Your organization is at risk every day from outsiders seeking to acquire your sensitive and proprietary information for their own gain, whether political or financial. It is therefore critical that your insider threat plan include a strategic approach to managing this risk. The case of Su Bin pleading guilty to selling F-35 secrets to China is one example of how much effort, and investment of time in an insider, a well-resourced outsider may be willing to exert to obtain your proprietary data. Relatedly, stolen trade secrets are estimated to cost the U.S. between $225 billion and $600 billion annually.
A few questions that your senior leadership team should initially consider for managing the risk of outsiders recruiting your insiders include:
- Who could target your organization or cause your organization unintended harm? Depending upon your organization’s critical assets and mission objectives, this might include state actors (e.g., foreign intelligence services) or non-state actors (e.g., politically motivated activists, cyber criminals).
- Why would your organization be targeted for infiltration by an outsider? Your organization could be targeted by outsiders seeking revenge (e.g., disgruntled former employees), foreign adversaries seeking economic or industrial competitive advantage, ideological individuals seeking to sabotage your operations, or cyber criminals seeking personally identifiable information (PII) or other sensitive data to sell on the black market.
- How could your insiders be targeted by outsiders? Outsiders could elicit sensitive insights into your organization from unwitting employees, or recruit witting employees who, in exchange for payment, provide access to sensitive information, including networks or hard-copy documents.
- What are the implications of an insider incident at your organization? Depending upon the outsider’s motivation for recruiting an insider, your organization could suffer harm in the form of mission impediment or sabotage, reputational or corporate brand embarrassment, profit loss, or threats to the personal safety of your staff.
The following recommendations will help you prevent, detect, and respond to the risk of outsiders recruiting your trusted insiders:
- Accept outsider risk as an enterprise responsibility. Your assets are critical for a reason: if they are of value to you, then they are likely of value to an outsider or adversary. If you have not thought about this type of threat before, or it is not ‘on your radar’, that is okay.
- Determine whether your organization should develop a formal insider threat and/or counterintelligence program. One way you could do this is by establishing an insider threat task force to review what your organization needs, reflecting its size, maturity, and future growth.
- Provide your staff with training on how state (e.g., foreign intelligence services) or non-state (e.g., cyber criminals) actors might target them, physically or virtually. Examples of the pressures an outsider may exploit include money or health issues. Encourage your staff to understand that if they are targeted and subsequently asked to provide or obtain sensitive information for an outsider, they will not be reprimanded for reporting the incident. Include a discussion of how they can be targeted through social media channels such as LinkedIn, Facebook, and others.
- Provide your workforce with clear guidance and policies that equip them to serve as your organization’s first line of defense against outsider risk.
Senior leadership at your organization must accept that if you do not proactively get to know your workforce, an outsider might, which could result in direct harm to your organization. Do not wait for an incident to place your organization in a reactive state when you can proactively start a discussion today to raise awareness within your senior leadership team and across your enterprise.