The changing face of Insider Risk: how to counter today and in the future
The issue of insider risk is an extremely complex one and there could potentially be many shades of grey involved. Insider Risk cannot be looked at in isolation, and in many ways, it reflects the issues which impact on our wider society.
When I first started working in the field of personnel security and insider risk, I had a relatively simplistic view: Organisation = Good, Insider = Bad! Since then, I have developed a broader view.
Are all insiders bad?
For me, a key revelation was that insiders who act illegally or against the organisation need not always be ‘bad people’. While there will always be malicious or hostile insiders, who aim to commit some form of criminal act to the detriment of their organisation, other insiders may not have such a hostile intention. Instead, they may simply fail to follow recommended security practices, thereby creating security vulnerabilities for the organisation. These actions could have the same critical impact as the actions of a malicious insider.
Additionally, the creation of a vulnerability could be the fault of the organisation itself, if it fails to properly train and educate its staff on how to protect both themselves and their workplace.
What about the whistle-blower?
One of my favourite films is ‘The Insider’, strangely enough! The film addresses the issue of an insider from a totally different viewpoint. The main character, Jeffrey Wigand, was an American biochemist who worked for a tobacco company in the 1990s. He found the company was adulterating its tobacco blend with carcinogenic chemicals that increased the nicotine effect in the cigarette smoke. When he tried to challenge this practice, Wigand was fired. He then went public and became one of the most high-profile whistle-blowers of his time.
At their most basic level, whistle-blowers are individuals who disclose wrongdoings such as criminal activity, health and safety breaches, or miscarriages of justice at their work which affect others, including the general public. In the above case the organisation, or individuals within it, could be viewed as ‘bad’, and the whistle-blower as ‘good’. However, it is equally important to ensure that the whistle-blower is not seeking to maliciously blame other colleagues due to personal grievances.
What has changed about insiders and their motivations?
During the Second World War and Cold War, many insiders such as Julius Rosenberg, Klaus Fuchs, and the ‘Cambridge Five’ betrayed their countries for arguably ideological reasons. Nowadays, I believe some of the motivations may have changed, and insiders do not operate separately from the environment they live and work within. In our current financial and cost-of-living crisis, this could potentially make financial motivation more prevalent in insider activity, at both a micro and macro level.
In the last century, technological advances have dramatically increased the impact of espionage-based insider activity. Where documents were once photographed, photocopied, or hidden in microdots, gigabytes or terabytes of data containing millions of documents or records can now be stolen. The NSA believes that in 2013 one of its contractors, Edward Snowden, stole/leaked an alleged 1.7 million documents. These documents contained highly classified data and information about NSA tradecraft.
Espionage by insiders is not necessarily limited to the state-sponsored variety. It can also include commercial espionage. Intellectual property and innovative solutions can be worth billions of pounds and, rather than spend vast sums on research, unscrupulous organisations/countries will seek to gain these products through espionage and insider attacks. A survey of 3,317 employees in six countries, commissioned by Symantec, found that approximately half of these employees took confidential company data with them on leaving, and 40% of those who took data planned to use it to help them get a new job.
In 2021, Forrester Research predicted that 33% of data breaches would be caused by insider incidents. Put in context, if you have been an employee, have you ever been tempted to download documents or data you have been working on, when you leave the company?
The arrival of COVID and homeworking has had a huge impact on the ease and accessibility with which insider activity can be carried out. Outside a secure office environment, employees have had to work remotely or from a home environment. This presents a number of physical and technological security challenges. In addition, the psychological impact of working in relative isolation can leave some employees feeling isolated and disengaged from their organisation. This can lead to disaffection, leaving them vulnerable to outside influence by hostiles.
How can we mitigate the risks from insider activity?
There are some basic actions that can be taken, including providing greater insider awareness and training for all employees and management, understanding how to respond to insider incidents, and ensuring that vulnerable employees are supported to prevent them becoming an insider risk. These people-based approaches can be used to support existing technological solutions. Hopefully, through a greater understanding of the risk and the adoption of such an integrated approach, organisations will be able to counter existing and future insider threats.
Dr David BaMaung CSyP FSyI
Security Institute