Nobody wants to be suspected of being untrustworthy, or of acting against their employer or their colleagues. As a result, senior managers are often hesitant or unwilling to deal seriously with insider security threats: they don't want the backlash from employees who feel they are being treated like criminals. Some Apple Store employees apparently complained to Apple CEO Tim Cook that mandatory bag searches of employees leaving their shifts are unnecessarily embarrassing, and are sometimes even done in public.
It is understandable that this is a touchy subject with employees, but there are ways for employers to take a reasonable position on reducing the risks posed by insiders.
The Accountability Argument
In virtually all medium- to large-sized organizations, managers can and should emphasize the importance of accountability to shareholders (for companies) and to the public (for government organizations). Management is being held more accountable than ever before for any foreseeable risk to its stakeholders, whatever the source. Pointing to that accountability is one way of helping employees accept the need for stricter monitoring on the inside.
Good examples of management being held accountable can be found in the cases of Target and the Office of Personnel Management (OPM). In both cases, the top executives stepped down after major security incidents. Whether or not an incident is initiated from the inside, the executives are ultimately responsible for it.
The Advanced Persistent Threat Argument
Even if employees know that management will be held accountable for security breaches, they may still feel they are being treated with suspicion when security policies appear draconian. However, many advanced attacks now combine hacking tools with social engineering to take control of employees' network accounts. When that happens, an attack that began entirely outside the organization can look, in the logs, as if an employee caused it.
If an employee's account has been compromised, and it has access to any sensitive resources, it can be used maliciously regardless of what the employee intended. So management has an obligation, even if it is more concerned with external threats than internal ones, to monitor internal accounts closely; the monitoring is of the account's behaviour (where, when and from what it signs in, and what it touches), not an accusation against the person whose name is on it. The same goes for monitoring physical access, because attackers can impersonate people who hold access privileges, whether with a borrowed or cloned badge or by tailgating. Sign-in and card-access logs should therefore be retained and reviewed together, so that inconsistencies between them, such as an account active from outside while its owner is badged into the building, can be caught.
These arguments don't guarantee that employees won't be annoyed by increased monitoring that appears to be directed at them, but they are valid, and they provide a sound basis for moving into the murkier waters of managing risk from insider threats.
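The paragraph above recommends managing sign-in and card-access logs together so that impersonation and compromised accounts can be caught. The following is an added example of what that correlation looks like in practice; it is not code from the original post. The log formats, field names, the assumption that the corporate LAN is 10.0.0.0/8, and the sample log lines are all constructed for illustration.

```python
"""Correlate card-access (badge) log lines with account sign-in lines.

A compromised account or an impersonated badge often shows up as the same
person being in two places at once: badged into the building while the
account connects over VPN from outside, or an internal workstation sign-in
by someone whose badge never entered. All formats and field names here are
assumptions for illustration; the sample lines are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample logs (assumed format: "<iso-timestamp> <KIND> <user> k=v ...").
BADGE_LOG = """\
2024-03-04T08:02:11 BADGE alice door=lobby-east result=granted
2024-03-04T08:05:43 BADGE bob door=lobby-east result=granted
2024-03-04T08:40:09 BADGE carol door=lobby-west result=granted
2024-03-04T09:15:27 BADGE alice door=server-room result=denied
"""

SIGNIN_LOG = """\
2024-03-04T08:10:02 SIGNIN alice src=10.20.1.15 method=workstation result=success
2024-03-04T08:31:50 SIGNIN bob src=198.51.100.23 method=vpn result=success
2024-03-04T08:55:12 SIGNIN dave src=10.20.1.77 method=workstation result=success
2024-03-04T09:14:55 SIGNIN alice src=203.0.113.9 method=vpn result=success
"""

CORP_LAN = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal address space
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>BADGE|SIGNIN) (?P<user>\S+) (?P<rest>.*)$")


def parse(log_text):
    """Parse log lines into dicts sorted by timestamp; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "kind": m.group("kind"),
            "user": m.group("user"),
            **fields,
        })
    return sorted(events, key=lambda e: e["ts"])


def is_internal(src):
    """True if the source address falls inside the assumed corporate LAN."""
    return ipaddress.ip_address(src) in CORP_LAN


def correlate(badge_log, signin_log, window=timedelta(hours=10)):
    """Return alerts as (user, rule, detail, timestamp) tuples, in time order.

    Rules:
      vpn_while_badged_in          - external VPN sign-in within `window` of a
                                     granted badge entry by the same user
      internal_signin_without_badge - workstation sign-in from the LAN with no
                                     granted badge entry within `window`
      badge_denied                 - any refused badge attempt (worth a look
                                     on its own for sensitive doors)
    """
    events = sorted(parse(badge_log) + parse(signin_log), key=lambda e: e["ts"])
    alerts = []
    last_badge_in = {}  # user -> time of most recent granted badge entry

    for e in events:
        if e["kind"] == "BADGE":
            if e.get("result") == "granted":
                last_badge_in[e["user"]] = e["ts"]
            else:
                alerts.append((e["user"], "badge_denied", e.get("door", "?"), e["ts"]))
            continue

        if e.get("result") != "success":
            continue
        badged = last_badge_in.get(e["user"])
        recently_badged = badged is not None and timedelta(0) <= e["ts"] - badged <= window
        internal = is_internal(e["src"])

        if e.get("method") == "vpn" and not internal and recently_badged:
            alerts.append((e["user"], "vpn_while_badged_in", e["src"], e["ts"]))
        elif e.get("method") == "workstation" and internal and not recently_badged:
            alerts.append((e["user"], "internal_signin_without_badge", e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for user, rule, detail, ts in correlate(BADGE_LOG, SIGNIN_LOG):
        print(f"{ts.isoformat()} {rule:<30} user={user} detail={detail}")
```

On the constructed data this flags bob and alice (badged in, then VPN from outside), dave (signed in on the LAN without ever badging in) and alice's refused attempt at the server-room door, while carol, who only badged in, raises nothing. Note the caveat the simple rule carries: an employee who badges in, leaves without badging out and then connects over VPN from home would also trigger it, so a real deployment would consume badge-out events and treat these as leads for review, not as proof of wrongdoing, which is exactly the point of monitoring accounts rather than accusing people.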
How does your organization prevent or monitor insider threats?
The Streetwise Security Coach