations, over 1600 colleges and universities and many of the largest non-profit/charitable organizations across the globe. CPPS has trained over 10 million individuals in Best Practices related to their personal safety and resilience including: Situational Awareness, Workplace Violence Prevention, Active Shooter Response, Travel Safety, and Kidnap Survival.