How governments and companies can prevent the next insider attack

In 1984, for example, Indian Prime Minister Indira Gandhi was killed by two of her own Sikh bodyguards, one of them a trusted favorite. Her security chief had even warned her to remove the Sikhs from her guard, citing Sikh anger about an Indian military attack on Sikhism’s holiest site, the Golden Temple.

Missing the red flags
One of the most striking elements of the cases in our study is how organizations ignore even the most obvious and alarming red flags. U.S. Army biodefense researcher Bruce Ivins, for example, complained about his increasingly dangerous paranoia in an email to a colleague. Ivins even speculated about being mentioned in newspaper reports with the headline: “Paranoid man works with deadly anthrax.”

No one reported, or acted on, that or any of his many other signals that something was amiss. Instead, his coworkers wrote them off as harmless eccentricity. Even when an employee told his boss that she feared he would attack her, no action was taken.

Companies and government agencies must provide strong incentives for their employees to report worrying behavior – including clear and well-enforced reporting rules, and recognition for those who do the right thing. Those efforts should make clear that in some cases, the result of reporting will be that a troubled colleague gets much-needed help.

Disgruntlement dangers
Employees who are upset are far more common than mentally disturbed ones, and therefore more likely to pose an insider threat. One studyof insider cyber-sabotage found that 92 percent of the cases examined occurred “following a negative work-related event such as termination, dispute with a current or former employer, demotion, or transfer.”

More than half of the insiders in these cases were already seen as disgruntled before the incident occurred. Fortunately, simple steps can combat employee dissatisfaction. These include providing effective processes for making and resolving complaints, complimenting and rewarding employees for good work and reining in bullying bosses.

Multiple layers of defense
Organizations often make the mistake of thinking a single element of defense – such as background checks – is enough to protect them from insiders. But defenses are often less effective than they seem. Years ago, for example, Roger Johnston and his colleagues in the Vulnerability Assessment Team at Los Alamos National Laboratory tested over 100 types of widely used tamper-indicating seals. They found that all of them could be defeated with equipment from any hardware store, with average defeat times of less than five minutes.

Hence, organizations need a comprehensive approach to protecting against insiders, from ensuring that no one can access the protected items without being monitored to building a vigilant, questioning culture. Nuclear facilities, for example, should keep material that could be used in a nuclear bomb in a locked vault to which few have access, constantly monitor the vault, ensure that no one is ever in the vault alone and, where practical, keep the material in forms too big and heavy for one person to carry and hide.

Monitoring people, information and physical spaces can be critical. After an insider destroyed a nuclear reactor’s turbine in Belgium in 2014, for example, the country established new rules ensuring no one could ever be alone and unwatched in key reactor areas.

Testing and constantly looking for vulnerabilities are also key. Johnston’s effort is only one example of an essential approach: assigning intelligent teams to look for ways to defeat security systems, identifying weaknesses and helping to fix them.

Building a strong security culture in the organization – in which all employees take security seriously and are constantly on the lookout for vulnerabilities to be addressed or concerning behavior the organization should know about – is fundamental. The Fort Hood massacre can be blamed, in part, on a breakdown of security culture. Despite clear danger signs in erratic behavior and radical statements, none of Nidal Hasan’s commanders wanted to cope with the hassle of disciplining him.

Fixing these systemic problems takes focused leadership from the top of the organization, incentives for strong security performance and a broad understanding of both the threat and the relevance of security measures to deal with it throughout the organization. Capable leadership will make organizations more successful and more secure.

In our high-tech society, the insider threat is ever-present. High-security organizations, governments and companies alike need to take action to counter the organizational and cognitive biases that often blind us to the insider danger – or future blunders will condemn us to more disasters.

Matthew Bunn is Professor of Practice, John F. Kennedy School of Government, Harvard University. Scott D. Sagan is Professor of Political Science, Stanford University. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).