Skip to main content

Request SaaS Deployment

Contact Sales


Key Features of an Insider Threat Protection Program for the Military


Insider threat protection is essential for government institutions — especially national defense organizations. As these organizations handle highly classified and sensitive information related to national security, military operations, and intelligence, they are particularly vulnerable to cyberattacks.

In this article, we reveal the main insider threats in the defense sector and how to spot them. We also give guidelines on building an effective military insider threat program. 

The importance of cybersecurity in the military

Defense organizations have complex systems and networks containing lots of sensitive data including state secrets and personal data of employees and service members.

These organizations must continuously enhance their cybersecurity to protect:

  • Government secrets
  • Communications and information systems
  • The personal information of employees and service members.

“Malicious cyber activity targeting the Department of Defense’s (DoD) Defense Industrial Base (DIB) can result in the unauthorized access and release of sensitive US Government data, proprietary information, and intellectual property, as well as the destruction of data, inability to conduct business, denial of services, and physical damage to property.”

Defense Industrial Base Cybersecurity Strategy 2024.

The military sector is vulnerable to both external attacks and internal attacks. However, threats that come from within are more difficult to detect and contain. For this reason, they may cause serious damage, compromising the personal information of citizens, government and military secrets, and more. 

To protect sensitive data, organizations should be aware of the main types of insider threats in the defense sector.

See Ekran System in action.

Find out how you can leverage Ekran System’s insider threat prevention capabilities.

Types of insider threats in military cybersecurity

Just like in any other industry, threats in the military often come from people within the organization, including former employees, service members, contractors, or anyone else with access to sensitive data.

There are five distinct types of insider threats in the military sector:

Insider threats un the military

  • Sabotage is the act of deliberately destroying, damaging, or obstructing the processes and systems of a defense organization. An insider may decide to engage in sabotage due to a negative work experience, to get revenge, or in response to a work-related conflict.
  • Theft in military cybersecurity usually involves stealing intellectual property (software, programs, tools) and sensitive data (government and military secrets, personal information of enlisted individuals and civilian personnel, etc.), typically with the intent to resell information to third parties or demand a ransom.
  • Fraud is the act of exploiting sensitive information for one’s own benefit. The two most common motives behind fraud are financial gain and intellectual property theft. Fraudulent activities in the military sector can have serious consequences, including financial losses and compromised national security.
  • Espionage refers to a number of practices that malicious actors use to obtain classified information. Foreign powers may engage in cyber spying to gain a strategic advantage by stealing military technology, revealing vulnerabilities, or intercepting strategic plans.
  • Negligent insiders are individuals who inadvertently cause serious damage to an organization’s cybersecurity. For example, employees may fall victim to phishing emails or messages, leading to the compromise of sensitive information. In addition, when negligent insiders use weak or easily guessable passwords, attackers can exploit this vulnerability to gain unauthorized systems access.

Insider threats within defense organizations can come in various forms, and all of them pose significant risks to sensitive information and operational integrity. Identifying signs of potential insider threats is crucial for detecting malicious activities.

Signs of potential insider threats

To detect potential insider threats, it’s essential to pay close attention to employee behavior since a combination of personal and workplace issues may provoke a person to perform a malicious action. Here are a few examples of warning signs in employee behavior:

  • Working irregular hours
  • Changing political or religious views
  • Showing interest in information extending the scope of duties
  • Copying data not related to work
  • Becoming more aggressive in communication with colleagues
  • Taking trips for unexplained reasons
  • Showing signs of disgruntlement
  • Extravagant spending
  • Breaking or trying to circumvent rules.

The reasons behind this behavior may vary. The US Army Cyber Command (ARCYBER) in their factsheet on insider threats highlights the key factors motivating employees to perform malicious actions:

  • Greed or financial need
  • Anger, revenge, or disgruntlement
  • Lack of recognition
  • Dissatisfaction with the job 
  • Disagreements within the team
  • Pending layoff
  • Ideology or identification
  • Divided loyalty
  • Adventure or thrill
  • Drug or alcohol abuse
  • Inflated ego
  • A desire to win the approval of someone who can benefit from insider information. 

The United States Department of Defense (DoD) asks its employees to remain vigilant and pay attention to changes in their colleagues’ behavior.  When an employee notices someone struggling, it’s essential to notify the appropriate security or insider threat program staff. These interventions not only prevent severe security incidents but also benefit the personal and professional lives of employees.

Data breaches in the military: examples and consequences

Although all military organizations have cybersecurity departments responsible for the continuous improvement of their security, data breaches can still happen.

Below, we take a look at some examples of the most significant data security breaches in the US Military.

The biggest data breaches concerning the US Military

The Edward Snowden case — American whistleblower Edward Snowden is responsible for one of the most significant leaks in US history. The motives behind this insider threat incident are still unclear. Although Snowden claims he leaked information to expose the real surveillance state, some sources still suspect him of espionage. 

In 2013, Snowden leaked highly classified information from the National Security Agency (NSA), revealing, the existence of the PRISM program, previously unknown details of a global surveillance apparatus run by the NSA, the NSA’s top-secret black budget, and the existence of the MonsterMind program.

The Reality Winner case — Former Air Force linguist and intelligence contractor Reality Winner was arrested in 2017 on suspicion of providing news website The Intercept with confidential information. Winner leaked a classified intelligence report about Russian interference in the 2016 US elections.

According to United States Attorney Bobby L. Christine, the leaked report contained sources and methods of intelligence gathering, and its disclosure “caused exceptionally grave damage to US national security.” In 2018, Winner was sentenced to five years and three months in prison as part of a plea deal.

The AutoClerk database leak — In 2019, 179 gigabytes of data were made accessible due to an unsecured cloud server run by a travel services company. Along with information about civilians’ trips, the travel details of large numbers of US government and military personnel were exposed.

The AutoClerk database leak is an example of how third-party contractors can become insider threats to defense organizations. The exposed data included sensitive personal information including names, birthdays, addresses, phone numbers, and travel details.

Cloud email leak — In February 2023, sensitive US military emails were inadvertently exposed on the Internet. Thousands of messages sent out by the Defense Intelligence Agency (DIA) spilled online due to a misconfigured US government cloud email server hosted on Microsoft’s cloud platform. The misconfiguration allowed users to access the emails without a password.

This email data spill impacted US Special Operations Command (USSOCOM) and DoD customers — SF-86 and other sensitive data was exposed. In this breach, humans played a key role since misconfigurations in the system resulted in a missing server password.

Discord leaks — Jack Teixeira, Massachusetts Air National Guard member, was indicted on six charges related to exposing government secrets on Discord. Teixeira initiated a massive data leak that exposed many US government secrets, including the prospects for Ukraine’s war with Russia, spying on allies, diplomatic fires for the White House, and the precariousness of Taiwan’s air defenses. Teixeira eventually accepted a 16-year prison sentence as part of a plea deal.  

Jack Teixeira’s disclosure of documents was unique in that he exposed highly classified intelligence documents only a few weeks after the information was provided to senior military brass. Teixeira posted information on a small Discord group. In February 2023, somebody spread the documents outside the group and exposed them to the public. 

The internal investigation found that a “lack of supervision” and a “culture of complacency” enabled Jack Teixeira to expose US military secrets. The Air Force disciplined 15 people for failing to restrict Jack Teixeira’s access to classified systems and facilities.

Each of these data breaches revealed weak points in defense cybersecurity that must be eliminated. A comprehensive insider threat program is essential for identifying, mitigating, and addressing these vulnerabilities effectively. Let’s examine the key DoD insider threat program features.

Explore the power of Ekran System!

Discover how Ekran System can help you manage insider threats.

A look at the DoD insider threat program

According to the US Department of Defense’s memorandum on Army Directive 2013-18 (Army Insider Threat Program), an insider threat protection program is an integrated departmental effort to manage the risks of employees or service members who may represent a threat to national security. 

The DoD insider threat program aims to secure critical resources and sensitive data, including the personal information of service members and their families, civilians, and military contractors. The main goals of the program are:

  • Ensuring the safety and security of military computer networks
  • Facilitating information sharing to recognize and counter insider threats
  • Evaluating employees’ security information
  • Educating personnel about insider threats and their reporting responsibilities
  • Gathering information to establish centralized analysis, reporting, and response capabilities.

Military organizations should put the details of their insider threat protection program in writing so that all employees can read it and understand which actions are allowed and which are not. The information security policies within the program should include best practices that show how to detect, respond to, prevent, and mitigate security incidents.

To ensure your insider threat program is effective, it’s essential to revise it regularly. It should always be updated after security incidents, modifications to your IT infrastructure, or the introduction of new policies.

The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs highlight the importance to “deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risks through administrative, investigative or other response actions”. The document also points to five minimum standards that an insider threat protection program should meet:

  • Gather, integrate, centrally analyze, and respond to critical threat-related information
  • Assign personnel to the insider threat program
  • Manage personnel access to classified information
  • Monitor employees’ use of networks
  • Provide personnel with insider threat awareness training

Now let’s take a look at the key steps for developing an insider threat protection program for the military.

5 key steps for developing an insider threat protection program for the military

1. Plan and research

Before creating a program, organizations need to carry out thorough research and planning.

First, military organizations have to map the laws and requirements they need to comply with, explore recommended programs, and conduct independent research and reviews of cybersecurity in the defense sector. It’s also vital to explore various documents related to insider threats within government and military organizations.

Here are a few essential documents to review during the planning and research stage:

The next step is to analyze cybersecurity incidents caused by insider threats and explore how similar situations could be avoided in the future.

2. Identify potential attack vectors

Although each organization must develop an insider threat protection program tailored to its specific needs, all insider threat programs have some things in common. For instance, every military security program should include information about employees that may pose a threat to the organization’s cybersecurity.

An insider attack is more likely to come from:

3. Establish rules to cover key threats

After identifying potential threats, military organizations should establish the relevant measures and procedures to minimize the risk of insider threats:

  • Conduct a thorough background check for each employee and contractor
  • Manage privileged user accounts 
  • Block all access for departing employees 
  • Remove all access for contractors on the last day of collaboration
  • Make sure new employees know and understand all cybersecurity rules before providing them with access to critical assets.

The DoD calls for additional security measures to be taken in the CIO Memo Compliance Confirmation [PDF]. According to the document, DoD CIOs need to:

  • Implement the principle of least privilege. System owners of data repositories must restrict access to classified data based on the need-to-know principle. System owners must also minimize the privileges for software products to execute.
  • Provide optimized audit capabilities. System owners must ensure auditing capabilities are activated on systems processing, storing, or transmitting classified information.
  • Ensure optimized user activity monitoring (UAM) capabilities. System owners must deploy UAM capabilities, triggers, and analysis on classified endpoints.

Moreover, the DoD is on a 2027 deadline to complete the shift to zero trust

To comply with these measures, cybersecurity departments will need to deploy effective insider threat management software.

4. Implement cybersecurity software

Monitoring and logging information about user access and actions is one of the best insider threat detection and prevention techniques. Insider threat detection software can provide security officers with the details of who accessed critical assets in the event of a security incident.

Navigating the abundance of military and government cybersecurity solutions available on the market can be overwhelming. The most important features to look for in cybersecurity software for the military are:

  • Monitoring and logging functionality to oversee user activity with sensitive assets
  • Robust authentication and authorization systems to secure critical data from unauthorized access
  • Access management capabilities to grant elevated privileges to sensitive resources only to employees who need them to perform their duties
  • Incident response capabilities to instantly notify security officers about security threats
  • Third-party monitoring functionality to track how vendors and contractors handle data.

5. Educate employees

Insider threat awareness among employees is crucial.

The Cybersecurity 2023 Legislation calls on government agencies to:

  • implement cybersecurity training
  • set up and follow formal security policies, standards, and practices
  • have incident response plans in place
  • report security incidents.

The more efforts are made to educate employees about cybersecurity rules, the less chance there is of unintentional data leaks. Moreover, trained employees are more attentive while handling data and can spot rule violations by their colleagues.

Educating employees usually consists of the following steps:

  • Ensuring that every employee is familiar with the policies within the insider threat protection program
  • Giving employees the opportunity to ask questions about anything that is unclear
  • Providing regular training for employees to inform them about new security measures and procedures
  • Testing employee knowledge through formal exams or practical challenges (for example, sending mock phishing emails and seeing how many employees click on them).

Take note that employee training and awareness is listed by the DoD as one of the 10 best practices for a resilient cybersecurity program. 

How can Ekran System protect the military from insider threats?

Ekran System is a comprehensive insider risk management platform that can help military organizations detect suspicious user behavior, prevent unauthorized access, and respond to potential threats coming from within. 

Ekran System functionality for mitigating insider threats

User activity monitoring

  • Real-time and recorded user sessions give you a clear view of user actions within your critical IT infrastructure. Sessions are recorded in screen capture format accompanied by informative metadata.
  • Search for the information you need by setting various parameters within the current session and across all recorded sessions. Export a fragment or an entire monitored user session in a protected forensic format for in-depth investigation.
  • Implement third-party vendor monitoring to oversee how contractors, partners, and other remote users with access to your critical endpoints handle sensitive data.

Privileged access management

  • Implement the principle of least privilege by granting users granular access to your critical endpoints. Limit the time for which access is granted and manually approve access requests. 
  • Add an additional layer of protection by verifying user identities with two-factor authentication. Identify users of shared accounts with secondary authentication.

Alerts and incident response 

  • Receive pre-defined alerts on abnormal user activity or configure custom alert rules to cover other potential insider threat scenarios.
  • Use Ekran System’s incident response functionality to prevent security incidents by sending warning messages, killing suspicious processes, or instantly blocking users.
  • Prevent theft of sensitive information by blocking unapproved USB devices.

Auditing and reporting

Case study

US-Based Defense Organization Enhances Insider Threat Protection with Ekran System


Creating and enhancing an insider threat protection program for military organizations is a complex task that requires thorough research, planning, analysis of security incidents, and education for personnel. In addition, organizations need to form the foundation of such a program by deploying dedicated insider threat protection software.

As an effective insider risk management platform, Ekran System offers a wide range of features to help military organizations secure sensitive information and mitigate insider threats. By leveraging Ekran System’s capabilities, military and defense organizations can enhance their cybersecurity posture, safeguard national security interests, and maintain the integrity of critical operations.

Ready to try Ekran System? Access the Demo now!

Clients from 70+ countries already use Ekran System.



See how Ekran System can enhance your data protection from insider risks.