On May 31, 2017, all cleared government contractors are required to complete insider threat employee awareness training prior to being granted access to classified information. The regulation mandates that the training take place annually. The requirement is part of the National Industrial Security Program Operating Manual (NISPOM) Change 2, a regulation issued in May 2016 by the Under Secretary of Defense for Intelligence which requires cleared contractors to establish and implement insider threat programs.
The objective of this insider threat awareness training requirement is threefold. First, for contractors to clearly understand the consequences of breaking the rules. Second, to teach contractors how to identify common behavior patterns of individuals so they can easily spot unusual behavior. Third, to inform contractors who they should contact if they notice something unusual that may indicate an insider threat.
To test the stickiness of the training requirements, I thoroughly read them one night, woke up the next morning and wrote down what I remembered. The first two parts – consequences and common insider threat behaviors – I recalled clearly. However, the third part, who to contact, I completely forgot, and this was no more than eight hours after reading them.
My point is that while the training mandate is a positive step, holding it just once a year makes it less effective. During the past 20-plus years working in government, in addition to majoring in psychology, I have learned the best way to retain a lot of information is to break it into smaller chunks. Insider threat awareness training encompasses a wide swath of lessons. From identifying the indicators of unusual behavior to understanding the penalties for committing cybercrimes, to knowing who to report what kind of information to and how to report it, it is a lot of information to absorb in one sitting, and it should be consistently reinforced throughout the year.
Effective reinforcement for insider threat training should be broken up into 7-10 minute sessions at least once a quarter, or even better, as policy violations happen. Based on data coming from our Risk Fabric analytics software, in 90 percent of data loss prevention incidents – meaning when employees leak sensitive data outside an organization – the employees are legitimate users who innocently send out data for business purposes. They are exhibiting normal employee behavior to their peers and department, even though it might be in violation of the established policy. In these cases, if training occurs near the point in time the violation happens, it will be much more effective at changing the behavior. Our data shows when employees are called out by their employer, close to 80 percent make changes so they are more security-conscious.
Quarterly training should also center around tests. At least once a quarter, contractors should take a test asking them basic insider threat awareness questions. They should then go through follow-up training that specifically focuses on the questions they answered incorrectly.
While insider threat awareness training is a key component of third-party vendor risk management, it is just one component of a much larger program. Continuous monitoring of all contractor users is essential. Agencies should understand what each contractor is doing on their network, what kind of information they access, the value of that information and how they access it. They should have technologies and processes in place that identify unusual behaviors and prioritize threats that put their most mission-critical assets at risk of compromise.
An even more targeted approach is implementing contract-based monitoring. Agencies should focus on the key contracts that bring the most risk to the organization and devote their best resources to minimizing that risk. For example, if a contract ties to a project that, if compromised, could cost human lives, then the agency that owns the contract should make sure the tightest security measures are in place – continuous monitoring, data loss prevention, frequent risk assessments and training – and ensure that the threats and vulnerabilities that could compromise valued assets within that contract are prioritized and mitigated immediately.
Finally, accountability for good cyber hygiene and compliance should not rest solely on insider threat officers within agencies. Contracted project managers have a responsibility to protect their client’s (which is in many cases our nation’s) valuable information assets.
They should ensure risky user behavior is addressed and mitigated before it’s too late.
Thomas Jones is a Federal Systems Engineer at Bay Dynamics. With more than 25 years of experience in information technology, he’s held roles as a federal contractor, sales engineer, solutions architect, system engineer, network engineer and senior consultant working with the federal government. He spends large portions of his work week in the trenches with IT professionals working to ensure cybersecurity and availability for the federal government.