By Gopal Padinjaruveetil, Chief Security and Compliance Architect, Capgemini
Why does an employee decide to bite the hand that feeds him? Is this a design fault in the human cognitive behavior system, just as cancer is a design bug in the human body? Can both be detected in time, before the damage is done?
For the most part, when employees initially join a company, their intentions are good. However, in some cases, at some point, things take a turn for the worse. Maybe they didn’t get the promotion they were hoping for, or maybe they wanted to pursue a project that was rejected by upper management. Whatever the issue may be, how the employee handles it could define not only their own career but also the future of the company. The employee may try to mitigate the problem, quit, or, in the worst-case scenario, seek revenge, at which point they become a serious threat.
So how does a company know if one of their own chooses the vengeful route? More often than not, they don’t, until it’s too late. Evaluating and analyzing human intent is one of the biggest challenges facing organizations today. It falls under the umbrella of ethics and culture – both of which are human behavior issues that are tough to quantify with metrics. That’s why so many companies struggle to combat insider threats. They don’t know how to get inside people’s heads, predict their next move and stop them before they do something detrimental to the business.
Insider threats can be broken down into four areas.
IT fraud: We have seen several cases during the past few years where insiders, mainly employees, used technology to commit fraud. The Volkswagen case is a classic example. Earlier this year, 11 million vehicles were outfitted with defeat devices that turned on during clean air tests so diesel vehicles would appear to meet emissions standards. The employees who manipulated the diesel engine software knew they were doing something illegal yet followed through with it anyway. Volkswagen now faces a storm of controversy, including losing the trust of customers and of its own dealerships, and may need to recall millions of vehicles in 2016.
IT fraud can be committed by anyone within an organization and not always with a malicious intent. For example, let’s say I work for a software development company and my boss mandates I create a program that’s supposed to calculate the reimbursement costs for mileage yet he wants me to manipulate the program so it doesn’t accurately calculate the mileage traveled. I know it’s the wrong thing to do, but my boss is telling me to do it. What do I do? In many cases, the employee would follow through with the boss’s orders so that he doesn’t risk losing his job or getting a demotion.
Sabotage: If a bitter employee seeks to cause major damage, they may purposely take action, unbeknownst to the employer, to sabotage the company. Going back to the software developer example, malicious insiders may write back doors into the applications they are developing so that criminals can break in and bring down the company’s systems.
Theft of intellectual property: We have seen an increase in criminals and nation-states breaching organizations to steal their intellectual property but what about insiders using it for their own benefit? In some cases, when employees create something while working at a company such as writing a program, they believe that program belongs to them, not their employer. Therefore, when they leave the company, they take their work with them, believing they have full ownership rights when in reality that’s not the case. They may use that program to launch a competing company or sell it to an already existing competitor.
Espionage: The United States is a top target of nation-states due to its continuous innovation and advanced technology. They will pay for top secret information to advance their own capabilities. While the threat stems from the outside, it affects those on the inside. Bad actors may use blackmail, coercion or offer money to persuade employees and other insiders to share top corporate secrets. Whether the insider is sharing it maliciously or not, the information is still illegally leaving the organization and going someplace where it doesn’t belong.
The anatomy of each of these types of threats is very different but they all can be equally damaging. Here are three things organizations can do to minimize their cyber risk and avoid falling victim to an insider threat:
Good behavior anomaly detection: Organizations need to know what their employees, third party vendor users and any other insider that has access to their sensitive data are doing on their network. How do those individuals typically behave? What information do they access? How do they gain access to that information? Once they understand the typical behaviors of their insiders, they can identify any unusual behavior not only for that individual but also compared to the typical behavior of their peer group and line of business. For example, if an employee typically logs onto the corporate network at 9AM every day but then suddenly starts logging on at 2AM, that may indicate they are up to something.
Behavior anomaly detection is a complex topic. “Psychological expertise is increasingly recognized as valuable in, for instance, understanding the ecosystem of human inter-relationships in fraud matters (beyond fraudster-victim). Specialized knowledge of human psychology—including mental architecture, behavioral drivers, irrationality, and response patterns, to list only a few—and group and organizational dynamics are additionally useful in rendering three-dimensional profiles of the fraudster, his network of affiliates, and their organizational operations,” says Dr. Alexander Stein of Dolus Advisers.
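The login-hour example above (a 9AM user suddenly authenticating at 2AM) can be turned into a simple baseline check that compares each new login against both the user's own history and their peer group's, as the text recommends. This is an added illustration, not code from the article or from Capgemini; the log format, team names and the z-score threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample authentication log lines: "timestamp user peer_group".
HISTORY = """\
2015-11-02T09:02:11 alice finance
2015-11-03T08:58:40 alice finance
2015-11-04T09:05:03 alice finance
2015-11-05T09:01:27 alice finance
2015-11-02T09:10:00 bob finance
2015-11-03T09:12:45 bob finance
2015-11-04T08:55:19 bob finance
2015-11-05T09:03:58 bob finance
"""
NEW_EVENTS = "2015-11-06T02:07:33 alice finance\n2015-11-06T09:00:00 bob finance\n"

def parse_logins(text):
    """Parse log lines into (user, group, hour-of-day as a float) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, group = line.split()
        t = datetime.fromisoformat(ts)
        events.append((user, group, t.hour + t.minute / 60.0))
    return events

def build_baselines(events):
    """Mean and population stdev of login hour, per user and per peer group."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for user, group, hour in events:
        per_user[user].append(hour)
        per_group[group].append(hour)
    stats = lambda hs: (mean(hs), pstdev(hs))
    return ({u: stats(h) for u, h in per_user.items()},
            {g: stats(h) for g, h in per_group.items()})

def zscore(hour, baseline, floor=0.5):
    """Deviation in standard deviations; the floor (in hours) keeps very regular
    baselines from flagging a few minutes' drift. Note: hours are treated
    linearly, so a shift across midnight would need circular handling."""
    m, sd = baseline
    return abs(hour - m) / max(sd, floor)

def flag_anomalies(history, new_events, threshold=3.0):
    """Flag logins that deviate from BOTH the user's own and the peer group's pattern.
    Returns (user, hour, user_z, group_z); unknown users/groups are always flagged."""
    users, groups = build_baselines(history)
    flagged = []
    for user, group, hour in new_events:
        zu = zscore(hour, users[user]) if user in users else float("inf")
        zg = zscore(hour, groups[group]) if group in groups else float("inf")
        if zu > threshold and zg > threshold:
            flagged.append((user, round(hour, 2), round(zu, 1), round(zg, 1)))
    return flagged
```

Requiring both the individual and peer-group deviation keeps a whole team working a late release from raising one alert per person, which is the kind of context the article says per-individual baselines alone miss.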
Behavior modification: In the case of non-malicious insiders, those who are unknowingly posing a cyber risk to their organization, it is critical that organizations identify the risky behavior and then address it directly with the insider and their manager. For example, if an organization sees an insider visiting potentially risky websites that have nothing to do with their daily work activities, it should send the insider to targeted security awareness training, explaining exactly how that person is posing a risk to the organization and how to remediate that risk. That type of immediate action helps change behaviors organization-wide because it gives insiders a better understanding of what they are doing wrong and how they can fix it.
Surveillance: Yes, the word is controversial. Where should companies draw the line between security and privacy? From a security standpoint, monitoring what insiders are doing on the network is the best way to stop a breach before it happens. On the flip side, monitoring insiders 24/7, many of whom are not doing anything wrong, could be looked at as an invasion of privacy. What does reasonable surveillance look like? It starts with identifying where the organization’s most sensitive data lives and who has access to it. Those who have the most access should receive tighter surveillance first and foremost. The level of surveillance also depends on the industry, sector and team they work on, and on the amount of damage that can be done if something goes wrong. For example, if an insider’s risky behavior could lead to a loss of human lives because of the role they play and the access they have to sensitive information, that individual should be monitored more closely. Unfortunately, in the world we live in today, security cannot take a back seat to privacy.