header image

Insider Threat: A Very Human Affair

Giles Cockerill CBE 26 April 2021
26 April 2021    Giles Cockerill CBE

IN THE EYE OF THE STORM: INTELLIGENCE AND THE CHANGING ROLE OF THE GENERAL COUNSEL

Today's rapidly evolving risk landscape places more demand than ever on general counsel, who are often found in the ‘eye of the storm’ when their organisation faces a crisis.

Download Report

GILES COCKERILL CBE FIET FBCS sets out the workplace and behavioural indicators that drive people to become an insider threat to their organisation.

 

When it comes to cyber security, ‘insider threat’ is a challenge that most organisations find very uncomfortable addressing. Usually, organisations emphasise the importance of effective teamwork and employers strive to make staff feel valued, to foster engagement and boost morale. Even discussing ‘insider threats’ feels like a betrayal of those values, as it implies that you do not trust your staff, your colleagues, or your friends.


But it is vitally important in building a resilient and secure organisation to be able to discuss the issue. Why? Many of the most devastating security breaches in history have been initiated or assisted by those working within the breached organisations. Nobody is immune – not spy agencies, national banks, major global corporates, or your own organisation. 

Non-Malicious ‘Insider Threats’

A good way to introduce this topic in wider discussions may be to focus on the non-malicious aspects – the term ‘insider threat’ is widely applied to non-malicious activity by insiders who unintentionally do harm. That does not necessarily mean they are blameless. People under pressure often do things they know they should not: take risks, shortcuts, and workarounds, despite the best cyber security training. Usually they get away with it, sometimes they do not.

This is an important ‘litmus test’ of a company’s culture:

  • How does it respond to the threat?
  • Does it encourage people to report, as part of a genuine ‘no-blame’ culture, and help them to learn the lessons they need to (whilst moving urgently to repair the damage)?
  • Do staff trust their managers and their HR department?
  • Is it safe to be honest? Or do staff try to hide their error and leave the company exposed to the consequences of inaction?

More broadly, what is it about the culture of the company that drives people to take these risks in the first place?

  • Excessive delivery pressures
  • Dissatisfaction with compensation
  • Unworkable security policies
  • Poor IT
  • Bad management

These are all common factors that create the conditions where staff feel they have no option but to ignore their cyber security training. That is the company’s fault, but all too often staff are left feeling exposed and carry the can when things go wrong.

As a general counsel you are in an influential position within the company. It is not your responsibility to fix the IT or run the HR department – but you do have a position and a responsibility that enables you to hold up a mirror to the organisation and challenge bad practice.

There is a world of difference between a company that mandates unworkable cyber security policies and fires anyone caught breaking them, and a company that works with staff to implement workable cyber security policies, changing working practices where necessary to manage risk effectively. And as these include regulatory and legal compliance risks, you are very much a stakeholder in that.

 

Malicious ‘Insider Threats’

But what about the malicious insider, the member of staff who sets out to do harm to their employer and their colleagues? The first point is that few people join an organisation with the intention of becoming a malicious insider. In the great majority of cases, they evolve into a malicious insider over time, fundamentally because the way they are treated or rewarded is not aligned with their expectations or their perception of their self-worth. 

 

 

 

For the most part, malicious insiders are reacting against their employer in general or their line manager in particular:

  • Promises broken
  • Being bullied
  • Overlooked
  • Underpaid 
  • Discriminated against

These are all potent motivations for ‘lashing out’ or ‘getting even’ – in short: toxic cultures breed toxic staff.

That said, some individuals are completely unreasonable. They have inflated views of their own worth or believe promises were made that were not, and no fair and reasonable employer will be able to satisfy them. Fortunately, most take themselves off to another job and the cycle starts again, but some decide to take ‘revenge’ first.

From the employer’s point of view, defending the organisation against malicious insiders is very difficult – especially if the insider is savvy enough to link up online with criminals or others intent on hacking their employer.

An insider with access within the company’s perimeter defences, working collaboratively with a sophisticated hacker outside the company, is a nightmare scenario, especially if the insider has legitimate access to the core of the company’s IT systems or its most sensitive data.

There are many technical tools that can help; it is vital for an organisation to be able to monitor its internal networks and devices as much as its perimeter, and this should be a standard part of the organisation’s cyber security strategy. Is it in your company?

Use Your ‘People Compass’ to get on the Front Foot

By the time those tools spot something, the company already has a major problem on its hands. Preventing, or at least spotting, the problem much earlier in its development is the best approach, and that is fundamentally a people issue not a technical issue.

It is about good management practice and skilled managers; a healthy and balanced corporate culture; effective HR policies and practices; being alert without being suspicious; being trusting without being naive. Everyone has a part to play, from the board to the shop floor, from line managers to HR. And getting this right should be in the wider commercial interests of all successful organisations, so this should not be a difficult conversation to have internally if it is approached from a positive rather than a negative perspective.

 

What should people be looking out for?

  • Classic signs of stress and disengagement from colleagues and from the organisation as a whole
  • A change in behaviour, temperament, attitude, performance
  • Evidence of absenteeism, drinking, drugs
  • Escalating disciplinary or grievance processes (especially if they are concentrated in one department or around one individual)
  • Signs of emerging mental or other health issues
  • Signs of unexplained wealth, or financial difficulty

 

All these things are potential warning signs that something is wrong. Any organisation that has a duty of care towards its staff and values them should be looking for these and picking up on them anyway. Done properly, this is an opportunity for early intervention and support that can turn things around for the individual and the company. But where they are ignored, or mishandled, or just not spotted at all, the brewing problem will fester and multiply and is likely to result in misery for the individual and their employer.

 

Steps general counsel can take

Again, as general counsel you are in a position of influence and responsibility to hold up the mirror to the organisation:

  • Make sure the topic is on the table for an open discussion
  • Make sure somebody knows they are responsible for having an effective strategy
  • Make sure HR is alert to the challenge and somebody is going to recognise and act on emerging warning signs before they get out of hand
  • Ensure there is appropriate investment in management skills training and mentoring for new managers
  • Ensure there is an effective leavers’ process that includes closing IT accounts immediately
  • Ensure the organisation has, or can quickly access, a capability to investigate signs of malicious insider activity and mitigate it
The key thing to remember is that this is not an IT problem, although there are technical solutions that can help to manage it. This is a human problem, and the best solutions are about people.

Giles Cockerill CBE FIET FBCS is a Senior Advisor with S-RM. He has over 38 years’ experience in risk management, cyber security and technology. The majority of his career was spent with UK government in senior executive roles across various organisations, and more recently he has been a non-executive director and risk committee chair on the boards of various private sector companies. He regularly advises boards and senior management teams in the private sector, on data analytics, cyber security and technology risks and how to better understand and mitigate them. He was appointed CBE for ‘Services to Defence’ in the Queen’s Birthday Honours List in 2014, and is a Fellow of the Institution of Engineering and Technology, and a Fellow of the British Computer Society.

 

THIS ARTICLE IS PART OF S-RM’S LATEST REPORT ‘IN THE EYE OF THE STORM: INTELLIGENCE AND THE CHANGING ROLE OF THE GENERAL COUNSEL’

DOWNLOAD THE FULL REPORT HERE

To discuss this article or other industry developments, please reach out to one of our experts.

Giles Cockerill CBE
Giles Cockerill CBE FIET FBCS and S-RM Senior Advisor Email Giles

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download Report