"We can offer you £20k extra per year and a £10k golden hello if you bring your client lists with you." a computer specialist job applicant was told. This is how Lisa Forte, partner at Red Goat Cyber Security LLP opened her presentation: Insider Threats: How far would you go to stop an attack suring Digital Transformation Expo Europe yesterday.
As delegates considered how tempted they might be by such an offer, they confronted the variable tipping point for becoming an intentional insider threat to their organisation, and how their own mix of personal and professional circumstances might play a part.
Insider threats come from anyone given legitimate access to information, and the reasons for those acting with intent to steal data can be varied and complex, including malice, whistleblowing, and economic or personal motives, putting security professionals in the position of defending against someone they should ordinarily trust.
Forte noted how Snowden and Manning, who became the 'poster boy/girl' for insiders, were actually not typical, except in so far as, like almost all insiders, they flew under the radar.
Another point of similarity with other incidents is that after the breach, colleagues come forward and start saying what they thought was strange about the person's behaviour, such as coming in on Sundays - which would obviously have been more useful had they reported it beforehand.
So Forte addressed the question: what factors make it more or less likely that suspicious behaviour is reported?
She reported how research had shown chronic under-reporting of suspicious behaviour, with senior staff behaviour entirely ignored and seniors able to get away with anything, while people were more likely to report their friends, and certainly contractors and new starters.
They much preferred to report to HR rather than to security staff, but generally lacked confidence that their report would be kept confidential, and these were the main deterrents - along with the psychology of 'not snitching'.
Forte also noted, "Reporting is an elective act, they do a cost/benefit analysis. And currently, all the costs are on the individual - potentially being ostracised by colleagues, losing their job after reporting a manager, etc. Whereas all benefits went to the company - not to the individual, hence the balance is skewed in favour of staying quiet."
A consequence is that the people with the most power and access are the least likely to be reported for suspicious behaviour.
So how to tackle this situation? Forte emphasised that deterrence is generally a better approach than detection, as it is both easier and achieves results before the damage is done. Achieving deterrence requires staff training and instilling confidence in confidentiality - though 72 percent of research respondents reported having had no training, and a similar percentage didn't believe their name would be kept confidential.
Forte's advice was to first identify what data, if stolen, would bring the company to its knees, suggesting it's not usually PII but intellectual property, R&D and market data. Then identify who has access to this data and monitor those people, not the entire population. A programme should be drawn up that includes:
Training - letting people know that the issue is taken seriously
Confidential reporting - via HR, so liaise closely with HR
HR front and centre - hold regular meetings between HR and security
Senior staff endorsement - senior staff need to buy in
Crowdsourced security - get staff suggestions; they know the business well, and it reduces backlash when new measures are implemented
Robust technical controls - only deploy against those with access to critical data
In conclusion, Forte reiterated the key advice - create a programme and focus on deterrence rather than detection.