First, what is an insider threat? According to the Transportation Security Administration’s (TSA) 2018 Report of the Aviation Security Advisory Committee on Insider Threats at Airports, “The term insider threat refers to individuals with privileged access to sensitive areas and/or information, who intentionally or unwittingly misuse or allow others to misuse this access to exploit vulnerabilities in an effort to compromise security, facilitate criminal activity, terrorism, or other illicit actions which inflict harm to people, an organization, the air transportation system or national security.”
With that definition in mind, let’s examine the components of insider threat and how you can protect your operation from them.
Peeling back the layers of insider threat
A good way to understand insider threat is to picture it as an onion with several layers. The outermost layer is made up of insiders who have planned their actions beforehand: the employee who downloads intellectual property with the intent to sell or give it to a competitor company, the employee who steals money or collaborates with an outside party to steal items of monetary worth, or an employee who is a secret member of a terrorist group and is working there to obtain inside security information that can be used for violent acts.
The second layer is the employee who impulsively turns into a threat. For example, an employee is fired and decides to take revenge on their now former employer by damaging property or installing a computer virus into their network. A disgruntled employee brings a weapon and turns the business into a scene of workplace violence.
Going a little deeper, the third layer is a little less obvious. This consists of employees or contractors who disregard or ignore a company’s security policy. Such persons may include:
- An employee letting another person piggyback (also known as ‘tagging along’) on their badge to access a secure location
- A manager sharing their password with an assistant
- A contractor failing to properly close a gate after performing maintenance
- A technician leaving a company laptop in their vehicle instead of keeping it with them
- A mechanic assuming a stranger near an aircraft is authorized to be there
Below that is the fourth layer. This includes employees who don’t realize their innocent acts pose a risk to their company. For example, an employee takes a selfie inside their office and posts it on social media. Not a big deal, right? However, say that selfie shows an open financial report sitting on the desk or the employee’s identification badge – now that’s a security breach! Another example includes having confidential conversations in public areas like restaurants or taxis. It’s never safe to assume the people around you aren’t eavesdropping on your conversations, so keep confidential conversations for when you’re in a safe space.
Employees, contractors and others with inside knowledge, can be duped by the actions of others outside the company and this is our fifth layer. These employees may be the victims of elicitation. The FBI defines elicitation as “a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought.” This could take place in an online chat, email, phone call or even in a person-to-person conversation where an employee innocently reveals sensitive information without ever knowing it.
Aviation Security International states at-risk employees can become insider threats and this is our sixth or innermost layer. These individuals suffer from addiction, mental illness or depression, and are vulnerable to efforts made by outside parties or to their own inner demons. They have no intent to cause harm, but they do.
Examples of recent aviation-related insider threats
Consider the following real examples of insider threats within aviation:
- Heathrow Airport in London found itself a victim of a data breach after someone found a memory stick containing sensitive information from the airport’s network. CSO, an Australian publication, states the memory stick was lost by an airport employee who had downloaded the information but failed to secure it. As a result, the airport was fined by the Information Commissioner’s Office for £120,000 in October 2018.
- In August 2018, Richard Russell, a ground service agent at Horizon Air in Seattle, Washington, who had been employed there for over three years, turned one of the company’s passenger aircraft around with a tractor. According to The Washington Post, he then got into the cockpit of the aircraft, turned on the engines, taxied the aircraft to one of the runways at Seattle-Tacoma International Airport (Sea-Tac) and performed a successful takeoff. The theft resulted in a fatal crash on a small island nearby. The Seattle Times reports that while all protocols at Sea-Tac were followed, the incident has already generated federal discussions on aviation security.
- In July 2018, the U.S. Department of Justice stated a former Delta Air Lines baggage handler in Georgia was sentenced to 30 months in prison for bypassing airport security and smuggling a total of 135 firearms onto various aircraft. The handler used the aircraft as a way to transport the guns to New York where they were sold illegally on the street.
Protecting your company and assets
Businesses have several tools available to them, which can mitigate their risk of becoming a victim. These include the following:
- Installing internal monitoring systems like keystroke logging or video surveillance.
- Training employees: Educating employees on insider threat is one of the best ways for companies to protect themselves. The training should cover the company’s security protocols, types of insider threats, what information about the company should remain private and what to do if they see something suspicious.
- Vetting employees, contractors and others: Background checks provide companies with an inside look at those who work for them and can identify potential issues.
- Establish security protocols: Regardless of the size of the company, it is important to establish guidelines and rules regarding access controls, handling sensitive data and who has access to that information, the storage of that information and other security measures.
- Post signage and visual materials: Once security protocols are established, companies are able to reinforce and remind employees of the security protocols through signage and visual materials.
- Provide employees with resources that encourage mental wellness and information on where to seek help from appropriate networks and agencies.
- Develop and establish enforcement protocols: It is important for everyone at a company to follow security protocols. If employees and vendors see that not everyone is complying, security protocols become difficult, if not impossible, to enforce.
Insider threat cannot be completely eradicated, but companies who do everything possible to protect themselves are less likely to become victims.