GILES COCKERILL CBE FIET FBCS sets out the workplace and behavioural indicators that drive people to become an insider threat to their organisation.
When it comes to cyber security, ‘insider threat’ is a challenge that most organisations find very uncomfortable addressing. Usually, organisations emphasise the importance of effective teamwork and employers strive to make staff feel valued, to foster engagement and boost morale. Even discussing ‘insider threats’ feels like a betrayal of those values, as it implies that you do not trust your staff, your colleagues, or your friends.
But it is vitally important in building a resilient and secure organisation to be able to discuss the issue. Why? Many of the most devastating security breaches in history have been initiated or assisted by those working within the breached organisations. Nobody is immune – not spy agencies, national banks, major global corporates, or your own organisation.
Non-Malicious ‘Insider Threats’
A good way to introduce this topic in wider discussions may be to focus on the non-malicious aspects – the term ‘insider threat’ is widely applied to non-malicious activity by insiders who unintentionally do harm. That does not necessarily mean they are blameless. People under pressure often do things they know they should not: take risks, shortcuts, and workarounds, despite the best cyber security training. Usually they get away with it; sometimes they do not.
This is an important ‘litmus test’ of a company’s culture:
- How does it respond to the threat?
- Does it encourage people to report, as part of a genuine ‘no-blame’ culture, and help them to learn the lessons they need to (whilst moving urgently to repair the damage)?
- Do staff trust their managers and their HR department?
- Is it safe to be honest? Or do staff try to hide their error and leave the company exposed to the consequences of inaction?
More broadly, what is it about the culture of the company that drives people to take these risks in the first place?
- Excessive delivery pressures
- Dissatisfaction with compensation
- Unworkable security policies
- Poor IT
- Bad management
These are all common factors that create the conditions where staff feel they have no option but to ignore their cyber security training. That is the company’s fault, but all too often staff are left feeling exposed and carry the can when things go wrong.
As a general counsel you are in an influential position within the company. It is not your responsibility to fix the IT or run the HR department – but you do have a position and a responsibility that enables you to hold up a mirror to the organisation and challenge bad practice.
There is a world of difference between a company that mandates unworkable cyber security policies and fires anyone caught breaking them, and a company that works with staff to implement workable cyber security policies, changing working practices where necessary to manage risk effectively. And as these include regulatory and legal compliance risks, you are very much a stakeholder in that.
Malicious ‘Insider Threats’
But what about the malicious insider, the member of staff who sets out to do harm to their employer and their colleagues? The first point is that few people join an organisation with the intention of becoming a malicious insider. In the great majority of cases, they evolve into a malicious insider over time, fundamentally because the way they are treated or rewarded is not aligned with their expectations or their perception of their self-worth.
For the most part, malicious insiders are reacting against their employer in general or their line manager in particular:
- Promises broken
- Being bullied
- Being discriminated against
These are all potent motivations for ‘lashing out’ or ‘getting even’ – in short: toxic cultures breed toxic staff.
That said, some individuals are completely unreasonable. They have inflated views of their own worth or believe promises were made that were not, and no fair and reasonable employer will be able to satisfy them. Fortunately, most take themselves off to another job and the cycle starts again, but some decide to take ‘revenge’ first.
From the employer’s point of view, defending the organisation against malicious insiders is very difficult – especially if the insider is savvy enough to link up online with criminals or others intent on hacking their employer.
An insider with access within the company’s perimeter defences, working collaboratively with a sophisticated hacker outside the company, is a nightmare scenario, especially if the insider has legitimate access to the core of the company’s IT systems or its most sensitive data.
There are many technical tools that can help; it is vital for an organisation to be able to monitor its internal networks and devices as much as its perimeter, and this should be a standard part of the organisation’s cyber security strategy. Is it in your company?
Use Your ‘People Compass’ to get on the Front Foot
By the time those tools spot something, the company already has a major problem on its hands. Preventing, or at least spotting, the problem much earlier in its development is the best approach, and that is fundamentally a people issue, not a technical issue.
It is about good management practice and skilled managers; a healthy and balanced corporate culture; effective HR policies and practices; being alert without being suspicious; being trusting without being naive. Everyone has a part to play, from the board to the shop floor, from line managers to HR. And getting this right should be in the wider commercial interests of all successful organisations, so this should not be a difficult conversation to have internally if it is approached from a positive rather than a negative perspective.
What should people be looking out for?
All these things are potential warning signs that something is wrong. Any organisation that has a duty of care towards its staff and values them should be looking for these and picking up on them anyway. Done properly, this is an opportunity for early intervention and support that can turn things around for the individual and the company. But where they are ignored, or mishandled, or just not spotted at all, the brewing problem will fester and multiply and is likely to result in misery for the individual and their employer.
Steps general counsel can take
Again, as general counsel you are in a position of influence and responsibility to hold up the mirror to the organisation:
- Make sure the topic is on the table for an open discussion
- Make sure somebody knows they are responsible for having an effective strategy
- Make sure HR is alert to the challenge and somebody is going to recognise and act on emerging warning signs before they get out of hand
- Ensure there is appropriate investment in management skills training and mentoring for new managers
- Ensure there is an effective leavers’ process that includes closing IT accounts immediately
- Ensure the organisation has, or can quickly access, a capability to investigate signs of malicious insider activity and mitigate it
Giles Cockerill CBE FIET FBCS is a Senior Advisor with S-RM. He has over 38 years’ experience in risk management, cyber security and technology. The majority of his career was spent with UK government in senior executive roles across various organisations, and more recently he has been a non-executive director and risk committee chair on the boards of various private sector companies. He regularly advises boards and senior management teams in the private sector, on data analytics, cyber security and technology risks and how to better understand and mitigate them. He was appointed CBE for ‘Services to Defence’ in the Queen’s Birthday Honours List in 2014, and is a Fellow of the Institution of Engineering and Technology, and a Fellow of the British Computer Society.
THIS ARTICLE IS PART OF S-RM’S ‘IN THE EYE OF THE STORM: INTELLIGENCE AND THE CHANGING ROLE OF THE GENERAL COUNSEL’ REPORT