Outside Of The Box – by Karl Wabst

According to a post on Banking Information Security Blogs, companies should be paying more attention to insider threat. Many corporate cultures promote the view that threats come from outside. See the blog post: Insider Threats and Cyber Vigilantes.

Changing this view, without turning the perceived mission of security departments into something akin to “secret police” forces can be difficult and potentially damage the trust relationship between security and the business groups they need to work with.

The insider threat has been with us since people started working in groups. Quotes like this may ring true, especially after the recent increase in hacks and various financial scandals that resulted in new legislation and compliance requirements.

“When it comes to cybersecurity threats, it’s not the unknown foe you should most fear; it’s the employee or executive who knows you and your organization best”.

The traditional view on insider threat is that it typically involves disgruntled employees that hack, steal and / or sell customer or corporate information for monetary gain.

The updated theory is that the economic downturn increased the number of disgruntled employees causing a heightened concern over insider threats.

“These are people on your workforce: ideological insiders that have access to your information, and they’re using it for a cause or to prove a point. … This is a whole counter-culture thing”.

If true, this new motivation to make a social, political or philosophical point may be stronger than the drive to hack, steal and cheat for monetary gain.

There are other possible explanations for the rise of insider fears, for example, bad termination processes during the downturn. When there is a higher percentage of workers being laid off or fired, there is a higher chance that access privileges are improperly or not terminated at all.

What happens when those terminated employees are in the security department? This may be an issue in the recent SONY hacks. According to news reports, SONY laid off a significant number of security staffers right before they were hacked. See: Suit Alleges Sony Laid Off Network Security Employees Just Before PSN Breach.

Another consideration is the increased rate of customer data collection and storage for use by Sales and Marketing, or for patient care. Again, higher collection rates for personal information increases the chance that inappropriate access may be granted or not rescinded.

Could the perceived uptick in insider threat be the result of sloppy HR termination or perhaps overly permissive business resource access processes that create opportunity for inappropriate access rather than the birth of a counter-culture? All of these examples are types of insider threat.

I propose that you need to explore the cause(s) in your particular environment and not jump to conclusions. The path a company chooses may greatly effect expenses for training and controls. If you place emphasis on the technical, your company might opt for content and access monitoring tools. If emphasis is placed on bad process, your company may need training for HR on terminations and data classification to make better access control decisions. Perhaps overworked employees are making bad decisions. There is research to indicate that Lack of Sleep Leads to Unethical Conduct.

What do you think? Are organizations witnessing the birth of a new counter-culture or perhaps the heightening of frustrations from a long, tough recession? Maybe you think insider threat is overblown and corporate borders should be the main concern?

I agree that there is, and has always been, potential for insider abuses. I also agree that more attention needs to be paid to internal processes, since both means and motivation exist, for whatever reason. In times of change, the difference may be the level of trust that employees feel toward the organization. For more, check out Dealing with the Ghosts of Change Management.

Firms with higher failure rates of change initiatives are likely to experience higher rates of employee mistrust, attrition and likely hacking. This would be in line with findings by many change leaders and not necessarily indicate the rise of a counter culture.

If you stop and think about the number of social media channels available to employees, disgruntled or not, investors, activists and just plain folks it seems to me that there would be an accompanying surge in the  number of attacks through other channels if the counter-culture argument was correct. This is not to discount the rising tide of frustration caused by the economy, layoffs and world-wide unrest.

Monitoring mentions of your company in blogs, Twitter, searches and other channels would be wise to raise awareness of your company’s reputation among customers and other constituencies. Internal monitoring may bring threats to light, but pay attention to the privacy laws in each jurisdiction, especially when monitoring groups in the EU.

Trust plays an important role in maintaining employee, investor and customer loyalty. Manage changes in a way that empowers others to be part of the process. Communicate frequently to avoid alienating parties and never stop looking for ways to lead change rather than manage the status quo.

Today’s status quo is tomorrows failure.