Insider Threat Awareness

An Insider Threat

Any person with authorized access to any United States Government resources, such as personnel, equipment, networks or systems, who poses a malicious threat, wittingly or unwittingly, and who intends to do harm to the security of the United States or that organization.

Detecting an Insider Threat is identifying and/or describing the different behavioral indicators of people who become an insider threat.

Behavioral Indicators include, but are not limited to:

  • Unreported requests for critical assets/information outside official channels or mishandling of sensitive information.
  • Unreported offer of financial assistance, gifts, or favors by a foreign national or stranger.
  • Seeking to gain higher clearance or expand access outside the job scope.
  • Working hours inconsistent with job assignment or insistence on working in private.
  • Divorce or other significant change in circumstance.
  • Displaying questionable loyalty to U.S. government or company.
  • Conflicts with supervisors and coworkers.
  • Unexplained absenteeism or tardiness.
  • Engaging in exploitable behavior.
  • Repeated security violations.
  • Attempting to enter areas not granted access.
  • Failure to report overseas travel or contact with foreign nationals.
  • Engaging in classified conversations without a need-to-know.

Not every person who exhibits these identifying indicators is involved in illicit behavior, but most who have been caught were later found to have displayed one or more of these indicators.

Deter an Insider Threat

  • If you suspect a possible Insider Threat, whether malicious or unintentional, you must immediately REPORT it.
  • Waiting for a situation to get to that threshold may be acting too late.
  • Never assume someone else will report something you know!
  • Failing to report may result in disciplinary action up to and including termination and criminal and/or civil sanctions.
  • Employees with a PCL have an additional legal obligation to report based on the documents signed during their indoctrination.

All reports are held with strict confidentiality and the details are shared only with the minimum number of people required to complete the investigation. Determinations are made within that investigation on elevating that reporting obligation to the proper authorities (DSS/FBI).

REMEMBER – Report any indicators to your Insider Threat Program Senior Official or your security team without fear of reprisal at any time.

Mitigate an Insider Threat

Involve different departments within the Insider Threat Program for early detection (IT, Legal, Human Resources, etc.) via your Insider Threat Program Plan.

  • Implement strict password and account management policies and procedures.
  • Enforce separation of duties and least privilege.
  • Define explicit security agreements for any cloud and network services.
  • Clearly document and consistently enforce policies, procedures and controls.
  • Anticipate and manage negative issues within the work environment around you.
  • Know your assets.
  • Follow access controls and monitoring policies provided.
  • Develop a comprehensive employee termination procedure.
  • Implement secure backup and recovery processes.
  • Establish a baseline of normal network device behavior.
  • Be especially vigilant regarding social media.
  • Close the doors to unauthorized data exfiltration.

Beyond this training, additional resources can be found at the Center for Development of Security Excellence, or you can contact your security team.

As a PCL employee, you have a legal obligation to report certain events, not only about yourself but about your coworkers as well.