Organizations continue to invest heavily in hardware and software as their primary defenses against the loss of data and property, but recent studies would suggest that those same companies are seeing an increase in the number and the severity of data security breaches. The big question is: why? The likely cause is these same companies are failing to address the human factors in security -- the insider threat -- even when statistics indicate that most breaches occur at the hands of a current or former employee.
So why are companies still not embracing the idea that their employees are the single biggest threat? In today's business environment, management has to be concerned with finding quality staff in a competitive market. As a result, they may overlook a negative background or perceive an issue as minor in order to fill a job. Worse yet, they may choose to ignore a problem employee out of fear of losing that employee to a competitor, especially if that employee is generating income for the company. In addition, they need to be concerned with litigation resulting from disciplinary actions, terminations and hiring practices.
The single biggest issue companies fail to address with insider threat management is having clear and concise policies and failing to train staff on the expectations of those policies. Most companies will fall into three groups when it comes to policies: the company doesn't have a policy, the policy the company has is outdated and no longer valid, or the company has chosen not to enforce or selectively enforce their policies. Regardless of what category companies reside in, they are all likely to end up with a breach or in litigation and suffer significant losses in both data and assets as a result of not having or failing to enforce effective policies.
Employees are human and are subject to emotions that lead to bad decisions. Some of the common reasons why employees make bad decisions are stress, arrogance, revenge and a sense of entitlement. Stress can come from either the work itself or from outside factors, and behavior like arrogance and a sense of entitlement can be found in any employee. However, it's more likely to be an issue within the management ranks, where the attitude of "the rules don't apply to me" tends to exist. This can be hard to weed out, as managers tend to work without close supervision and problems go unseen until it's too late.
Revenge, on the other hand, can come from any employee regardless of position. It is normally the result of anger or the feeling that the company has treated the employee wrongly. This behavior is probably the easiest to mitigate: remove terminated employees' access to systems and facilities. Employees who might respond badly to reviews or other decisions should be sent home and given time to adjust to the information. During this time, their access to systems and facilities should be restricted or blocked.
So what can companies do to help mitigate the human factor in security? In every case companies need to start with well-developed policies that are embraced by senior management then adopted as part of company culture. They need to train employees to understand what's in the policy and the company's expectations. Training should be done annually and employees should be required to sign an acknowledgement form indicating they have read and understand the policy.
Policies need to be enforced equally throughout the company; selective enforcement of a policy or simply failing to enforce a policy negates that policy. This will make it difficult to enforce later or result in legal action against the company if an employee claims they have been singled out.
Checking out job candidates
Companies should conduct background investigations on all employees regardless of their role in the organization. The depth of the background check should be equal to or greater than what the job demands. For example, an employee in finance should have a background check that includes financial and criminal history, while someone hired as a receptionist may only require a basic criminal history check. Background checks should be repeated annually for employees in key roles. Finally, companies need to be clear that any offer of employment, and continued employment, is contingent on the background check.
Review security policy
Policies are fluid. They are designed to change as the company changes. They should be reviewed and updated at least annually to ensure they are still in line with, and support, the goals and direction of the organization. Any time a change is made, it has to be communicated to the organization's employees. I would also recommend that companies enlist the help of legal counsel when writing the policy and then for reviews any time a change is made. While this comes with a cost, it's cheaper than defending an action in litigation or what a company could end up paying in judgments.
Managers also play a key role in identifying potential problems with employees. This begins in the hiring process, where managers need to screen candidates not just for job skills but for personality traits, and ask the question: Will this person fit in the culture of this company? Candidates who don't seem to fit in, or whose personalities may be counterproductive, should not be hired.
Enlist management to monitor employee behavior
Managers should establish good working relationships with employees directly under their management. They should have a sense of each employee's personality, work habits and activity outside of work. Having this knowledge lets managers identify changes in behaviors that could potentially lead to a breach.
A good example of this is an employee who suddenly begins to come in late, or who has been borrowing money from co-workers. These are warning signs that would only be apparent to a manager who is in tune with their staff. This employee may be having financial, personal or even substance abuse problems. If they are in a key role with access to sensitive information, these behaviors represent a significant risk to the company.
Employees demonstrating significant behavior changes should be removed from key roles until management can determine the source of the problem and then either assist the employee in correcting the issue or terminate the employee.
Some warnings to managers on dealing with staff: You can't rely on others to report behavior changes. Human behavior has shown that most employees will not report another staff person, because they don't want to be the person who tells on a fellow employee.
Managers should maintain good working relationships but avoid personal relationships. These tend to blur the line between their supervisory role and the employee. Managers who establish friendships with employees often find themselves making bad decisions by failing to address issues out of concern for the friendship.
So yes, on top of everything else, managers need to be part profiler, psychologist and counselor. Taking these steps will help limit a company's exposure to a data security breach, but regardless of the behavior, emotion or motivating factor, companies need to understand that technology alone will not prevent or solve security problems.
As long as humans exist in the workplace there will always be some level of risk, and how companies manage their employees can greatly reduce that risk.
Brian C. Sears is director of information systems at Benson & McLaughlin.