In the panel “Insider Risk: Mind Games” at the 2022 International Conference on Cyber Security on July 20, four experts on managing insider risk discussed the challenges that insiders pose to organizations and how their behaviors can be recognized and managed.
The event featured three panelists—James Dennehy, special agent in charge of the FBI’s counterintelligence and cyber division; Eric Shaw, Ph.D., a clinical psychologist and founder of a company that helps organizations manage insider risks; and Doug Thomas, head of insider threat in counterintelligence and workplace violence and a managing director at JPMorgan Chase—as well as the panel moderator, Elsine van Os, founder and CEO of an insider risk management consultancy firm in the Netherlands.
Problems Related to the Pandemic and the Great Resignation
There are four critical issues that impact insider risk management today, said Shaw: pandemic-related stressors, social identity stress, the rise of conspiracy theories, and new policies and practices that monitor former employees.
“The [pandemic-related stressors] pull directly on all the personal predispositions we associate with insider risk, whether it’s medical/psychiatric issues, personality, social skills issues, previous violations, or susceptibility to recruitment or social network risks,” Shaw said. “In psychology, we’re saying, ‘If there was a crack [before], now there’s a crevice.’”
Van Os said another issue that is negatively affecting insider risk management is the Great Resignation. When employees leave their prior workplace, they often take home sensitive company data, thus eroding the company’s value, she said.
FBI Security Measures: Multilayered and Still ‘Not Enough’
Dennehy, a special agent for the FBI, said that the insider threat protections at his job are multilayered—but they aren’t enough.
“I work for the FBI. I have access to top-secret information. I have access to all the investigations that the field office conducts. So our insider risk and insider threat program has to be pretty layered—and it is. I started a new job at the New Jersey field office on Monday, so last Friday was my last day in the New York City office. I tried to get into the New York City office today to return a car. They didn’t let me in. I said, ‘No no no, it’s Jim Dennehy!’ And they don’t care,” he said. “My access to the New York office and to all of its files was cut off immediately.”
And that’s only one security measure. Every five years, Dennehy is polygraphed to check if he is spying on the U.S. government or showing signs of becoming a terrorist, he said. He is required to disclose all of his finances to the U.S. government on an annual basis, in addition to undergoing drug tests and mental health evaluations. But that’s still not enough to protect the FBI from insider threats, he said.
In an insider threat study conducted by the FBI a few years ago, they found that hackers steal information by using their existing or shared credentials to increase their privileges in the company system, he said. In addition, there are likely double agents within the FBI, he said.
“There are probably Robert Hanssens that still work in the FBI. Probably—we just don’t know about it,” Dennehy said, referring to the former double agent who pled guilty to 15 counts of espionage in 2001.
‘I Want People to Be Engaged—For Their Sake’
Thomas said that one of the biggest challenges in insider risk management is convincing employees and executives that this is a real problem.
“Unless they’ve actually had it happen to them and they know about it— [and]it’s probably happened, they just don’t know about it … then it’s hard to convince the masses and the leadership that this really is a problem. It’s not a movie, it’s not just people with clearances, it’s not people who have access to weapon systems. This actually happens for real,” Thomas said. “I want people to be engaged—engaged for their sake, the firm’s sake, their coworkers’ sake—because if these things go wrong … it’s a big deal.”
In order to counteract insider threats, companies can seek to access more personal data from their employees, said Thomas. However, he added that they have to be sensitive about not being too intrusive.
“You have to be very careful about what kind of data you’re looking for, explaining why you want that kind of data, how you’re going to use it, how you’re going to protect it, and how you’re going to protect the reputations of the people you’re looking at,” Thomas said.
How to Protect a Company’s ‘Crown Jewels’
Dennehy explained how the FBI helps research institutions and businesses to manage their insider threats and protect their assets.
“What we want to do is …identify to us what your crown jewels are. What are your most protected assets besides your people? What information do you want to protect the most? And now let’s build your program around that.”
At the end of the panel, Dennehy applauded JPMorgan Chase, one of the biggest financial firms in the world, for developing an insider threat program. The company’s action also serves as a lesson to other organizations, he said.
“[JPMorgan Chase] probably learned because of mistakes. And they probably learned because of feeling the pain of that information going out the door,” Dennehy said. “Undetected, [the threat actors]could’ve taken down a billion dollar firm because that information could lead to the opening of a competitor company that’s now gonna take away their market share. And that’s where CEOs, CFOs, and C-suite are going to really start listening.”