
Agencies are sharpening their focus on insider risk, and the message from industry partners is clear: Move earlier in the lifecycle and make prevention the goal.
The Department of Defense (DOD) – which the Trump administration has rebranded as the Department of War – and the broader federal enterprise are confronting a risk landscape in which traditional monitoring and after-the-fact detection aren’t enough to deter theft of intellectual property, fraud, inadvertent or intentional disclosure of sensitive information, threats of harm, or other insider threats.
“We have to start finding technical solutions to bring these rich amounts of information together for a clear picture. We need people, absolutely, but we need technical solutions, and we must leverage technology to get ahead of the threat,” said Andrew Lochli, assistant director for counterintelligence and insider threat at the Defense Counterintelligence and Security Agency. He spoke at the agency’s Conference for Insider Threat last year, which drew more than 2,600 participants.
“By integrating insider threat analytics with cyber monitoring and enterprise data, we are enhancing our ability to detect, deter, and mitigate insider threats,” Lochli added.
In a recent discussion with General Dynamics Information Technology (GDIT) and Everfox, experts explored insider threats and emphasized that they go beyond cyber; they are a lifecycle issue – beginning with hiring and onboarding, continuing through employment, and extending into offboarding and beyond.
A new joint solution
This year, systems integrator GDIT and cybersecurity solutions provider Everfox announced a collaboration to deliver an insider-threat solution that operationalizes the Critical Pathway to Insider Risk® (CPIR) framework using linguistic analysis and scalable algorithms. The solution seeks to help organizations identify early signs of employee dissatisfaction and other risk factors before they escalate.
The CPIR framework is a widely used model for integrating predisposing personal factors, external stressors, concerning behaviors, and the impact of organizational responses into an index of insider risk. GDIT and Everfox say they have operationalized this science-backed structure at scale – helping agencies and organizations shift from reactive to proactive postures.
“Our psycholinguistic analysis capabilities help … organizations identify through authored communications the potential that someone is disgruntled,” Dan Velez, senior advisor for insider risk at Everfox, said. Jon Besko, a program director, insider threat at GDIT, underscored the importance of the data stream: “Authored communications [are] probably the most valuable … whether that’s emails, chats, even social media posts or things that someone might be writing in a Word document on their desktop.”
What agencies should watch
While agencies have access to tools such as the Cybersecurity and Infrastructure Security Agency (CISA)’s Insider Threat Mitigation Program Evaluation and related frameworks, leaders need concrete behavioral and operational signals they can act on. The GDIT–Everfox discussion highlighted where agencies should focus their attention. The challenge isn’t adding more controls but recognizing the signals that matter. Three areas stand out:
1) Treat insider risk as a human-centric mission, not just a cyber problem. Even when activity manifests on networks, “it really goes back to that human behind the keyboard,” Besko said. Programs should align human resources (HR), security, legal, and IT across the employee lifecycle, measure how controls such as background checks map to CPIR stages, and educate HR organizations, supervisors, and other leadership about how to respond to potential threats.
2) Prioritize analysis of authored communications. Linguistics-driven analytics can triage high-volume email, chat, and other text-based communications and push alerts to analysts. Artificial intelligence-powered analysis enables organizations to analyze massive amounts of data at speed and scale.
3) Link automation to analyst action. Tips about risky behavior are useless if no one acts on them. Mature programs connect proactive signals to case management and response playbooks so analysts can focus on prevention.
Beyond data loss: employee wellness and program culture
Insider threat programs aren’t just about data exfiltration or sabotage. Since the COVID-19 pandemic, many programs report paying more attention to employee wellness and threats of harm to self or others. “It’s not just about… taking the badge off of someone’s chest,” Velez said. “Ideally, what we’re trying to do is get that person the resources that they require and get them back into the seat.”
These programs look for signs that employees may be under strain or facing mental stressors, including potential indicators of suicidal ideation, and work to connect them with resources and support. While the term “insider threat” often has a negative association, experts emphasized that the real goal is to protect the workforce.
The bottom line
Ultimately, insider risk programs are evolving from data loss prevention-centric monitoring to AI-assisted, analyst-led prevention. In the words of GDIT’s Besko, agencies want to get “left of boom,” flagging concerning behaviors sooner to avoid “a really big data leak or espionage investigation.”