Alex Clayton, a CISSP and security and continuity service manager at 3i, examines some interesting trends around the insider threat, and how effective management can ensure that the threat is not so prominent.
When dealing with my son's bad behaviour I have learned from bitter experience that being strict and dictatorial does not work very well. I now try and use positive affirmation (with the occasional shouting match), which encourages him to behave better and, as a result, we have a much happier, mutually beneficial relationship. This is neatly summed up by Haim Ginott, a 20th Century child psychologist: “If you want your children to improve, let them overhear the nice things you say about them to others.”
What are the parallels with the corporate environment? What are the benefits from a security perspective? Is it likely that a business will thrive if there is mutual respect and trust ingrained in the company culture?
An organisation can put in place all of the technology it wants to protect information and other assets. However, it will not necessarily stop people from stealing money or losing data. To put this in context, according to the most recent KPMG Fraud Barometer report, over 45 per cent of all recorded fraud in 2009 was committed by 'insiders', amounting to over £560 million.
Engendering a culture of commitment and mutual trust will go a long way to ensure that, although employees are able to do bad things, they won't.
It is clear from research in behavioural psychology that employees who are valued, respected and enjoy a fulfilled role are less likely to commit fraud, deliberately damage the organisation's reputation or steal confidential information. This is due to the fact that the individual will, in response to the positive treatment, be dedicated, loyal and productive. Why bite the hand of those who feed them so well?
A faithful employee is likely to treat company information with care and be maternally territorial with its use and distribution. I would, however, steer clear of recommending that people should treat corporate data as if it were their own, as many individuals are very liberal with their personal information, particularly on social networking sites!
Creating this culture is best done using 'carrots', for example recognition, responsibility, remuneration and promotion. However, for the sake of the company and its healthy and productive working environment, 'sticks' are sometimes required to emphasise the boundaries of acceptable behaviour within the organisation. Recent research on security awareness (Maximising the Effectiveness of Information Security Awareness Using Marketing and Psychology Principles by Geordie Stewart) confirms that if sticks are to be used, they must be struck consistently to be effective. Otherwise they are detrimental to company morale and ultimately its success.
Personal relationships are based upon ties of blood and love whereas the corporate relationship is only underpinned by a legal contract. So it is important for an organisation to appreciate that loyalty, for example, will only ever go so far.
This is particularly true when an employee has handed in their notice. Organisations should consider putting extra precautions in place to make sure that company information does not leave with the employee.
It is also often very difficult to extend this culture to third parties and contractors. So, when outsourcing services and buying in consultancy it is critical that organisations accept that the supplier is less likely to be loyal, go the extra mile and care passionately about the confidentiality of their sensitive information. This is especially relevant to the current excitement around cloud computing.
Bruce Schneier emphasises in his book, 'Schneier on Security', that 'security is often about technology, but it's always about people'. Investing in them and creating a culture of loyalty and trust will encourage positive behaviour, resulting in a productive workforce; one which naturally protects the interests of the company and its assets.