Comments on: The Insidious Insider Threat!

By: Emmanuel Carabott

Emmanuel Carabott — Thu, 14 Jul 2011 10:56:46 +0000

I have to agree with Carter, hoping to keep employees in line by controlling every aspect of their daily activities is likely to make you more insecure than secure because either:

A. People will leave the job forcing the organization to hire frequently and having to lax its standards to quickly fill in the vacant places

B. Angry employees will get an opportunity to pay the company back!

As with everything else, there should be a balance when dealing with security.

By: Carter Rubens

Carter Rubens — Mon, 11 Jul 2011 17:56:14 +0000

@Uninymous – the brute force attack you are suggesting won’t work, unless the employee is real stupid. If the employee is smart enough, he can take the adequate measures. For instance, if you fire an admin, I can bet my life that a smart one will leave numerous backdoors that allow him access.
Trust isn’t useless – it just depends whom you trust. Well, even the best psychologist might be fooled but when you hire crap and hope to control it with brute force, expect lots of damage.

By: Emmanuel Carabott

Emmanuel Carabott — Tue, 05 Jul 2011 09:42:10 +0000

I follow what you’re saying Uninmymous and yes, at some stages you can be proactive. It should be standard practice to limit employees’ internet access when they are fired, access to systems should be revoked immediately and HR should be clear with employees when hiring.

But in other instances you have nothing more than trust to go on really. You cannot fully prevent an employee from missusing what he/she learns while at work. Furthermore, how can you be 100% successful in preventing an employee form learning what he/she shouldn’t during work hours? This can happen in various ways; in this post the employee simply looked at the titles on the CMS system.

Employees might learn information by overhearing a conversation in the cafeteria, catching a glimpse of a printed report on a coworker’s desk, having a conversation with a coworker who isn’t careful with what he/she says, there are even stories of people talking about what I would consider confidential information on social sites! And all this has to do with accidental disclosure; imagine how much worse the situation is when someone gets a job with your organization specifically because s/he believes they can use that job to get insider information!

There are steps you can take to limit the risk, of course, but at some point you just have to trust your employees. The only other option is to assign a person to watch their every move and another person to watch the watcher – an option which is quite impractical and which would probably still not guarantee 100% safety!

This brings us back to what Anthony was saying, if you focus too much on actual control employees will be unhappy and that makes it more likely that they act against the company’s best interest as opposed to happy employees. It’s a case where too much security actually makes you less secure.

By: Uninymous

Uninymous — Tue, 05 Jul 2011 07:08:53 +0000

For me trust is useless for this kind of situation. When it comes to insider threats, both the HR and IT departments should be vigorous and proactive enough to their strategies.

For instance, when an employee is about to leave or resign from the company, the said departments should limit the worker’s access to business documents (both online and offline). At the employee’s last days, the company should not give him or her integral assignments. The HR should make sure the employee is cleared.

By: Emmanuel Carabott

Emmanuel Carabott — Fri, 01 Jul 2011 08:32:50 +0000

You’re right Anthony in that it is impossible to completely eliminate the problem. All you can do is try to mitigate it and reduce the risk as much as possible and have controls in place to detect breaches as early as possible.

By: Anthony Lanzano

Anthony Lanzano — Fri, 01 Jul 2011 00:41:50 +0000

It is certainly true that happy employees will probably not engage in such outside activities, mostly out of fear for losing their job. Of course, if you hire in somebody who on the outset is trying to run such an operation, there isn’t much you can do. Definitely a tricky situation but keeping your security tight and open dialogue between IT, management, and employees, things like this can hopefully be spotted early.