Insider threat programmes are difficult enough to run under the best of circumstances, since programme stakeholders often have wildly different visions of who should be considered an “insider threat.” On the one hand, Human Resources types are loath to label anyone other than the most blatantly disgruntled employee as such, while security departments often consider everyone with a slack attitude towards compliance as worthy of consideration. As in most security activities, the truth lies somewhere in the middle of these opposing perspectives.
Take, for example, Arturo’s story. I met Arturo years ago through a mutual friend. We bump into one another every time our mutual hosts an event. We’ll catch up, trading funny office stories, since our work lives are similar. Arturo works as a process administrator for a large corporation by day and ghost writes on the weekends. That alone gives us plenty of common topics to chat about. His commissions, my columns, etc.
This last Saturday, I ran into Arturo at a 4th of July event where we chatted for fifteen minutes or so. Arturo told me he planned to bail out of his current corporate role as soon as possible.
“It’s hopeless now,” Arturo said. “Our site has missed all of our financial targets every month for six months straight … which of course tanked our quarterly targets. What’s crazy is that instead of fixing our broken processes, management keeps increasing our production goals as if the additional ‘challenge’ will somehow straighten everything out.
“It’s not just our site either,” he said. “From what we’ve heard, all of our sister sites around the country are failing right along with us. It’s obvious that there’s no way the company overall can meet these ridiculous new financial targets, so people have given up trying.”
I empathized and asked what he planned to do. Arturo has been with his employer for several years and seems to have earned a good reputation there.
“I’m freshening my résumé and am planning to apply for work at a lot of different companies,” he said. “It’s easier to get a job when you already have a job. So, I need to lock in my next move now before the inevitable layoffs and site closures start.”
I agreed, having been laid off a few times myself. It’s best to change employers on your own terms (if you can), if only to avoid a gap in health insurance coverage.
Arturo joked that he hoped his company’s economic difficulties would continue. “It’s been slow around the office,” he said. “If it gets any slower, I can start working on my job applications from the office and no one will notice. The rest of my team will probably be doing the same thing anyway so no one will complain.”
Just based on what I’ve shared about him, would you consider Arturo to be a potential “insider threat”? He’s not malicious. He doesn’t want to actively hurt anyone. That said, I argue that he qualifies.
Arturo and his fellow pessimists in his organisation have lost faith in their leadership chain. They believe that their company is struggling to function across the board. They have many solvable problems that would help improve productivity if addressed, but management doesn’t seem interested in fixing anything. Instead, their management seems to be doubling down on an obviously failed gambit. This has corroded the workers’ confidence.
Additionally, from Arturo’s perspective, it seems that management doesn’t care whether the workers have safe, productive working conditions or not. So, if management doesn’t care, why should they? Why should he stay emotionally invested in the company’s future if management has been repeatedly warned about the proverbial iceberg in their path and has run the engines up to full instead of attempting to turn?
Arturo’s emotional disengagement might not be as strong a motivator as revenge, greed, or spite, but it’s still a perfectly adequate motivator for him to bypass, corrupt, or ignore the correct and consistent execution of mandatory security controls. If his company’s going to fail anyway, why waste time doing things the “right” way when convenient shortcuts will free up more time to address important tasks … like applying for work at a better company? Tasks that really matter to him and his co-workers …
Arturo’s attitude makes perfect sense. From a strictly individual perspective, Arturo and his teammates need to do what’s best for themselves and their families. They need steady paying work to stay housed, fed, and covered by health insurance. Arturo isn’t wealthy; he can’t live off his savings or investments. Arturo is motivated by survival … and when the threat of unemployment looms in America, the genial expectations of office propriety tend to be the first social expectations jettisoned overboard.
That’s a very bad thing for Arturo’s company. As he and his peers stop trying to live up to company expectations and instead focus on their own individual needs, their security behaviour will become progressively sloppier until a preventable breach is all but assured. This probability is nearly guaranteed when their local line managers are just as emotionally disengaged, thereby no longer enforcing standards of conduct.
Can anything be done about this? Probably, yes, but that’s a topic for another column. I want to stay focused on my opening point: should Arturo be considered an “insider threat”? I say that he should. Arturo’s not a bad person in any way. He works hard, he wants his company to succeed, and he doesn’t want to hurt anyone. You’d think he’d be an ideal employee … and you’d be right.
I submit that even the best employees become insider threats when working conditions become so strained that workers feel their organisation and management chain simply no longer care … about them, about their work, or about their future. Anyone can become an insider threat once they’re no longer motivated to fulfil their personal responsibilities. Malice isn’t required; a non-malicious insider threat can still do plenty of damage simply through indifference.
The obvious need to search for such precursor actions is complicated by the fact that internal surveillance is a deeply disquieting notion for most companies. That makes perfect sense. No one likes the idea of having a faceless stranger reading all your emails and listening in on all your Zoom meetings. It feels like an invasion of privacy no matter what the company’s Acceptable Use Policy says. Just the thought of being constantly watched feels like our employer doesn’t trust us, which actively degrades morale and workforce cohesion.
So, the act of looking for budding insider threats – especially the non-malicious types – is both disquieting and has the potential to create a new insider threat where none need exist. On the other hand, taking a hands-off approach and waiting for an obvious and indisputable insider threat to manifest facilitates preventable breaches by failing to spot and act on early warning signs. Both sides of the argument have their merits.
This conundrum poses a difficult challenge: it’s one thing to ask your users to report suspicious or disruptive behaviour. How does your security team identify possible non-malicious insider threats like Arturo and his office mates in time to take pre-emptive mitigating action? Perhaps more importantly, how will you convince your more conservative key stakeholders to let you monitor and interdict people who don’t fit the classic “angry disgruntled worker” profile?
I have yet to see a “right” answer to this. That said, I think it’s a vital argument to have in every organisation. Your company is going to be judged harshly for what you might have done differently after every breach. Best to consider all the factors, decide your moral position ahead of time, and be prepared to defend it. At least then you can honestly say you were running your insider threat programme based on your principles.