Organizations in many ways contribute to the misconduct of their own employees.
The contribution ranges from not wanting to lose a star player who sometimes does things they shouldn't, to not monitoring who is accessing what and whether those accesses are part of the person's job duties.
Beyond that inattention to what employees are doing, the CERT Systems Dynamics Workshop identified other organizational factors that contribute to insider theft and insider damage to systems. Those additional factors include:
- Giving star players free rein out of fear of losing them.
- Ignorance (either deliberate or due to naiveté) of the indicators of insider threat.
- Disregard for information security best practices.
- Poor human resource practices with respect to pre-hire screening of employees, ongoing monitoring of employees, and provision of facilities to help employees deal with personal problems (e.g., employee assistance programs, AKA EAPs).
- Lack of training and education of employees on the reliance and trust that the company places in their job performance.
- Lack of training and education of employees on the consequences of violating that trust, e.g., prosecution.
- The tendency of organizations not to report the problem or seek legal remedy, for fear of damage to their reputation, which means nothing deters the next insider attack.
Many of us have worked in organizations that really did not pay attention to what we were doing or why we were doing it. Often we find it easier to just go do something and ask for forgiveness later if it all goes south.
These kinds of work habits should give management a clear indication that they have employees who are not going to abide by company policy, or that company policy is weak or non-existent when it comes to dealing with rogue employees. Given the statistics on the insider threat published at Dark Reading, even partial complicity by the company can expose it to negative press and to the economic or legal consequences of having a rogue insider.
Many of us want to trust our employees, but not everyone is equally trustworthy. Bernie Ebbers of WorldCom fame was a churchgoing, pray-before-company-meetings kind of person, yet still failed to work within an ethical framework that would have allowed WorldCom to survive.
Looking at our information security employees, we need to judge the ethical frameworks they work within, and knowing what they are doing on the job with the accesses they have will help determine whether that framework is suitable for the company.
While no one is going to advocate Big Brother-style surveillance within a company, knowing what employees are up to, and where they are going with the permissions they have, helps management make better decisions about how employees view the company's ethical framework in relation to themselves. This in turn helps companies develop a framework to assess and manage the risks of insider theft and insider crime.
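The check the article keeps returning to is "who is accessing what, and is that access part of their job." The following script is an added example, not code from the article or from CERT: it parses a constructed access log, compares each access against a hypothetical role-entitlement map, and reports accesses that fall outside the user's role, accesses by users with no assigned role, and log lines it could not parse (silently dropped lines are how real gaps in monitoring start). The log format, role names, resource names and user names are all assumptions made for the illustration.

```python
"""Added example: flag accesses that fall outside an employee's role.

The log format, roles, resources and users below are constructed for
illustration; they are not from the article or from any real system.
"""
import re
from collections import Counter

# Assumed log line format: "<iso-timestamp> user=<u> resource=<r> action=<a>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) action=(?P<action>\S+)$"
)

# Hypothetical role -> set of resources that role is entitled to touch.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing", "directory-read"},
    "payroll": {"payroll-db", "directory-read"},
    "sysadmin": {"directory-read", "directory-write", "ticketing", "backup-server"},
}

# Hypothetical employee -> role assignment (what HR says the job is).
EMPLOYEE_ROLES = {"alice": "helpdesk", "bob": "payroll", "carol": "sysadmin"}

# Constructed sample log: two out-of-role reads, one unknown user, one bad line.
SAMPLE_LOG = """
2024-03-04T02:13:00Z user=alice resource=payroll-db action=read
2024-03-04T09:00:12Z user=alice resource=ticketing action=read
2024-03-04T09:05:00Z user=bob resource=payroll-db action=write
2024-03-04T10:30:00Z user=bob resource=backup-server action=read
2024-03-04T11:00:00Z user=mallory resource=directory-read action=read
this line is not in the expected format
""".strip().splitlines()


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_out_of_role_accesses(lines, employee_roles=EMPLOYEE_ROLES,
                              role_entitlements=ROLE_ENTITLEMENTS):
    """Return a list of findings, one per access that needs a human to look at it.

    A finding is the parsed record plus a 'reason' key. Unparseable lines are
    reported too, so that a monitoring gap is visible rather than silent.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"reason": "unparseable log line", "line": line})
            continue
        role = employee_roles.get(rec["user"])
        if role is None:
            rec["reason"] = "user has no assigned role"
            findings.append(rec)
            continue
        if rec["resource"] not in role_entitlements.get(role, set()):
            rec["reason"] = f"resource not in entitlements for role '{role}'"
            findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per user; unparseable lines are bucketed separately."""
    return Counter(f.get("user", "<unparseable>") for f in findings)


if __name__ == "__main__":
    for f in find_out_of_role_accesses(SAMPLE_LOG):
        print(f)
    print(summarize(find_out_of_role_accesses(SAMPLE_LOG)))
```

Run against the constructed log, the script reports alice reading the payroll database at two in the morning, bob reading the backup server, a user (mallory) who does not exist in the role map at all, and the line that could not be parsed. The point is not the toy role map but the shape of the control: accesses are judged against what the job actually requires, and every line that cannot be judged is surfaced rather than discarded.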
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.