IT leaders have known for years that their own coworkers may turn out to be their worst enemies, but identifying the potential rogue actors isn’t easy. Unless, of course, you learn to watch out for certain personality traits the way a network monitoring solution might look for malware.
At an event focusing on insider threats hosted by the Conference Board of Canada earlier this year, Dr. Eric Shaw of the consulting firm Stroz Friedberg presented elements of a cumulative risk model to stay one step ahead of such problems. After years of working on several cybersecurity investigations, Shaw noted that those who might become an insider threat tend to share a number of attributes. These include sensitivity to criticism, an unusual need for attention, revenge fantasies and chronic frustration at feeling unappreciated.
“They can’t let go of a grievance. They ruminate,” he said, noting that in some cases, a certain amount of narcissism and drive can help employees thrive in certain roles, but not if those traits are taken to an extreme. “You need them to be able to handle massive amounts of data and need that obsession to detail, but not so much they might go over the edge.”
Of course there are other indicators that might suggest an employee could pose such risks — illnesses such as alcoholism, for example — but organizations can’t legally screen for them, Shaw noted. Social network ties may also indicate danger, if employees are in touch with people who are potential adversaries or have an interest in competitors. When privacy settings are managed on social networks, however, those ties would be invisible to HR departments.
Shaw suggested companies increase their potential risk from insider threats when their culture allows security policy violations to slip through the cracks. “There may be more of a sense you can get away with something if you come from an organization where rules aren’t taken seriously,” he pointed out. “It could be as simple as a refusal to comply with information requests.”
It may not take a behavioral psychologist of Shaw’s calibre to know the biggest trigger for insider threats, of course: when companies carry out an abrupt termination without consideration of blowback.
“If you mistreat them, no matter what they’ve done, you’re setting yourself up for a bad situation,” he said. “There’s a way to ease people out, to avoid potential problems.”
Obviously the biggest insider threats in many firms would be those working close to IT systems. But in areas like the help desk, Shaw said, contact with other employees or executives may be limited and therefore their disgruntlement is not known. “The employee simply withdraws, and you see a maladaptive organizational response,” Shaw said.
All this means CSOs, CISOs and CIOs may need to spend as much time thinking about the human factors that threaten corporate data as they do about the technology. In fact, the Information Security Group’s “Insider Threat Spotlight Report” surveyed 500 cybersecurity professionals, 62 percent of whom said the problem has gotten worse in the past year.