Brave new world, old-school problems
Corporate Security Hinges on its People
HELEN OFOSU
© 2017 FrontLine Security (Vol 12, No 3)

We’ve all heard about the fast-approaching, brave new world where autonomous vehicles and other technology will save us time, trouble, and money. We look forward to private vehicles where we don’t need to focus on the road (many vehicles already feature early stages of this capability). We’ll be able to reclaim countless commuting hours and re-allocate that time to rest, catching up with family, or even productive work. It’s all very exciting, but there are significant risks.

The Key Issue is Security 

Cyber security has become an international obsession for good reason. But, there are other types of security breaches. In fact, it’s been argued that insider threats are an even bigger potential risk than external cyber attacks.

Insider threats can be defined as risks posed by rogue employees who deliberately cause harm, or by those who may be negligent in the workplace.

Some insider threats are non-malicious or accidental, whereas others are malicious and intentional. Malicious threats may be driven by principles or ideology (e.g., Edward Snowden), or they could be motivated by anger or disenchantment in the workplace. A malicious insider threat can also develop when someone on staff is recruited and groomed by an outside organization.

What do Technology Industries have in Common?

High-tech industries, including robotics, and artificial intelligence, have a lot of risk in common:

  1. The people and businesses that are best able to monetize this technology stand to earn a lot of money.
  2. The keepers of this valuable intellectual property need to protect it from falling into the hands of their business competitors (and sometimes adversarial nations) and endangering their corporate success and viability – their clients (in some cases the general populace) may also be at serious risk.
  3. The C-suite and the IT community seem focused entirely on protecting such assets by investing in various technical measures to prevent cyber-related breaches and threats.

Not only is technology or data at risk. If business plans and corporate strategies are shared (even verbally) with a competitor, that entity can leverage that information it to gain an unfair advantage. Whether the disclosure is digital or analog, describing an organization’s R&D pipeline is extremely damaging.

Employing the wrong person can cause a lot of damage

Technical measures designed to prevent digital theft, along with non-disclosure agreements, non-competition clauses, and patents are an excellent start, but they are not enough. Legal protection offers good layers of offence and defence, however, when we rely too heavily on them, the horse will have left the barn by the time the victim gets their day in court.

Similarly, when confidential client information is improperly disclosed or taken, it causes serious problems including identity theft and other consequences. Counting too much on technical, IT-based measures like digital monitoring, firewalls, and other software and hardware based interventions is like locking the front door but leaving the back door and windows wide open.

Simply stated, what employers don’t know about their employees can hurt them and make their business vulnerable to considerable liability.

The Human Factor is Critical

Although cyber security experts agree that humans and insider threats are a more pervasive concern than external cyber threats, few pay attention to the human factor. Whenever the notion of using HR or psychology to prevent insider threats is mentioned, people smile politely, acknowledge that this human factor is important, but do nothing to change their standard IT interventions.

As the saying goes, “To the man who only has a hammer, everything he encounters starts to look like a nail.” Most of the people who work to prevent or solve these problems have backgrounds in computer science, engineering, and other IT specializations. Generally speaking, these folks are not interested in being distracted by “soft” interventions that relate to human resources or psychology. That stuff just isn’t in their wheelhouse.

There are countless ways and means that can lead to valuable information flowing from inside an organization to criminals, competitors or foreign entities. Sometimes this leakage is due to issues that were overlooked during the hiring process. Many organizations treat reference checks as a formality that doesn’t offer much value. I’d argue that it’s a missed opportunity to complete due diligence. Other times, this leakage happens as an act of vindication in response to problematic HR processes (e.g., unfair/biased promotion processes) and workplace dynamics (e.g., bullying/harassment, subtle manipulation), or other related frustrations. Finally, valuable information can flow into troublesome places when someone who is forced out of an organization is filled with resentment and hostility while also feeling vulnerable due to new financial pressures.

My main concern is that when organizations focus threat detection solely on technical measures, we’ll miss the “human signals” that something is wrong and that trouble is coming. Some of these human signals relate to issues in employees’ lives or the lives of those close to them.

Some HR policies have, in fact, been linked to serious insider threats. On their final day at work, an employee doesn’t “empty” their brains and corporate knowledge while they are escorted out of the building following dismissal. With a focus entirely on IT solutions, you will miss many of the ways that you could experience a data or cyber breach.

The issue is bigger than we think

Quite often, when a security breach (including cyber crime) is reported in the news, the fact that it originated from inside the organization is not shared with the reporter an is therefore left out of the story.  Research by ipswitch reveals that 75% of security breaches start on the inside. These breaches reflect poorly on the targeted organization. It hurts the public’s trust in the organization’s ability to protect valuable corporate data, including clients’ and customers’ personal information. When an organization has a security breach, their clients, future clients, partners, affiliates, and the public are likely to see the organization as reckless and irresponsible.

These insider threat issues apply to large, medium, and small businesses. The U.S. National Cyber Security Alliance found that 60% of smaller companies are bankrupt within 6 months of a major security breach, so it’s no wonder this is kept quiet. A similar, yet larger scale example comes from recent headlines. Three senior Equifax executives sold shares worth approximately $1.8 million in the days after the company discovered a massive security breach in July 2017. These executives may not fear an actual Equifax bankruptcy but clearly, they knew there would be financial fallout and were determined to stay ahead of it.

Bricks and mortar are also vulnerable

At the beginning of this article, I focussed on the newer industries because it’s easier to see how external cyber threats and internal security threats are relevant to digital information. In some respects, this is misleading. The fact is, that whether we’re talking about glamorous newer tech companies or more established old-fashioned service and infrastructure companies (energy grids/plants/pipelines, water supply/treatment, public transportation), the risks associated with insider threats are huge, often downplayed, and even ignored.

Real Life Tragedy from Insider Threat

The Walkerton Water Crisis of 2000 is probably long forgotten by Canadians who don’t live in the area and lack a personal connection to the tragic events. Seven people died and another 2300 became severely ill when two employees falsified reports, drank on the job, and demonstrated other forms of negligence.

Morally, and in terms of liability, employers are ultimately responsible for the actions of their employees while working – particularly when it comes to essential goods and services that the public counts on. Organizations have a duty to protect their customers and the general populace from negative actions of their employees. Both in terms of protecting access to proprietary information and preserving the integrity and safety of our national infrastructure and public transportation, we are missing the point when all of our efforts are focused on technical IT interventions.

The good news is that organizations and businesses that take their responsibilities to the general public and their shareholders/owners seriously can take steps to improve their corporate resilience to digital and analog insider threats. Carefully hiring staff, including the appropriate due diligence, is a smart place to start.

_____
Dr. Helen Ofosu is an HR Consultand and Career Coach. She also helps organizations minimize the risks of cyber and other insider threats using her doctoral training in I/O Psychology and years of providing HR Services in Top Secret and regular environments.

 

References

1) https://digitalguardian.com/blog/insider-outsider-data-security-threats

2) http://securityintelligence.com/news/insider-threats-account-for-nearly-75-percent-of-security-breach-incidents/#.WaRwWQMNzDA.twitter

3) http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

4) https://news.slashdot.org/story/17/09/07/2056203/credit-reporting-firm-equifax-announces-cybersecurity-incident-impacting-approximately-143-million-us-consumers?utm_source=slashdot&utm_medium=twitter

5) https://en.wikipedia.org/wiki/Walkerton_E._coli_outbreak

RELATED LINKS

Comments

CLICK HERE TO COMMENT ON THIS ARTICLE