Insider Threats in Federal Government: The Data and the Response
Federal government agencies could commit more than $1 billion in fiscal 2017 to insider threat countermeasures, according to Bloomberg Government data. A 2017 survey of Federal cyber security professionals provides insight into what’s driving this expenditure.
Insider Threat Examples in the Government
Insider threats in government are categorized just as they are in private industry: oblivious and negligent insiders, malicious insiders, and professional insiders. And the results can include loss of intellectual property, loss of employee or constituent data, and an impact on national security.
The Federal government is a particularly enticing target for malicious and professional insiders due to the massive amounts of data stored by agencies.
Edward Snowden is probably the best-known insider attacker in the government realm in recent years, but 2017 alone saw several more insiders exposed. NSA contractor Reality Winner was charged with sharing classified information with a news organization. Harold T. Martin III was accused of stealing millions of pages of classified material from the NSA. And a State Department employee was recently charged with leaking information to China in return for gifts. The motives of these individuals may differ, but the result is the same: sensitive data compromised by someone who was trusted with access to it.
Findings on Insider Threats in the Federal Space
MeriTalk surveyed 150 Federal cyber security professionals earlier this year. Here’s what these professionals said regarding insider threats in their environments:
- 85% of Federal IT managers say their agency is more focused on combating insider threats today than one year ago.
- 86% say their agency has a formal insider threat prevention program, up considerably from 55% in 2015.
- Federal IT managers say their agency has been the target of cyber incidents perpetrated by insiders (either malicious or unintentional) at roughly the same rate as two years ago – 42% in 2017 vs. 45% in 2015.
When asked why insider threats are more challenging today, the professionals cited three key factors:
- Cloud adoption: 59% say the increasing number of cloud-based systems has made insider threats more difficult to detect.
- Endpoint multiplication: 56% say the number of endpoints that access their networks has grown by more than 25% over the past three years.
- Remote workforce: respondents estimated that 32% of their agency’s workforce logs on to their network from a remote location at least once per week.
The survey found that Federal agencies that have lost data to insider incidents are significantly less likely than those that have not lost data to say their programs include a formal threat detection protocol, including the detection of suspicious behaviors.
Data breach lag time – the time between when a data breach begins and when it is detected – can have a dramatic impact on the cost to mitigate. In the Federal space, data breach lag time is significant. Just 19% say their agency can detect and report unauthorized access in real time. On the positive side, agencies prioritizing insider threat response are significantly more likely than other agencies to be able to detect and report unauthorized access in 30 minutes or less (52% compared to 30%).
Advice to Prevent Government Insider Threats
Cyber security professionals surveyed reiterated tried-and-true advice – a least privilege access policy, encryption, and strong authentication – as key tactics in the battle against insider threats. But they also advocated for monitoring technology that detects and reports on insider activity, with one professional offering this advice:
“Beef up real time monitoring and budgets”.
Online monitoring technology can help government security professionals stay vigilant regarding insider threats by:
- Building a baseline of normal employee behavior – which systems and data each user routinely accesses, from where, and at what times – so that it is possible to identify when contractors, remote staff, or in-office staff access information they are not supposed to access.
- Delivering immediate, tailored alerts to reduce data breach lag time. By comparing live activity against that "normal" profile, rather than waiting for an audit or an outside tip, agencies can cut the time to detection from months or years to hours or days.
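The baselining approach described above, as an added worked example (written for this article, not code from any agency or monitoring product): it learns each user's normal resources, working hours, access locations and daily volume from historical access events, compares each user against peers in the same role, and then flags new events that fall outside that baseline. The log format and all sample events are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access-log format assumed for this example (not a real product's format):
# <ISO timestamp> user=<id> role=<role> resource=<path> src=<onsite|remote>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"resource=(?P<resource>\S+) src=(?P<src>\S+)$"
)

# Constructed historical events used to learn "normal" (a month of quiet activity).
HISTORY = """\
2017-05-01T08:15:02 user=jsmith role=analyst resource=/cases/2017 src=onsite
2017-05-01T10:42:11 user=jsmith role=analyst resource=/reports/weekly src=onsite
2017-05-02T09:03:27 user=jsmith role=analyst resource=/cases/2017 src=onsite
2017-05-02T16:20:45 user=jsmith role=analyst resource=/cases/2017 src=onsite
2017-05-03T11:05:19 user=jsmith role=analyst resource=/reports/weekly src=onsite
2017-05-01T09:30:00 user=mlee role=admin resource=/infra/config src=onsite
2017-05-02T13:12:08 user=mlee role=admin resource=/infra/users src=remote
2017-05-03T18:40:51 user=mlee role=admin resource=/infra/config src=remote
2017-05-03T12:00:00 user=rkhan role=analyst resource=/cases/archive src=onsite
""".splitlines()

# Constructed new events: an analyst pulling data at 2 a.m. from a remote location,
# including a resource that nobody in the analyst role has ever touched.
NEW = """\
2017-06-05T02:14:33 user=jsmith role=analyst resource=/cases/archive src=remote
2017-06-05T02:15:01 user=jsmith role=analyst resource=/infra/users src=remote
2017-06-05T02:15:40 user=jsmith role=analyst resource=/cases/2017 src=remote
2017-06-05T02:16:12 user=jsmith role=analyst resource=/cases/2017 src=remote
2017-06-05T02:17:05 user=jsmith role=analyst resource=/cases/2017 src=remote
2017-06-05T09:10:00 user=jsmith role=analyst resource=/cases/2017 src=onsite
2017-06-05T14:00:00 user=mlee role=admin resource=/infra/config src=remote
""".splitlines()


def parse(line):
    """Parse one log line into a dict; reject anything that does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def build_baseline(lines):
    """Summarise observed behaviour per user, plus the resources seen per role (peer group)."""
    users = defaultdict(lambda: {"resources": set(), "hours": set(),
                                 "srcs": set(), "daily": Counter()})
    roles = defaultdict(set)
    for ev in map(parse, lines):
        u = users[ev["user"]]
        u["resources"].add(ev["resource"])
        u["hours"].add(ev["ts"].hour)
        u["srcs"].add(ev["src"])
        u["daily"][ev["ts"].date().isoformat()] += 1
        roles[ev["role"]].add(ev["resource"])
    return users, roles


def score_event(ev, users, roles):
    """Return the list of baseline deviations for one event (empty list = normal)."""
    u = users.get(ev["user"])
    if u is None:
        return ["unknown_user"]
    reasons = []
    # Peer-group check first: a resource no one in the role uses is the stronger signal.
    if ev["resource"] not in roles.get(ev["role"], set()):
        reasons.append("resource_outside_role_peer_group")
    elif ev["resource"] not in u["resources"]:
        reasons.append("resource_new_for_user")
    # Working-hours window is the span of hours seen in history, not an exact-hour match,
    # so a sparse baseline does not flag every unseen hour.
    if not (min(u["hours"]) <= ev["ts"].hour <= max(u["hours"])):
        reasons.append("off_hours")
    if ev["src"] not in u["srcs"]:
        reasons.append("new_source")
    return reasons


def detect(history_lines, new_lines, spike_factor=2):
    """Score a batch of new events against the baseline built from history.

    Returns (event_alerts, volume_alerts): per-event deviations, plus (user, day)
    pairs whose event count exceeds spike_factor x that user's busiest baseline day.
    """
    users, roles = build_baseline(history_lines)
    event_alerts, batch_daily = [], Counter()
    for line in new_lines:
        ev = parse(line)
        batch_daily[(ev["user"], ev["ts"].date().isoformat())] += 1
        reasons = score_event(ev, users, roles)
        if reasons:
            event_alerts.append({"line": line.strip(), "reasons": reasons})
    volume_alerts = {}
    for (user, day), n in batch_daily.items():
        hist = users.get(user)
        busiest = max(hist["daily"].values()) if hist else 0
        if n > spike_factor * max(busiest, 1):
            volume_alerts[(user, day)] = n
    return event_alerts, volume_alerts


if __name__ == "__main__":
    alerts, spikes = detect(HISTORY, NEW)
    for a in alerts:
        print(", ".join(a["reasons"]), "<-", a["line"])
    for (user, day), n in spikes.items():
        print(f"volume spike: {user} generated {n} events on {day}")
```

Two design points matter in practice. The peer-group check (does anyone in this role use that resource?) is ordered before the per-user check because a first-time access by one user to a resource their peers use routinely is usually onboarding or a new assignment, while access to something the whole role never touches is the pattern in the cases cited above. And the baseline here is learned from a few days of constructed events; with a real month or more of history, the working-hours window and daily-volume threshold should be tuned per user, and alert volume reviewed, before the rules are allowed to page anyone.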