How would you expect an insider threat to materialize in your organization? Could it be the recent new hire who just seems too keen? Or do you just expect that the signs will be obvious when a top software developer starts pushing for a raise, and they seem ready to make a move? It can actually be hard to imagine why people we know and trust might doing anything to hurt their employer. But you may be surprised at how innocently an employee can fall into a compromising situation that brings real risk to the organization.
Hidden personal issues can present security risks
Labor disputes are probably one of the top causes that people might think lead to insider threats. This may be the case, but more often people hit bumps in the road. Whether it’s a bad investment leading to large debt, a gambling habit or an addiction to drugs or alcohol, these are things people can hide from co-workers, friends and even family for quite a while. People slowly sink into a mindset that “if I can just deal with this one issue, I can get back on track”. Sometimes that’s true, but sometimes the lack of good judgement that got them into the situation can make it hard for them. They try to stay optimistic that things can’t get worse. But they can. All the while, co-workers may not suspect anything significant is wrong; after all, we all have ups and downs in life.
So, one alternative that might start creeping into employees’ minds when they reach this point is, “Maybe if I could leverage my access to the organization’s information and systems, I could earn a few extra bucks”. The employer probably won’t notice, and once they get through their crisis, they can just put it in the past. The employee might think of the small losses suffered by the employer as just an extension of the corporate Employee Assistance Program.
Even happy people can become good sources for attacker
Although we may find it hard to believe, even the happiest of employees can be targeted by attackers who are looking for access to the corporate network, data and systems. The actual threat scenario can be different from one in which an employee represents a vulnerability, simply by failing to follow corporate procedures or use security safeguards. While the employee may not intend to injure their employer, they can actually become the active agent in carrying out an attack. How does this happen? Often, it’s very slowly, and very innocently.
I’ve recently had my eyes opened by an associate who specializes in training organizations on counter-intelligence tactics. The tactics used by foreign states can exploit virtually any personality traits you can imagine, which has the potential to turn any well-intentioned employee into a reliable source for an adversary of the organization. Whether it’s a foreign government or organized crime ring, it doesn’t cost much to create a situation where an employee feels an obligation to cooperate, while covering up what they are doing.
It may even happen right under your nose, during legitimate business meetings. An employee could be getting a little too close to the adversary in a negotiation, or that new, large prospect may not be who they claim to be.
It may seem like fiction, but I’m starting to realize that this threat scenario is very likely to be the next evolution in social engineering and hacking of organizations. So, my belief is that your Human Resources team may be a valuable ally in helping identify the best ways to inform staff of these risks, and to train them how to recognize and avoid the slippery slopes that can lead to serious security breaches.
If you’d like to learn more about how your most trusted employees can be targeted by attackers, I can arrange for a jaw-dropping demonstration. Please contact me for more information. I’d also like to hear of any cases or stories you might know that illustrate how employees have managed to hide illicit activity, or how they may have been manipulated into taking dangerous actions.