Last month, I appeared on BBC Breakfast to discuss some of the wider cyber security issues raised by the Edward Snowden case, in particular the threat posed by ‘malicious insiders’. A malicious insider is someone within your organisation who purposely uses information they have accessed as part of their position to cause harm to the organisation and / or to bring benefits to themselves. Some steal commercial secrets to sell to a competitor, others use information they have gleaned for blackmail purposes, and so the list goes on. Most are disgruntled employees or ex-employees who have, at least in their own minds, a reason to seek revenge on their organisation and ‘get their dues’.
The Snowden case reminded me of a report released by Symantec in 2011 which explored the psychology of malicious insiders; a number of their points are worth considering if you don’t want an insider to steal, leak, sell or corrupt your data.
Most IP theft is carried out by individuals in technical positions, and Snowden’s role as Network Administrator (in a contracting capacity) for the NSA certainly enabled him to view and download more data than most of his colleagues: he could access parts of the network that were restricted to most, and he had permission to use a USB stick whereas they were banned for most of his colleagues. At the time of Snowden’s appointment, the NSA had 1000 network administrators: as a result of his disclosure, they are now cutting this figure by 90% . Who are you trusting with your most important organisational assets? Who’s watching the watchers?
Malicious insiders tend to take information they know and work with. As in the Snowden case, 75% steal material they are authorised to access. How do you determine, and restrict, who has access to what in your organisation?
- More than half of malicious insiders steal data within one month of leaving their organisation. What are your exit procedures, and can ex-employees still access your network?
- Snowden has stated that he was motivated by the common good (“My sole motive is to inform the public as to that which is done in their name and that which is done against them”), but in general malicious insiders often act following a professional set-back (or what they perceive to be a professional setback). Having the right organisational culture is crucial in underpinning your approach to cyber security. How do you support those who might not be progressing as fast as they would like? Do your staff members feel appreciated, and are you rewarding those who are loyal, committed and hard-working? Staff members who feel looked-over and under-appreciated pose more of a threat, so building a culture that rewards positive behaviour and punishes negative behaviour is good for everyone.
- The vast majority of malicious insiders have signed IP agreements. While having the right policies in place is undoubtably important, remember that policies need to be actively enforced. Is there a system in place to ensure staff have understood and digested your policies? How are they monitored and enforced? Training and awareness are hugely important here.
- The Symantec report stresses the importance of pre-employment screening to mitigate the risk of hiring a ‘problem employee’. Checking potential employees out before you sign them up can help you determine if they are going to be a good fit for your organisation. Edward Snowden had a fairly high profile, before he joined the NSA, as an Internet forum contributor. His posts commonly expressed views that were anti-authority, anti-government, pro-privacy and pro-free flow of information. On top of that, apparently the NSA hired Snowden despite discrepancies in his job application. One could argue that if the NSA had undertaken as much surveillance on Snowden as they are seemingly undertaking on the rest of the World, then they might have realised that he had political views which were not aligned with their own.
- Understand that cyber security is a multi-faceted issue which needs a multi-disciplinary approach. It is not simply technical. Have an empowered information security team that includes HR, IT and legal professionals to create policies, drive training and monitor and reward employees appropriately. Each member of the team has an important role to play (for example HR drive a culture of reward and penalty, and IT security monitor the network for unexpected, excessive downloading) and together the team forms a much-needed holistic approach to organisational cyber security.
- Take a step back and look at your organisation through fresh eyes. So often, we can become desensitised to the most valuable information in our organisation, because we are handling it everyday, and to the biggest threats posed, because they are right in front of us. It can be so easy to not see the woods for the trees. What information does your organisation rely on? What would be most damaging if it fell out of your hands and into a competitors? Following the Snowden story, many organisations are now re-evaluating their approach to contractors. Is this something you need to consider?
Finally, the majority of malicious insiders are males, between the ages of 25-37. Snowden was 29 at the time of his leak. I’ll leave a discussion about the fact that most (known) malicious insiders are young men until another time!