Author: Chris Bowen
Chief Privacy and Security Officer and Founder, CISSP, CIPP/US, CIPT
Learning How to Identify Insider Threats
Why I would never hire that ex-Twitter employee:
These are just a few adjectives that come to mind when I reflect on the antics of the now ex-Twitter contractor who, on her last day on the job, decided it would be cute to delete the President’s Twitter account.
I would never hire this employee – not because of her politics, but because of her flexibility on ethical behavior. In fact, my team and I spend considerable time, effort, processes, tooling and expense to try to identify this type of person – preferably before they’re ever hired – and stop them from malicious behavior. We do this to prevent the damage they can do to our company, to our customers, and to our investors. We call these “cowboys” the quintessential “malicious insider” (with all due respect to real cowboys).
These are the people who snoop, click on that email, give up their creds, copy information, steal intellectual property (ask Google about this one), skirt the rules, or generally have a point to prove somewhere to someone. The truth is, the list of characteristics of malicious insiders runs a mile long.
According to the National Cybersecurity and Communications Integration Center, here are a few characteristics of insiders becoming a threat:
- Greed/financial need
- Vulnerability to blackmail
- Compulsive and destructive behavior
- Rebellious, passive aggressive
- Ethical “flexibility”
- Reduced loyalty
- Entitlement – narcissism (ego/self-image)
- Minimizing their mistakes or faults
- Inability to assume responsibility for their actions
- Intolerance of criticism
- Self-perceived value exceeds performance
- Lack of empathy
- Predisposition towards law enforcement
- Pattern of frustration and disappointment
- History of managing crises ineffectively
While employees are your greatest asset, malicious and careless employees and contractors are a real problem.
If you’re as worried about malicious insiders as I am, you should be. They cause a massive amount of damage. According to Tripwire, insider threats were the main security threat in 2017.
Here are a few tips on how to prevent a malicious insider from pulling a “Twitter Exit” on your company:
- Before you hire, thoroughly vet your candidates. This includes rigorous background checks, reference checks, and validation of work history and education claims.
- Try to foster a positive, mission-driven culture, including giving employees and contractors a means to express concerns. That means you really need to sincerely listen to the talent you hire.
- Continually educate your workforce on how to recognize insider threats.
- Understand what levels of access your employees and contractors have to sensitive information and systems. Regularly try to reduce those levels of access where possible. We call this access by least privilege.
- Centralize your access logs and review them on a frequent and regular basis.
- Require identification for all company systems and property. This includes unique accounts, badges, keys, and limited access to sensitive areas.
- Note frequent visits to websites that may indicate low productivity, job discontent and potential legal liabilities (e.g. hate sites, pornography).
- Announce the use of policies that monitor events like unusual network traffic spikes, volume of USB/mobile storage use, volume of off-hour printing activities and inappropriate use of encryption.
There are many other ways to mitigate the insider threat risk, but my recommendation is that you take the time with your management teams to really think through the best way for your organization to identify these risks and reduce the likelihood of them ever materializing. No one size fits all.
My hope for this young, rogue ex-Twitter contractor is that she learns that this kind of behavior should not be tolerated. And for all of those employers out there looking to hire this kind of employee, be careful. And by all means, give me a heads up before we do business!