Far too often, the crucial flaw that undermines a company’s “insider threat” programme isn’t a lack of technology; it’s insufficient vision. The people running the programme convince themselves that the only potential miscreants they’re searching for are workers with some sort of financial motive: greedy or disgruntled workers who want to steal money, valuable company information, or property. Sure, those are legitimate threats … but greed isn’t the only motivator that compels an otherwise productive employee to commit harmful acts. There are many other character flaws just as corrupting as greed that we should be watching out for in a comprehensive insider threat programme.
Lust, for example. Consider the recent scandal that brought down New York State Governor Andrew Cuomo. This story has dominated front page news in the U.S. lately, competing with out-of-control COVID infections for our attention. Back on the 10th, New York Times reporters Luis Ferré-Sadurní and J. David Goodman summarized the fall of the flamboyant politician:
“The resignation of Mr. Cuomo, 63, a three-term Democrat, came a week after a report from the New York State attorney general concluded that the governor sexually harassed nearly a dozen women, including current and former government workers, by engaging in unwanted touching and making inappropriate comments. The 165-page report also found that Mr. Cuomo and his aides unlawfully retaliated against at least one of the women for making her complaints public and fostered a toxic work environment.”
The New York State Attorney General’s office described the effect that Gov. Cuomo’s reprehensible conduct had on his staff. Page 9, paragraph 1 of the report summarizes his impact thusly: “As [victim] described her interactions with the Governor, ‘[I]t was deeply humiliating on some level. . . . I was really senior and I had worked my whole life to get to a point where I would be taken seriously and I wasn’t being taken seriously and I worked so hard to be some little doll for the Governor of New York, and that was deeply humiliating.’”
Imagine if that had happened to you. Consider how it might have affected your morale, productivity, trust, or commitment to your organisation. If that’s too disturbing, imagine that it happened to your significant other … or parent … or child … or best mate. Yeah. Sexual harassment insider threats can be indescribably corrosive to an organisation’s esprit de corps.
Oddly, many companies tend to consider sexual harassment to be exclusively a Human Resources problem; a subset of the company’s “code of conduct,” to be reported through complaint lines, sorted by supervisors, and solved by a formal disciplinary process. All well and good, except that such a perspective ignores the security ramifications of an offender’s actions.
Security programmes rely on consistent implementation of personal security controls: actions like “use strong and unique passwords” or “keep all security doors shut and locked.” These so-called “security hygiene” behaviours are low-skill practices that everyone must follow all the time. Once people stop following the rules, the rules’ prophylactic effect stops. What good does it do to keep nine out of ten facility doors closed and locked if the tenth is propped open with a cinder block so the smokers can come and go without needing to “badge in”? Many such controls are an all-or-nothing solution.
Universal compliance with basic security behaviours requires far more than just publishing rules. Most companies have ten obscure rules hidden in their doctrine for every rule that their employees actually know. Of the ones that are understood, it’s a constant fight to convince workers to follow them. Simply telling people your rules once a year isn’t compelling in and of itself. Leaders must model correct behaviour, perform immediate on-the-spot corrections of failures, and hold people accountable for repeat violations. Compliance demands unceasing effort.
That said, it’s challenging to get people to comply with burdensome or complicated security processes when they’re demotivated or disgruntled. Even when people know the rules, they’re unmotivated to follow those rules faithfully when they believe their organisation has broken faith with them. By ignoring a sexual harasser in the ranks, for example. By minimizing or refusing to recognize an employee’s trauma. By shielding an abuser rather than following proper process to rein in egregious behaviour. After all, if the company won’t protect them from being groped by a colleague, why should they make any extra effort to protect the company from a hacker?
My empathy is with the victims here. Take Owen S. Good’s article in Polygon titled “Activision Blizzard: How a ‘frat house’ workplace led to a sexual harassment lawsuit.” I want to quote two of Owen’s paragraphs here because – I believe – they tell the entire disgusting story:
“The lawsuit’s allegation of a ‘frat house’ or ‘frat boy’ culture is directed at Blizzard Entertainment. There, DFEH says, women were subjected to ‘cube crawls,’ a kind of office party whereby male employees, who had been drinking, prowled the workplace and subjected women to unwanted advances, lewd behavior, and other sexual harassment. …”
“J. Allen Brack, who until this week was Blizzard Entertainment’s president, allegedly knew of this and other misconduct, but he only gave ‘a slap on the wrist’ to the only offender named in the complaint, former World of Warcraft creative director Alex Afrasiabi. … Brack is also said to have been told in early 2019 that female employees were quitting ‘due to sexual harassment and sexism,’ but, apparently, he did nothing about that.”
A slap on the wrist … for actions that warranted severe disciplinary action, potential termination of employment, and (in my opinion) a thorough public bludgeoning. Living in such a dysfunctional culture, why would anyone in Blizzard’s office bother to follow any basic rules of conduct? When senior leadership turns a blind eye to “cube crawls,” the entire office population might well turn a blind eye to basic security discipline.
This is why security staff need to get involved in preventing, interdicting, and recovering from sexual harassment, assault, and boorish interpersonal conduct problems. HR might do its best to handle the conduct problem (I certainly hope that every HR pro takes this threat seriously!); however, HR isn’t positioned or equipped to address the security behaviour problems that follow each groping incident like the burning oil slick in the wake of a torpedoed freighter.
It’s our job as security professionals to consider the potential behavioural and cultural ramifications of abhorrent misconduct and to take immediate action to adjust our security controls to account for the new, poisoned dynamic between the company and its walking wounded. It’s our mission to change how business is performed until employee trust can be repaired … which will take quite a long time … assuming it can be repaired at all.
We must be actively involved in the recovery process. That, then, necessitates that we’re also involved in the detection process. Even though sexual harassers often aren’t directly violating cyber protocols, they are undermining the effectiveness of every human control that depends on user trust and compliance. Therefore, we in security have a vested interest in finding these fiends early. These people are insider threats, no matter what the academic models might suggest.
Most organisations’ security architecture and process models assume good-faith compliance among the human components. People aren’t robots. If they believe their organisation has failed them and has no intent to right its wrongs, the people will rightly see their employer-employee covenant as fractured and no longer feel bound to hold up their end. Once that happens, no amount of security “education” will make a difference.