Kristen Hardy is the lead investigator at Rockwell Automation, Milwaukee, for all cases related to insider threat.
What is insider threat?
An insider threat (or insider risk, as we call it) is formally defined as “a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (www.cert.org/insider-threat/).
There are three primary areas of focus with regard to insider threat: 1) fraud; 2) sabotage – the intent to cause harm; and 3) theft of intellectual property. Thus, in plain terms, the area of insider threat largely deals with threats or risks to a company, organization, or law firm from an internal standpoint, delving into areas such as information security, privacy law, employment law, and information technology, to name just a few.
Why is insider threat such a growing area of concern?
Mainly because of the great risks these threats pose to companies and law firms. Practically every day there is a story in the media about insider threats – from hackers, to the theft of intellectual property. While these threats are generally not tantamount to the fallout of Edward Snowden (who, by the way, is a classic example of an insider), there is no doubt that these threats are becoming a growing area of concern.
Companies are, or should be, concerned about competitors obtaining their “secret sauce”; the government is worried about data exfiltration of classified information and economic espionage; and law firms, especially, are worried about protecting client information as much as possible.
Recognizing the need from a government standpoint to protect classified information on computer networks, President Barack Obama signed Executive Order 13587 in 2011. One of the order’s key components is that the heads of agencies operating classified computer networks must implement an insider-threat detection and prevention program. Although the private sector has not been mandated to start these types of programs, many companies and organizations have proactively followed suit – and rightfully so, considering the enormous risk of data exfiltrated and future cost or loss to the business. In fact, I recently learned that the government is going to mandate formal insider-threat programs for all cleared defense contractors in the very near future. It’s clear everyone is now taking notice of the seriousness of these types of threats.
Most recent position: Investigative Lead, Insider Risk Program, Rockwell Automation
Law school: Marquette University Law School 2014
What are some examples of insider threats?
A good example was publicized in the Milwaukee Journal Sentinel in 2014. In that case, a Chinese engineer at a GE Healthcare subsidiary in Waukesha was caught and charged with stealing trade secrets and confidential information. Using his access and know-how as an engineer, the employee began stealing source code and other technical documents, then sent them to China via USB drives for approximately 18 months before being caught. He intended to use the confidential and proprietary information at a new company in China, which he had plans to join, following his resignation at the GE Healthcare subsidiary.
Something to be aware of is the breadth of the term “insider.” Anyone who possesses access to your organization’s sensitive data or systems and aims to maliciously wreak havoc with that access, in some manner, is an insider. Thus, an outside hacker who gains access to your data or systems is considered an insider. Employees, contractors, and interns all fall under the term insider, depending on their level of access, but notwithstanding their actual role in your company or firm. For instance, the cleaning crew who stumbles across confidential information on a partner’s desk, then uses it maliciously is an example of an insider. Another example is a lawyer who, hoping to jumpstart success when starting his or her own firm, copies client or other firm-specific information before tendering resignation.
Insider threat encompasses fraud, sabotage, and theft of intellectual property. In your opinion, which of the three poses the biggest threat?
I think it all depends on your firm or company and what it is most concerned about. If your business only sells firewood, for example, you may not have any trade secrets to protect and thus, IP theft may not be an issue for you. So it all depends on what your business does and what you want to protect. I think sabotage, which is the intent to cause harm, is the most serious of the three, mainly because of the level of sophistication that goes into committing it, the type of people that generally come to commit it, and its dangerous effects.
When it comes to which insider threats I see most publicized in the media, I would say it’s a tie between sabotage and the theft of intellectual property. Both have serious consequences – the theft of IP can take away a company’s competitive advantage, while sabotage can impact operations, or even lives in certain companies. I think these types of insider threats get so much publicity because the cases are often litigious or the facts surrounding them are “sexy,” rather than one of the three posing more of a threat than the others.
At Rockwell Automation, insider fraud typically falls under the scope of the internal audit team, and so it is not addressed directly by our program, except to assist in technical investigations when requested. However, fraud can definitely be a major concern for any business.
What is the effect of the threat on companies, and especially law firms?
The effects can range from something as simple as being inconvenienced for a couple of hours while your systems reboot, to something more drastic, such as the threat of costing your company millions of dollars or even worse, its reputation. There have been numerous cases across the country with varying degrees of effects – an angry technical employee entering malicious code into a company’s system, causing chaos to ensue; an employee stealing personally identifiable information from an entire company; someone leaking client information and tainting potential litigation; a group of lawyers colluding to start their own firm and steal data from their current firm by setting up Dropbox to automatically synch client files from the law firm’s servers. The lawyers in the last example not only stole client information, but also changed client data, syncing the invalid data back to the law firm’s servers after they left, ruining the integrity of the firm’s data.
What can companies and law firms do about insider threats?
First, if you are a company that produces and values confidential or proprietary information, you should ensure your employees are signing acceptable-use-of-technology policies, IP agreements, and nondisclosure agreements, as you see fit.
Another big piece to consider is simply educating your employees, customers, and contractors on what insider threats are and reminding them of their responsibility to keep data private and safe. In fact, representatives from Rockwell Automation have given continuing legal education (CLE) programs at law firms to educate lawyers about the severity of these threats.
Finally, many companies have begun implementing insider threat programs in house. Rockwell Automation has been one of the companies at the forefront of taking insider threats seriously, going so far as creating a dedicated program to address these types of threats.
What is your role as it relates to this emerging field?
As the investigative lead at Rockwell Automation, my role is three-fold: I am the case manager for all cases related to insider threat, globally; I assist with creating processes and procedures with relation to the program; and finally, and arguably most importantly, I am the investigator for all cases that are potentially related to insider threat. In this role, I interact daily with employees, managers, and human relations, legal, and information technology personnel to get to the bottom of cases, and to ensure our intellectual property and systems are protected. I also regularly give presentations regarding insider threat, as well as company-specific programs, both internally and externally. My hope is that every organization takes heed of how important it is to protect their sensitive data.
How did you come into this role? What are the qualifications needed?
After graduating from law school, I took a position as an intern in Rockwell Automation’s Insider Risk Program. The position called for an attorney, and was an attractive opportunity, given my research on the theft of trade secrets and economic espionage during my tenure on the Marquette Intellectual Property Law Review. The investigative lead position was created, which called for a keen attention to detail, and strong writing, communication, and analytical skills, among other characteristics. These qualities, coupled with a desire to “right wrongs,” so to speak, are integral to a role like this. I received my Insider Threat Program Manager certification from Carnegie Mellon University in 2014, which furthered my education in this specific realm, and I regularly attend CLE programs, workshops, and other courses related to investigations.
What is one of the most challenging aspects of your work?
Trying to strike a balance between being proactive and reactive. I want to be as proactive as possible without coming off as overly paranoid. But at the same time, the nature of this work requires a level of caution and skepticism, which I think most lawyers can relate to, regardless of their area of expertise.
What do you do in your spare time to unwind?
When I’m not trying out a new recipe or curling up with a good book, I am working on my passion project, which is an organization called Brunch of Professionals. One of my law school classmates and I formed the organization about a year ago, and we host monthly brunches geared toward professional women at various restaurants in Milwaukee.
The organization’s core purpose is to build all of our professional networks by discussing topics related to career development and personal wellness. By building these bonds, we help each other flourish personally and professionally. The brunches attract women from all industries, from entrepreneurs to engineers, and at times even professional men at certain events.
Thanks to a generous food donation from Movida and volunteers, we were able to host a brunch for the women at the Milwaukee Rescue Mission around Thanksgiving, which was one of my favorite brunches to date. I truly enjoy regularly interacting with such tenacious and ambitious women. Not to mention sampling delicious food from different restaurants every month.