incident response strategy

What We Learned From the 2017 National Insider Threat Symposium and Expo

The 2017 National Insider Threat Symposium and Expo, hosted by the National Insider Threat Special Interest Group (NITSIG), put the spotlight on insider threat detection, behavior patterns, program development, law enforcement, legal ramifications, and future challenges. The one-day event consisted of speakers from a mix of backgrounds, including insider threat risk mitigation experts, private sector business professionals, and U.S. government and defense contract thought leaders.

While the symposium offered a glimpse into the capabilities of several powerful insider threat monitoring tools, the speakers emphasized that the tools alone won’t magically solve the problem. Insider threat is a human problem; therefore, insider threat requires a human solution. Dr. Robert Gallagher, NITSIG Board Member, explained, “Tools are valuable to test behaviors but you need humans to assess those behaviors.”

Here are four other takeaways from the expo that stood out to me.

Information Isn’t Valuable to Millennials Unless It’s Shareable

Dr. Gallagher also discussed the role millennials play in sharing insider information. Millennials interpret the value of information differently than other generations. They believe that information is a right to all and there is no distinction between public and private information.

Millennials also believe that the real value of information comes in the form of external validation through likes and shares from their peers and friends. They want to be seen, want to be heard, and that presents opportunities for threat actors to spy on the information they send out.

Insiders Covet Trade Secrets and Intellectual Property

Insider threat usually brings about an image of someone stealing classified information, which is where companies have historically focused their threat detection efforts. Of all the information that gets exchanged, attendees were encouraged to think about trade secrets and intellectual property as being the most coveted prized, along with any other international communication that is sensitive in nature.

Charles Phalen Jr., Director of NBIB, made an important distinction: everyone needs to be treated as a possible insider, not just the folks with security clearance. You need to look at your entire workforce population.

When it comes to insider information sources, the dark web is clearly a preferred avenue. But open web sources like LinkedIn are also viable information hubs for threat actors to gain insight and access. For example, criminal organizations can directly scout, target, and ultimately train insiders who fit their ideal candidate profiles. LinkedIn also provides a real-time window into employee behaviors – the good, the bad, and the ugly.

The Use of the Word “Report” Can Be Explosive

While the importance of reporting to identify trends and validate threats remained a point of emphasis, all of the speakers agreed that the word “report” can be an unexpected deterrent. As Doug Thomas, Lockheed Director of Counterintelligence Operations and Corporate Investigations, stated, “’report’ can imply snitching.”

Instead, employees are encouraged to stay “engaged” and continuously observe and communicate any suspicious or abnormal behavior. Thomas also made an interesting point that employees will feel more comfortable with insider threat monitoring tools and processes if they know who is being watched – including the watchers (analysts) themselves.

All in all, an effective communication plan is an essential piece to any insider threat program to keep all levels of employees engaged from the top down, and to mitigate risks.

Not Everyone Who Claims to Be an Insider is an Insider

This was one of the most interesting statements made through all the presentations. There are plenty of rogue insiders out there. Organizations need to check individual backgrounds, look at the reputation of these actors, and apply source veracity to validate the information that comes across. According to, Tom Hoffman, Vice President of Intelligence at Flashpoint, 80% of claimants in these communities “talk a good game” but don’t have the access to be a legitimate insider.

On the flip side, the person claiming the insider might be the actual insider. There are all kinds of possibilities. Insider threat analysts and chief security officers (CSOs) need to constantly check their sources before making any decisions. Phalen articulated that focusing on position descriptions as a determinate of risk is not effective in thwarting insider threats. Focusing on behaviors regardless of position is the best way.


The NITSIG Insider Threat Symposium and Expo confirmed that the issue of insider threats is an evolving challenge that requires continuous vigilance and education. You need to know your people – from the pre-employment screening process onward. Continuous training and assessments can help you stay on top of any new behavior changes or potential factors that could lead to insider threat development.

Learn more about our insider threat training course, and download our insider threat eGuide, “10 Steps for Establishing an Effective Insider Threat Program,” to keep your organization protected.