
Monday 2 May 2011

The Threat Within


Who is the insider?
But what exactly is the insider threat? What, or rather who, is an insider? Security professionals and government agencies all have their own definitions and all of these that I’ve read differ in their own little way, but fundamentally the meaning is the same.
  
I am not going to quote each and every definition (please use the web links opposite to visit some of the specific sites), but the important thing to remember is that an insider is a person to whom you have given legitimate access to your assets. In my opinion a former employee does not fall into this definition (and so is not an insider) as they no longer have legitimate access. In fact, their activities are likely to constitute a criminal offence in themselves.  

In the counter terrorism arena we talk a lot about capability vs motivation. Terrorists have motivation in buckets but most lack the capability - for example they cannot access the materials to build an effective IED. On the flip-side the insider has the motivation but also the capability as they have the in-depth knowledge of your organisation and the way in which you go about your business.

Companies are understandably slow to come forward and admit to their insider incidents, as doing so could demonstrate a weakness in their internal processes or systems. This weakness could lead to uncomfortable questions from shareholders and governing bodies. The majority of insider incidents are reported by co-workers who experience suspicious activity, but many still go undetected.

An insider can be anyone in your organisation, from the part-time cleaner right up to a member of senior management. There is no ‘one size fits all’ profile for the insider, but there are a number of warning signs which could indicate that you have a problem (we will cover these in future articles). It is important to remember, though, that current staff can become insiders: 'Jim', who has been in his middle management role for 6 years and has a clean record, may have a sudden change in personal circumstances (he could fall into financial difficulties) and could become a threat!

There is a massive misunderstanding and a lack of experience when it comes to the insider threat and this stems from no one department taking responsibility for it. The HR department generally deals with pre-employment screening (although in our opinion the security team should), IT systems are taken care of by the IT geeks wearing sci-fi t-shirts and musical ties, and any resulting investigation is dealt with by the security team.

There are various different types of insiders and the threat they pose will be different to each of you but in general they are:
  • Single Action Groups (animal activists or swampy students) – to cause harm, damage or media coverage
  • Terrorists - to cause large scale harm and to maximise media coverage
  • The Lone Wolf - because they want to and can! They are not part of any other group
  • Journalists – to identify a loophole and to sell more newspapers
  • Foreign Intelligence Service
  • Competitors (corporate espionage) - trying to gain trade secrets, insider trading information or just to gain the upper hand over you
  • Disaffected Staff – revenge for not giving them that promotion/pay rise or someone who thinks they know better than the organisation itself.
  • 3rd Party Facilitation – helping somebody else to gain entry or supplying someone else with the data to commit crime, admin account login/password or giving them your building access card.
  • Unknown Pawns - exploited via various means but one way could be via social engineering or 'water cooler talk'. Normally these types of insider are unaware of the information they are supplying others with.

Why do these people do what they do?

  • Kudos
  • Reward 
  • Personal Mission
  • In the name of Public Interest
  • Identify an issue or wrong doing
  • Revenge
  • Intelligence
  • Facilitation of Crime

The effects of an insider can be far reaching but may include:

  • Reputational Damage – poor media coverage, loss of investment opportunities
  • Financial Loss – loss of sales or fines imposed by the ICO or regulating authorities (e.g. Ofcom or the FSA).
  • Physical Damage
  • Unrest Internally with Staff – potentially a lack of trust between staff
  • Loss of Operational Service
  • Loss of IT Service (normally via denial of service attacks)
  • Theft
  • Fraud
  • Poor International Relations

I keep coming back to it, but the single most important factor to consider is that these people have legitimate access. But what does that mean? For me, this means they have already bypassed the majority of the physical and electronic security measures which protect you. Insiders are placed into organisations for the long term to build your trust and to gain a very in-depth understanding of your processes and the assets they are interested in. Even law enforcement are concerned that people with clean records will join in entry-level roles and rise through the ranks in order to supply serious organised criminals with information to assist them in committing crimes.

There have been numerous incidents of insiders
There are many tools in organisations to prevent these threats, and most fall under the security specialism of Personnel Security. Some of these are:
  • A robust pre-employment screening regime (most potential insiders can be detected at this stage - especially journalists and people that have clearly lied on application forms or CVs)
  • Having a staff exit (leavers) procedure
  • Having a positive security culture – where staff are aware of the security risks that your organisation is susceptible to
  • Good policies and procedures, which staff are aware of and read
  • Awareness of the potential warning signs (we will cover some of these in future articles)
  • Support from the board and senior management
  • A robust security audit process including auditing 3rd party providers (make sure all contracts include a 'right to audit' clause)
  • Utilising the electronic tools you have in place – system logs, forensic tools etc.

Whatever approach you decide for your business, it must be risk-based and targeted. Each organisation’s risk appetite will be different, but one thing for sure is you ‘will’ experience an incident as a direct impact from insider action – it is purely a matter of when, and how significant the impact is.


The insider threat is a vast subject and impossible to cover in a single blog post. In my future articles I will give you some more details on this risk, but until then expect the unexpected: these people are very difficult to detect but are easier to prevent.

4 comments:

  1. Great post, guys. You've given some really useful reasons behind insider threats. They really bring to life what the threat is.

    I also usually agree with taking a risk-based and targeted approach to screening. One of the (many) reasons is that it's far easier to communicate your goals and business cases to a diverse organisation.

    David Chernick
    http://www.TREACL.com

  2. Thank you for your comments David.

  3. Further to the above, please read this news article as it further supports some of the info that I have provided: http://www.thisislondon.co.uk/standard/article-23919513-islamic-extremist-landed-dream-job-with-ba-in-spectacular-terror-plot.do

    Regards, Paul

  4. This makes for interesting reading. I was pleased to notice your listing of an issue that plagues many organizations, i.e., people who create unrest internally with employees whose actions carry the potential to create distrust among staff, people who are often motivated by a desire for revenge on those who have identified them as dishonest "around the water cooler."

    A way to resolve such difficulties that can minimize harm is for all staff directly involved in the social difficulty to meet and discuss frankly and in a civil manner, the source of the strain between them. People have to trust each other to be able to work together as a team and one way to foster trust is honest and open communication. Only by making efforts to improve our understanding of where each of us is coming from and face the at times difficult emotions that often accompany a clearing of the air, will a contaminated work place be set right.

    This requires a little courage and a certain amount of faith in our fellow employees and those are a good place to start. If the goal is for all staff to pool their individual talents and expertise and apply them to the tasks they were hired to perform, internal entanglements stemming from personal vendettas and retaliatory workplace gossip must stop. Focus must temporarily be placed on reaching a place of understanding so those affected can have an opportunity to accept responsibility for their own part in the problem and make honest apologies to one another.

    If such agreement is reached it becomes crucial that all sides are made aware, both verbally and in writing, that any further mention of such problems will be considered a breach of the agreement and a furtherance of a matter the organization can no longer afford to entertain. Those responsible for not letting the matter go could then justifiably be fired.

    Thanks for publishing this thought-provoking article.


Thank you for your comments.

Team Chatback