Cybersecurity Isn't Just Technology: Don’t Overlook Insider Threats & Personnel Security
- Triumvirate Cyber

When people think about cybersecurity, they generally picture firewalls, encryption, and multi-factor authentication. They think about the technical controls we spend so much time implementing to meet CMMC requirements. Don't get us wrong: those controls are absolutely essential, but we need to talk more about how some of the most significant security breaches don't happen because of weak passwords or unpatched systems. They happen because of people.

Insider Threats & Cybersecurity
The impact of insider threats in cybersecurity is highlighted by a recent press release from the Department of Justice announcing that a former Google software engineer was convicted of economic espionage and theft of trade secrets after stealing over 2,000 pages of confidential AI technology and attempting to transfer it to companies in China. While this case isn't explicitly tied to defense, it's a perfect example of why personnel security and administrative controls matter just as much as your technical defenses.
The Google Case: What Happened
Between May 2022 and April 2023, Linwei Ding—a Google software engineer with legitimate access to highly sensitive AI trade secrets—systematically copied confidential information about Google's custom chip designs, supercomputing infrastructure, and AI training systems to his personal Google account.
While doing so, behind the scenes he was:
- Negotiating to become CTO of a China-based technology company
- Founding his own AI company in China (where he planned to serve as CEO)
- Applying for Chinese government "talent plans" designed to accelerate China's technological development
- Telling potential investors he could build an AI supercomputer by "copying and modifying Google's technology"
Less than two weeks before resigning from Google in December 2023, Ding downloaded the stolen trade secrets to his personal computer. A jury has since found him guilty on 14 counts related to economic espionage and theft of trade secrets, and he now faces up to 15 years in prison for each count of economic espionage.
Technical Controls Alone Weren't Enough
Google almost certainly had world-class technical security controls in place. They're Google. They have all the technical safeguards you'd expect from a company at the forefront of technology. Yet, an insider with legitimate access was able to exfiltrate massive amounts of sensitive data over the course of a year.
This is the insider threat problem in a nutshell: when someone is supposed to have access to sensitive information to do their job, technical controls can only do so much. You need to make sure they're only using that information in the way they're supposed to.
Enter: Personnel Security & Administrative Controls
This is where NIST SP 800-171 practice families like Personnel Security (PS) and Security Assessment (CA) come into play—the ones that often get less attention than the flashy technical controls. Let's look at what these "boring" administrative controls are designed to catch:
Personnel Screening (PS)
CMMC Level 2 requires screening individuals prior to granting access to organizational systems containing CUI. This includes background checks appropriate for the sensitivity of the information.
Real-world application: If Ding had been required to disclose his affiliation with Chinese companies or his application to government talent programs, that might have triggered a conversation. At minimum, someone should have been aware of potential conflicts of interest.
Insider Threat Awareness (AT)
Security awareness training under CMMC Level 2 specifically requires training on insider threats. Employees must be aware of indicators like unusual data access patterns, attempts to copy large amounts of information, or undisclosed foreign contacts.
Real-world application: Ding's behavior showed classic insider threat indicators: accessing information beyond what his role required, copying data to personal accounts, and doing so while establishing competing business interests. Training helps employees recognize and report these red flags.
Conflict of Interest Processes
While not a standalone CMMC practice, conflict of interest management falls under broader personnel security. Organizations need processes to identify when employees have outside business relationships that could compromise their loyalty or create incentive to use sensitive information illegitimately.
Real-world application: Ding was simultaneously employed by Google while serving as CEO of a competing AI company and negotiating CTO roles elsewhere. A robust conflict of interest disclosure process might have surfaced this immediately.
Data Access & Usage Monitoring (AU)
Technical controls work better when paired with administrative oversight. This includes monitoring system activity for unusual patterns and investigating anomalies, such as frequent access to personal accounts and conversion of files & data to alternative filetypes.
Real-world application: Uploading 2,000+ pages of confidential documents to a personal cloud account over several months should generate alerts, but someone has to be responsible for reviewing those alerts and taking action. Having audit logs shouldn’t just be for post-incident investigation; they should be used to drive responses in real-time.
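The following is an added illustration of the kind of review logic this section describes, written for this post rather than taken from it or from any vendor product. It runs a couple of simple indicator rules over constructed audit lines: a rolling-window count and byte total of uploads to destinations the organization classifies as personal storage, and a flag when the file name that lands at the destination has a different extension than the source (the "conversion to alternative filetypes" indicator above). The log format, the PERSONAL_DESTINATIONS set, the thresholds, and the user names are all assumptions made for the example.

```python
"""Toy insider-indicator detection over constructed audit log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

# Assumption: destinations the organization treats as personal / non-corporate storage.
PERSONAL_DESTINATIONS = {"personal-cloud.example", "webmail.example"}

# Constructed sample audit lines (not real data). Format: <timestamp> key=value ...
SAMPLE_LOG = """\
2023-03-01T09:12:00Z user=alice action=upload src=/proj/spec.docx dst=spec.docx dest=sharepoint.corp.example bytes=240000
2023-03-02T10:00:00Z user=bob action=upload src=/proj/chip_layout.pdf dst=chip_layout.pdf dest=personal-cloud.example bytes=900000
2023-03-05T11:30:00Z user=bob action=upload src=/proj/training_notes.docx dst=training_notes.txt dest=personal-cloud.example bytes=120000
2023-03-09T14:05:00Z user=bob action=upload src=/proj/cluster.pptx dst=cluster.pdf dest=personal-cloud.example bytes=3100000
2023-03-15T16:40:00Z user=bob action=upload src=/proj/arch.md dst=arch.md dest=personal-cloud.example bytes=50000
2023-03-20T08:20:00Z user=alice action=upload src=/proj/report.docx dst=report.docx dest=personal-cloud.example bytes=80000
2023-03-22T09:00:00Z user=bob action=upload src=/proj/tpu_design.docx dst=tpu_design.txt dest=personal-cloud.example bytes=400000
"""


def parse_line(line):
    """Parse one audit line into a dict with a timezone-aware timestamp and int byte count."""
    ts_text, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["bytes"] = int(event.get("bytes", "0"))
    return event


def detect_indicators(lines, window=timedelta(days=30),
                      max_personal_uploads=3, max_personal_bytes=2_000_000):
    """Return a list of alert dicts for uploads to personal destinations.

    Rules (thresholds are assumptions for the example):
      * filetype_conversion: destination file extension differs from the source.
      * personal_volume: within `window`, a user's uploads to personal destinations
        exceed `max_personal_uploads` in count or `max_personal_bytes` in size.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (timestamp, bytes) within the window

    for e in events:
        if e.get("action") != "upload" or e.get("dest") not in PERSONAL_DESTINATIONS:
            continue
        if PurePosixPath(e["src"]).suffix != PurePosixPath(e["dst"]).suffix:
            alerts.append({"user": e["user"], "indicator": "filetype_conversion", "ts": e["ts"]})

        q = recent[e["user"]]
        q.append((e["ts"], e["bytes"]))
        # Drop entries older than the rolling window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        total_bytes = sum(b for _, b in q)
        if len(q) > max_personal_uploads or total_bytes > max_personal_bytes:
            alerts.append({"user": e["user"], "indicator": "personal_volume", "ts": e["ts"]})
    return alerts


def summarize(lines, **kwargs):
    """Group indicator names by user so a reviewer sees one line per person."""
    by_user = defaultdict(list)
    for alert in detect_indicators(lines, **kwargs):
        by_user[alert["user"]].append(alert["indicator"])
    return dict(by_user)


if __name__ == "__main__":
    for user, indicators in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {', '.join(indicators)}")
```

In the constructed sample, alice's single small upload to a personal destination stays under every threshold and produces nothing, while bob trips both rules repeatedly over three weeks. The point of the example is the last step the post calls out: these alerts are only useful if a named person reviews them as they fire, so the summary is shaped for that reviewer rather than for a post-incident archive.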
How This Applies to Small Defense Contractors
You might be thinking: "We're not Google. We don't have AI trade secrets worth stealing. Does this really apply to us?"
Yes. Absolutely yes.
If you handle Controlled Unclassified Information (CUI), you have sensitive data that adversaries want. It might be technical drawings for defense systems, specifications for sensitive programs, or operational details about defense-related logistics. The scale is different, but the threat is the same.
In fact, insider threats are often easier to pull off at smaller organizations because you may have:
- Less formal HR processes for background checks
- No conflict-of-interest disclosure requirements
- Minimal oversight of who accesses what data
- Limited monitoring of unusual activity
CMMC Level 2's personnel security requirements exist precisely to close these gaps.
Administrative Controls Can Help Stop Insider Threats
When we're helping clients prepare for CMMC, there's always a tendency to focus on the technical challenges: setting up MFA, implementing network segmentation, configuring firewalls. Those are important, and they take real effort.
But don't sleep on the administrative controls. They're less exciting, but they're equally critical:
- Conduct background checks before granting access to CUI (appropriate to the risk level)
- Establish conflict-of-interest policies requiring employees to disclose outside business relationships
- Include insider threat awareness in your security training (not just generic phishing awareness and CUI handling)
- Monitor for unusual data access patterns and have someone responsible for investigating alerts
- Document personnel security procedures so everyone knows the process, not just one person who "handles HR stuff"
- Conduct meaningful exit interviews before an employee's last day, since they can flag risks from departing employees (e.g., they're leaving to become the CTO of a Chinese tech company)
- Require periodic re-screening for individuals with ongoing access to sensitive information
These aren't technically complex. You don't need expensive software or specialized IT skills to implement most of them. What you need is discipline, documentation, and consistency.
The Human Element Can't Be Ignored
The Google case is a reminder that cybersecurity is fundamentally a human problem. Yes, we need firewalls and encryption and access controls, but we also need to pay attention to who has access, why they have it, whether their interests are aligned with protecting our information, and what they're doing with that access.
As you work toward CMMC compliance (or as you maintain your certification) don't treat Personnel Security practices as checkbox exercises. They exist because insider threats are real, they're common, and they can be just as damaging as external attacks.
Your technical controls will only take you so far. The rest comes down to people, processes, and paying attention to warning signs before they become front-page news about trade secret theft.
About Triumvirate Cybersecurity
Triumvirate Cybersecurity is a CyberAB Registered Practitioner Organization specializing in CMMC compliance for small and mid-size defense contractors. Based in Dayton, Ohio, we help organizations implement both technical and administrative controls to protect CUI and achieve certification.
Need help implementing these controls at your organization? Reach out via our Contact page or directly via email (info@triumviratecyber.org) to discuss how you can build effective personnel security processes and administrative controls that fit your business—and technical controls too!
Responsible AI Usage Disclosure: An original draft of this post was created using generative AI tools based on our analysis of the referenced press release in the context of CMMC, then reviewed and edited by our team to ensure accuracy and suitability before publication.