The insider threat has long posed a risk to organizations, regardless of the industry. Essentially any field in which sensitive data or intellectual property changes hands is ripe for attack.

Not to be overlooked, the food and agriculture sector has its own crown jewels; critical assets that companies are required by law to protect, not to mention food industrial control systems that if disrupted, could have a dramatic effect on the nation's agricultural supply chain.

To address these shortcomings in the industry and more importantly, reduce trade secret theft, the U.S. government this week issued best practices around mitigating insider risks.

While published by two entities, the National Counterintelligence and Security Center (NCSC) and the Department of Defense’s Center for Development of Security Excellence (CDSE) published the document, both groups solicited opinions from other groups including the Food Defense Consortium and the Food and Drug Administration.

Not all of the information in the document is relative to infosec; there's instructions around food adulteration and active shooter incidents, both which can be perpetrated be insiders as well, but there's some helpful advice here on building the foundational blocks of an insider risk management program.

"Trusted insiders, both witting and unwitting, can cause grave harm to your organization's facilities; resources including raw materials, finished products, and information; brand, reputation, and personnel,” the guide reads. “Insider incidents account for billions of dollars annually in actual and potential damages related to food safety, food defense, tampering, terrorism, trade secret theft, fraud, sabotage, damage to an organization’s reputation, acts of workplace violence, and more.

If organizations in the food and agriculture field haven't developed and deployed an insider risk management program, they're encouraged to review the guidance for instructions.

For instance, there's guidance on how to build your insider risk mitigation program leadership team, how to make sure they're all trained properly, and how to ensure they all follow the same rules. For what it's worth, NCSC and CDSE recommends rolling out a team consisting of a wide variety of viewpoints: Legal Counsel, Security, Cybersecurity, Mental Health and Behavioral Science, and even Human Resources or Human Capital experts.

Naturally, as in any field, organizations need to take the time to identify their critical assets – what are they? Who has access to them? Can we prioritize them? – before going on to identify high-risk users that interact with them. This is the first step that NCSC and CDSE recommend in its risk management process - a circular method of collecting and evaluating your organization’s data.

The guide also provides case studies, including several on intellectual property theft in the food sector: a story about a chemical engineer who conspired to take proprietary data on how to create the white color in cookie cream and automotive paint and another on six individuals who were arrested after attempting to steal genetically modified corn seeds.

The report also directs stakeholders, if they're not already aware, to training materials from CDSE and the Department of Homeland Security's CISA, along with the National Institute of Standards and Technology’s (NIST) risk assessment framework. There are further food and agriculture-specific resources the guidance points organizations to as well, including the DHS’ Food and Agriculture Sector-Specific Plan and the FDA's Food Safety Modernization Act rule on Mitigation Strategies to Protect Food Against Intentional Adulteration.