15 April 2017

Insider Threat: Duty of Care in the Workplace...

The summer of 2017 is approaching and soon thereafter the world will view the new documentary film "Risk" by Laura Poitras, about Wikileaks founder Julian Assange.  This week in Washington, DC, the CIA characterized Wikileaks as a "non-state hostile intelligence service".

Almost the same day, another case of insider threat was unveiled by the US Attorney for the Southern District of New York.  The alleged theft of proprietary trading code for a trading platform from a financial services firm by a software engineer named Dmitry Sazonov will not be the last case in 2017.

The ongoing theft of trade secrets and proprietary data from both private organizations and our governments remains a global epidemic.  Operational Risk Management professionals continue to expend a tremendous amount of effort to address the growing plague.  Insider threats as a whole, and the theft of trade secrets in particular, remain a significant challenge for CISOs, Chief Privacy Officers and Human Resources executives.

Whether the incident involves the lone software engineer, the contractor analyst, or a disgruntled employee does not matter.  They are all motivated, for different reasons, to carry out their actions as a "Trusted Insider".  Mark Pomerleau explains that technology alone may not be the answer:

Insider threats have disclosed and improperly removed troves of sensitive information from government networks that compromise secrets and highly secretive security programs. While various technical and cyber-enabled monitoring tools have been applied to prevent such actions, the intelligence community’s top counterintelligence officer believes understanding the human element is the most important component.

“The mind of the insider threat: That is what I believe to be the critical component of stopping, if we can,” the individual that wants to be nefarious and do malicious behavior, said William Evanina, the national counterintelligence executive within the Office of the Director of National Intelligence.


All the technology and software for continuous monitoring will not be able to eliminate this kind of "Insider Threat".  It is, however, a key component, no different from any other layer in a layered-defense risk management system.  Sometimes it just comes down to good management practices from one person to another.

The education of mid-tier management is imperative if this layer of defense in the enterprise is going to work effectively.  Observing firsthand a fellow employee's behavior in the workplace, or after hours in social settings, could be the "Early Warning System" each organization has been seeking for decades.

The learning and education associated with elevating management's understanding of counterproductive work behaviors, and of their policy implications in the workplace, is vital.  A malicious insider who is trusted in the workplace environment may be operating there for years.  What are some of the key areas of observable behavior?
  • Production Deviance:  Poor attendance, poor quality of work, misuse of resources and time
  • Property Deviance:  Destruction of property, misuse of information and theft
  • Indirect Aggression:  Unsafe behaviors, politically deviant behaviors
  • Direct Aggression:  Inappropriate verbal or physical behavior
Source:  Assessing The Mind of the Malicious Insider, White Paper - Security Policy Reform Council - INSA - Insider Threat Subcommittee

"Introducing sophisticated new tools and effective monitoring immediately raises a host of questions that require further discussion to assess how best to incorporate them in Continuous Evaluation programs. These include how to balance privacy and security, assess the impact on workplace morale, determine the triggers for undertaking additional monitoring and action, and incorporate oversight and protections for civil liberties."

The 21st-century organization, with flexible work schedules, telecommuting, work-from-home policies and the use of cloud computing, will accelerate the "Insider Threat".  The naive enterprise that perpetually operates without a comprehensive education and continuous learning program in place does so at its own peril.

Simultaneously, the organization should use the corporate governance tools known for years as the Office of Professional Responsibility and the Employee Assistance Program (EAP), along with emerging capabilities such as Ginger.io.

You have an opportunity to protect your organization's intellectual property and trade secrets while safeguarding the privacy and civil liberties of your employees.  Wikileaks or some other entity will exist for years to come.  Your particular "Trusted Insider" will not be the last person to steal proprietary or classified information, or to be the perpetrator of workplace violence.

As a senior executive in your organization, your "TrustDecisions" will make the Duty of Care difference...
