Malicious insiders often don’t get caught because of stovepiped security monitoring systems, according to Lou Bladel, the former FBI agent who led the investigations into Edward Snowden and former CIA Director David Petraeus.
Bladel told MeriTalk that many government and private sector organizations have good detection and monitoring tools, but that those tools rarely talk to each other, resulting in an incomplete picture of the organization’s insider threats.
“The problem is, they’re generally stovepiped,” or segmented, said Bladel, adding that combining HR data with downloading trends and online behavior will lead to a more accurate understanding of an employee’s state of mind. “You would get a whole picture of somebody losing faith in the firm.”
Bladel added that malicious insiders can take advantage of this stovepiped system by explaining away individual discrepancies without having to address the larger trend of their behavior. For example, Bladel said that former NSA insider Edward Snowden was actually caught twice taking data without authorization, but was able to talk his way out of both instances because nobody connected the two.
Employees should also have an outlet for reporting suspicious behavior, according to Bladel, as his FBI investigations uncovered many government employees who noticed something off before an incident but didn’t say anything because they didn’t think it was their place.
Bladel, who currently works as executive director of Fraud Investigation and Dispute Services at Ernst & Young, said that an important part of his job is to “make people aware that their systems aren’t speaking to each other.” He added that most organizations only set up the necessary security protocols after there is an issue, and not before.
However, Bladel was adamant that employee monitoring systems should not be set up in secrecy and should instead maintain communication with employees.
“I think the best way to start is with transparency,” said Bladel, explaining that organizations should let people in sensitive roles know that they will be monitored and explain why it’s important to do so. “If you were to do it covertly, I think that would be one of the biggest mistakes you could make, because you lose the faith of your employees.”
To maintain privacy, Bladel also uses a system that assigns numbers to the data, rather than names.
“I don’t like the word ‘monitoring,’ ” said Bladel, explaining that the word comes across as very Orwellian and that he prefers to think of insider threat programs as an “internal firewall.”
Bladel said that he thinks government has a leg up in the insider threat arena, because of data classification and security clearance protocols, but that security systems and agencies still do not communicate with each other enough.
“I think it’s much larger than people realize,” said Bladel, adding that people are starting to pay more and more attention to it. “I think it’s a developing problem.”