
Insider Threat Example: Engineer Leaks U.S. Military Secrets

There has been a lot of talk and blogging recently about whether or not there is a need for an information security industry/profession. Um sure, and there is no need for the physical security industry/profession either, is there?

As long as humans touch information in any way, electronically or physically, information security will be needed to provide them with policies, procedures, standards, guidance, training, ongoing awareness, and responding to and fixing the security messes and privacy breaches they cause.

Insiders are one of the significant threats to information security every organization with employees faces. I like to note the incidents that occur as a result of insiders. A recent example of this threat was reported today on CNN, "Engineer guilty of trying to leak U.S. military secrets."

As a synopsis: an engineer, Chi Mak, born in China but a naturalized U.S. citizen working for a defense contractor, Power Paragon of Anaheim, was found guilty of conspiring to export U.S. defense technology to China, including data on an electronic propulsion system that could make submarines virtually undetectable. He was also found guilty of being an unregistered foreign agent, of attempting to violate export control laws, and of making false statements to the FBI.

Some key statements from the story related to information security:

"Mak, 66, acknowledged during the trial that he copied classified documents and kept copies in his office. He maintained he didn't realize at the time that making the copies was illegal."

"Mak was arrested in 2005 in Los Angeles after FBI agents stopped his brother and sister-in-law as they boarded a flight to Hong Kong. Investigators said they found three encrypted CDs in their luggage containing sensitive military documents."

"Mak said he believed he was doing nothing wrong by giving the documents to his brother to take out of the country because they were papers that had been presented previously at international conferences."

Did Power Paragon have an information security area? Did they have information security policies, procedures, and training and awareness to ensure the employees knew what was and was not allowed with regard to handling information?

Much of Mak's defense was that he did not know he was not supposed to do the things he was found guilty of doing.

Employees who do bad things commonly claim ignorance. Having documented policies and procedures, together with a well-documented, executive-supported and effective awareness and training program, helps defeat this defense.

Several years ago, in one of the organizations I worked for, an employee fired for sending pornographic emails to a co-worker on the corporate system brought a suit for wrongful termination by claiming she did not know she couldn't do such activities and had never been told. The case did not even make it to court because of the preponderance of documented evidence disproving her claim: information security policies, a login banner stating that such activities are not allowed, training, numerous awareness messages, and her own signature indicating her understanding of the policies.

Power Paragon probably had a classification policy since they indicated the documents copied were "classified." Did they have supporting procedures for these policies? Did they communicate them, and the policy, to the employees with access to the documents? Did they have controls in place to help prevent these types of documents from being copied?

Did Power Paragon have a policy requiring classified information to be well controlled and not shared with anyone outside the company? Did they have a policy regarding the storage of such information on portable media, such as the CDs on which the sensitive information was found?

Were there policies about how sensitive information could and could not be used at conferences? Perhaps someone else in the company was doing something wrong by doing such presentations.

A comprehensive information security program is necessary to help quell the threat that the mistakes and maliciousness of insiders pose. Technology alone can never successfully address the threats involved.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.