Why every university needs an insider threat program

Insider threat. The words conjure up images of a secretive employee loitering at a business after closing time, hoping to catch the right moment to get a peek at confidential information.

Incidents under the umbrella of insider threats — in which employees use their legitimate access to intentionally or unintentionally do harm to the organization — can fall into a number of different categories, ranging from national security espionage to theft of intellectual property to privacy violations.

And insider threats aren’t just an analog issue — in 2018, 25 percent of cyberattacks were caused by insiders.

For higher education institutions that collect data ranging from personal information to highly sensitive research information, data leaks caused by insider threat can result in economic loss and irreparable harm to an institution’s reputation. Despite the peril posed by insiders, most higher education institutions don’t have insider threat programs — but they should!

To combat the insider threat, colleges and universities must understand the need for an insider threat program, be watchful for indicators of insider threat, and build a formal insider threat program.

Are universities responsible for national security?

Colleges and universities can be treasure troves of information. Some of this data can include cutting-edge research and intellectual property belonging to the institution, its faculty, and its researchers. Research partnerships between institutions and the federal government can introduce security implications attached to that IP.

Many existing higher ed insider threat programs are motivated by a mandate to protect national security. More than 12,000 facilities, including laboratories and universities, are approved for access to classified information under the National Industrial Security Program. Universities cleared for access to such information hold a Facility Clearance, or FCL. The Department of Defense grants an FCL when researchers need access to classified information in connection with a government contract. Colleges and universities may hold an FCL if they are conducting research sponsored by the Department of Defense that requires faculty members or researchers to have access to classified data. Institutions with an FCL are required to implement insider threat programs to protect that classified data.

Adversaries use a number of different tactics to target this classified information. Higher ed institutions and their employees are a top target for foreign intelligence services that seek classified information about U.S. technologies for military or economic advantage. The collaborative nature of the academic community, education’s willingness to host foreign scholars, faculty autonomy, and the openness of many academic information technology networks all provide access points that a foreign intelligence operative could exploit.

That’s why foreign intelligence services are targeting U.S. higher education institutions and why universities need to be vigilant in understanding those contacts.

Kathie Sidner, the University of North Carolina’s director of defense and military partnerships, says insider threat programs ensure that trusted individuals don’t deliberately or accidentally compromise national security. Sidner works closely with UNC campuses, the U.S. Army Research Office and the defense industry on applied research projects.

“An insider threat program helps higher education institutions distinguish the legitimate contacts from the ones that may be suspicious,” Sidner said.

Building an insider threat program to protect national security

Cleared contractors, like colleges and universities with an FCL, are required to establish insider threat programs to help identify situations where an insider may put the security of the U.S. at risk.

The requirements for these insider threat programs are specified in the National Industrial Security Program Operating Manual. The NISPOM requires institutions to:

• Designate an insider threat program senior official to oversee the institution’s insider threat program
• Establish an insider threat program and identify insider threat program personnel to run the program
• Provide insider threat training for insider threat program personnel and for cleared employees
• Detect and mitigate the impact of insiders who pose a risk to classified information
• Monitor classified network activity
• Conduct self-inspections of the institution’s insider threat program

Failure to implement an insider threat program can lead to loss of an institution’s FCL, the college or university can be barred from bidding on federal contracts, and fines or lawsuits.

Detecting insider threats in higher education

As foreign intelligence services continue to target higher ed institutions and researchers, some possible indicators of insider threat that colleges and universities might look for include:

• Unreported or frequent foreign travel; attempts to conceal foreign travel
• Sudden unexplained wealth, sudden repayment of large debt or loan
• Repeated security violations, such as unauthorized downloads or copying of files, keeping classified information assets at home or any other unauthorized place, or discussing classified confidential research or related information in public
• Exhibiting disgruntled or agitated behavior

The insider threat is hard to detect, especially in higher education.

“Often, because of the open, publication-driven culture, people within the academic community may not fully grasp or appreciate the real threat of ‘insiders’ at universities,” Sidner says. “The idea of foreign intelligence services targeting university faculty and students just feels so abstract or far-removed from the campus setting.”

How to build your insider threat program

Insider threat programs can extend beyond protecting classified information. Higher ed institutions can build them to protect sensitive campus data, like research data or personally identifiable data, from compromise by an insider threat. To get started with building an insider threat program, higher education institutions can turn to the NISPOM for high level guidance on the most important program elements:

• Designating a campus official or officials to help run the program
• Creating processes and procedures to help detect and mitigate the impact of insiders who pose a risk to institutional data and resources;
• Providing training to campus employees to help them identify and report suspected insider threats

Institutions wanting to establish an insider threat program should start by forming an institutional working group. The group’s institutional members should have positions that give them the necessary expertise to help inform the design of the program, facilitate access to needed information during insider threat investigations, and provide ongoing guidance for program activities. These same leaders can also help the institution ensure that any administrative, legal, privacy, civil rights, and civil liberties issues are appropriately identified and addressed within the institution’s insider threat program.

While external threats often grab the headlines, insider threats can be just as harmful to an institution’s resources and reputation. Campus programs are a strong step forward that help identify and mitigate the higher education insider threat.

Joanna Lyn Grama is a senior consultant at Vantage Technology Consulting Group where she advises clients on information security policy, compliance, governance and data-privacy issues.