There’s a pernicious myth in the cybersecurity world that an “insider threat” program should focus exclusively on disgruntled employees. The idea is to constantly surveil an organisation’s entire population to detect the rare “worker with an axe to grind.” That’s a fine start … at least when implemented well. Identifying malicious insiders is a necessary part of a good insider threat program; it’s just not the be-all, end-all of said program. To be effective, security departments need to pay attention to everyone in their organisation for signs of dangerous conduct, not just those people who seem seriously angry.
As an example of why it necessary to consider everyone, my mate Pablo [1] brought me some good news last night. “Bob,” he told me with a huge grin, “finally got herself terminated.”
Bob [2] was up until very recently the third shift supervisor at Pablo’s plant. I recognized the name immediately because Pablo had been griping to me about Bob’s staggeringly poor performance for at least a year. According to one discussion I had with Pablo and some of his buddies from the plant, their site’s third shift was so ineffective that their company would’ve been better off firing the lot of them and doing without the shift entirely. Nothing was ever better in the morning than it had been the night before.
The way Pablo described it, Bob was a high-energy manager. Every time a problem arose on the floor, she would sprint to the incident site and throw everything she had at the issue. Leading from the front … right up until a new problem arose, at which point she would abandon the first problem and sprint off to the next one. Repeat endlessly, with very little getting done before daylight. Bob’s frenetic behaviour became a running joke across the entire facility. [3]
The thing was, Bob had team leads under her that she should have delegated tasks to. She didn’t. Pablo didn’t know why she didn’t and declined to speculate. For whatever reason, Bob tried to sort every issue personally and required her staff to wait patiently for her until she showed up to fix things. It was sort of like how car manufacturers in the 80s could all shut down the entire assembly line if they noticed a problem. Unfortunately, Pablo’s site is a shipping office, not a manufacturing site. They can’t stop moving cargo without losing money.
I asked Pablo if Bob’s legendary inefficiency had finally got her sacked. Had upper management made any attempt to mentor her? Re-train her in how to use her subordinate leaders? Maybe work through a PIP? Pablo couldn’t say, as he’s not privy to upper management’s decisions. What he could share was terrifying: it seemed that Bob was still enthusiastically banging away at her workload in the site’s computer network day after day a full three weeks after she was sacked!
I was shocked. Was Bob so irrationally dedicated to her job that she was coming back to the site every night and working for free? No, Pablo said, it was worse than that.
He related that one of the ways Bob had held off her termination for months was through the use of dirty tricks to keep her shift as productive as possible despite her terrible management habits. One of the best ways to multitask, she’d discovered, was to share her company login credentials with everyone on her shift. That way, whenever she had to sprint out of her office to work an issue on the floor, one or more of her workers could take over processing paperwork on the network as her.
Obviously, this wasn’t allowed by company policy: one user, one set of credentials. No one was allowed to log in as anyone but themselves. By policy, divulging one’s user ID and password to anyone else triggered immediate termination. Unfortunately, the company was neither organised for or emotionally ready to enforce their own policy.
According to Pablo, the company’s entire “IT department” consisted of a half-dozen contractors at an Eastern European call centre. When you called their “help desk,” these well-meaning fellows would run their official troubleshooting scripts, fail to solve anything, and then dispatch a work ticket to the one IT worker stationed at each facility. That poor grunt had no admin rights and couldn’t do much beyond rebooting PCs and checking cable connections.
Making things worse, Pablo’s company doesn’t seem to have a cybersecurity function. There’s no reporting phone number or email address for security incidents. No one to contact about policy violations or suspicious activity. As such, the entire site had been aware of Bob’s transgressions, yet no one did anything about them. How could they? For that matter, what was the point in trying to report her if the company had no one capable of taking corrective action?
This where that pernicious myth I mentioned comes in: let’s imagine an alternate universe where Pablo’s company had a fully operational cybersecurity department with a mature insider threat program. Had they bought into the myth that their surveillance targets were all the disgruntled employees, they would never have caught Bob. For all her faults, Bob was neverdisgruntled. Quite the contrary, she seemed to love her job and threw herself bodily into every crisis with admirable (if ill-advised) gusto. She was what we call a “non-malicious insider” … someone that doesn’t intend to cause any harm yet still creates harm through their inappropriate behaviour.
This example illustrates why a good insider threat program needs to monitor all user behaviour. Not to “punish” people or act like the Stasi, but to swiftly detect and correct non-malicious mistakes like Bob’s before those mistakes can be exploited by criminals. A simple scan for user logons outside of assigned shift hours would have picked up Bob’s staff using her credentials from multiple PCs at the same time and at all hours of the day and night … something that obviously can’t happen unless those credentials have been shared (in violation of policy).
In its own way, Bob’s story is a bit tragic. She clearly wanted to succeed as the site’s third shift supervisor but was woefully unprepared for the job. She needed training, mentoring, and supervision to help her find her feet. A good boss could have set her straight after each of her mistakes, helping to channel her enthusiasm into good work habits. Instead, Bob was left to make her own mistakes without corrective feedback until the company had enough and gave her the boot. What a waste …
What’s really ironic about the whole story is that Bob’s termination might well have caused a bunch of her former workers to become disgruntled. Management’s inept handling of the shift and the sacking of their leader will surely have a demoralizing effect on the surviving workers. They’ve now seen a direct correlation between enthusiastic, earnest leadership and excessively harsh management punishment. Why didn’t their former boss get the support and attention that she needed to grow into her role? More importantly, if Bob got sacked out of the blue, what hope do the line workers have of avoiding a random, vindictive redundancy?
That’s the last missing component of a good insider threat program: don’t create new insider threats through your corrective actions! A strong program should constantly communicate with the user population. When someone is found to have made a mistake, security should use it as a teaching moment. Explain what happened, why it happened, what should have been done, and why the correct process is necessary. Understanding leads to confidence, and confidence inspires action. Empower your users not only to perform their tasks correctly, but also to speak up when they see someone acting incorrectly. Encourage peer accountability and give your workers a hotline for when on-the-spot corrective isn’t possible.
An insider threat program must focus on improving both individual and collective behaviour, else it’s just a box-checking exercise for the auditors. Any program that ignores rampant violations until and unless a worker crosses some arbitrary point-of-no-return is worse than useless.
[1] Not his real name, as always.
[2] Not her real name either. Y’all know how this works.
[3] No, I do not apologize!
Pop Culture Allusion: none this week
