The New Insider Threat: Signs to Look for Before Good People Go Bad
As you walk back to your office, you suddenly wonder whether he might take the next step from mere words to potentially serious actions. You know he's a good guy, but you start to question his intent, and the ramifications for your own career if an insider incident were to occur on your watch.
Your mind shifts to Bradley Manning, the Army intelligence analyst who allegedly leaked 250,000 diplomatic cables to WikiLeaks, in the belief that he acted in the nation's good. Could your colleague be angry enough to leak your organization's sensitive data out of a conviction that he's doing good? How can you tell, and what should you do?
How can you recognize the intent of your colleague and perhaps prevent him from becoming a true insider threat?
This is a new type of insider threat. Unlike the traditional insider, who knowingly commits crimes, this new type harbors the illusion that his or her actions will serve a greater good. And yet the end result is no different: it's a data breach.
What do you do?
"Unfortunately, there is no single sign or a simple checklist to follow," says Shelley Kirkpatrick, behavioral and security expert at Management Concepts, a leadership training company. "Human behavior is complex, and there is no guarantee."
Still, Kirkpatrick suggests you look for three traits that are typical red flags:
- Intent: Employees on the edge usually need to communicate their purpose and look for a sounding board to let others know what they are seeking. Leaders should have their ears open when they hear employees talk or threaten to do something. They should always treat this talk seriously.
- Past behavior: The best predictors of the future are past activities and experience. If employees have a track record of engaging in something inappropriate, chances are very high that they will repeat that activity in the future. In Manning's case, he was a hacker when he enlisted.
- Commitment to another cause: In cases such as Manning's, the action is often dictated by a belief in ideals and values far different from the person's commitment to the job. Such employees act in accordance with their values and have the desire to express their beliefs. Again, leaders need to pay attention to these details. Manning was seeking a change in the government, and he acted accordingly, risking his job.
Kirkpatrick also recommends adopting a comprehensive, team-based security policy. Establish a culture where it is OK for employees to go to their supervisors and say, "Can you tell me what so and so is downloading during lunch hour behind closed doors?"
The policy needs to include a proper reporting structure so that employees can discuss these issues openly. Another key element is a supportive culture, which helps employees understand that by raising red flags they are not necessarily harming their friend's career, but instead helping the organization.
Equally important is training leaders in ethics and interpersonal communication, focused on areas such as rapport building, the ability to hold discussions with team members, and emotional intelligence, which enhances a leader's capacity to relate to employees and understand human behavior.
What is your experience in these matters? How should information security leaders be prepared to spot these grey areas and prevent breaches that cost their organizations - or even their careers?