Security “inside the firewall”: what can organisations do about malicious insiders?

2nd August 2018

Categories: Latest News

Dr Emma Barrett OBE, CPsychol, FRGS Professor of Psychology, Security and Trust, The University of Manchester

In 2014, a disgruntled employee of the supermarket chain Morrisons leaked the payroll data of 100,000 employees – including their bank account details and salaries. 5518 of those employees subsequently won a case for compensation for the distress the leak had caused. In a landmark ruling, the High Court held that, although a malicious employee was responsible for the leak, the company was responsible for keeping personal data secure and was thus vicariously liable for the disclosure. On top of the £2M costs already incurred because of the breach, Morrisons is now facing a huge compensation bill. The judgment is the subject of a pending appeal.

Humans are a critical part of effective cyber defence

The ruling is a reminder to organisations that they must apply strict controls on personal data to reduce the risks posed by ‘insiders’. But it is also a reminder that effective cyber security is not just about technology – humans are a critical part of effective cyber defence.

Whether through malice or by accident, employees are often the source of data breaches. At one extreme, we have people like the Morrisons leaker, who deliberately misuse their access to an organisation’s data and systems to sabotage the organisation and/or for personal gain. At the other, we have well-meaning employees who cause a data breach through carelessness – clicking on a phishing link, for instance, or accidentally sending a sensitive email to the wrong recipient.

Somewhere in the middle we have employees who would not normally commit an insider act but who are persuaded or coerced into working for ‘outside’ cybercriminals. A recent Kaspersky Lab report suggested that criminals, armed with embarrassing material harvested through leaks of customer data from adult websites, use blackmail as a means of recruiting an insider.

Recognising the critical role of employees in cyber security is not new. Yet ‘insider threat’ remains a significant and growing problem.

What can organisations do to mitigate the threat from malicious insiders?

Carrying out pre-employment checks (screening out those with a criminal history or a record of disciplinary problems, for instance) is an obvious risk reduction measure. Some have suggested that pre-employment screening should go beyond checking past behaviour and look at a potential employee’s personality traits, their potential vulnerabilities (are they significantly in debt, for example?), or even their ideological views.

But such approaches can be problematic. Take personality screening, for instance. Research shows that people who engage in counterproductive workplace behaviours are more likely than the rest of the workforce to have narcissistic, Machiavellian, and psychopathic personality traits (the so-called “Dark Triad” of personality).

But this doesn’t mean that everyone who has those traits will engage in malicious insider activities, or that people who don’t have those traits will not. And let’s not forget the legal, ethical, and practical challenges of measuring personality traits – or, indeed, any other personnel ‘risk factor’ – and making employment judgements based on such measurement.

Another reason why ‘vetting’ of potential employees may only be partially successful in managing the risk is that employees who carry out malicious insider acts often do not join an organisation intending to carry out such acts. One recent UK government study reported that only 6% of more than 120 serious insider cases involved pre-employment intent to commit an insider act. Pre-employment screening is clearly not enough to prevent all potential insiders. It may, however, give an organisation false reassurance that it has mitigated the risk.

A common theme in studies of how normal employees can become an insider threat has been disgruntlement, as with the Morrisons case. Feeling underappreciated or unrecognised can be a trigger to counterproductive workplace behaviours, from cynicism and apathy to actively causing harm. Conversely, when employees feel appreciated and supported by their organisation they may be less likely to engage in such behaviours.

Leadership and management behaviours, in particular, have a significant impact on an employee feeling appreciated by (and perhaps therefore more loyal to) an organisation. So it is no surprise that badly-managed organisational change, incompetent management, or poor leadership role modelling have all been associated with increased risk of counterproductive workplace behaviours.

Given all this talk of ‘insider threat’, you can see why so many claim that “humans are the weakest link” in organisational cyber security. But this profoundly underestimates the important role employees can play in preventing and managing security risks. Whether it’s looking out for unusual behaviour or signs of disgruntlement in colleagues, being an attentive and competent manager, or being a leader who role models exemplary security behaviour, employees at every level can be an organisation’s greatest asset in managing the risk of malicious insider threats.

If you’re attending Black Hat USA 2018, click here for more information and to book a meeting with Andrew Toolan, Business Development Manager, MIDAS and find out how Manchester, the UK’s emerging cyber security hub, can help you. If you’re not going to Black Hat USA, you can always get in touch with Andrew here.
