Derailment: how to stop malicious insiders?

It took twenty years for Robert Hanssen to be discovered, when he was doing his final dead drop. He left important intelligence under a bridge for the Russians to pick up. No doubt he was one of the most highly capable double spies in US history. He had been spying for three different Soviet and Russian intelligence agencies in the 80s and 90s while working in counterintelligence for the FBI. At one point he even led the investigation against himself when the FBI got suspicious of a mole. Hanssen was also one of the first ‘moles’ or ‘insiders’ who used some basic hacking techniques to obtain information from the FBI computers. He caused unprecedented damage to the FBI, its operations and its people. Before his arrest, the FBI’s security program was based on trust. Pre-employment screenings were limited and in-employment screenings non-existent. This incident raised the awareness that simply trusting people with such secrets could not be maintained. It required a new vision on managing insider risks.

The internet fundamentally changed the problem of ‘insiders’

Fast forward to this day and age: computers are fully intertwined with our lives, and the internet has changed insider risks on all levels. This includes our responses to minimize the risk. Part of our world has moved from the physical to the online space. The majority of organizations have become totally digitalized and the internet is being used for distribution. So have we, including our behaviours, our work life (working from the cloud) and our private life (Facebook), and both lives have become intertwined. Access to and availability of information is now heavily facilitated by the internet, and all at very high speed. The flip side of this is the increased vulnerability to information leaks. Chelsea Manning and Edward Snowden have demonstrated the vast amount of information that can be taken from even the most secured agencies in the world, and they were also able to achieve a global reach by distributing this information via the internet at great speed. The impact has, hence, been gigantic.

Insider versus whistle blower

Both Manning and Snowden instigated and even polarized the debate between whistle-blowing and being an ‘insider’. To a certain extent this poses the question of who actually ‘derailed’: the person, the organization or even the institution of government. Their cases make an important point: whatever label it has, there is always a responsibility of an organization to uphold strong ethical standards and to have proper processes, procedures and care for the employee to promote and uphold a healthy culture of trust. At the same time this organizational ‘health’ and care for the employee means that there needs to be a good understanding of indicators of ‘derailing’ employees. And here’s the good news: people don’t derail instantly. Case upon case has shown it’s a gradual process in which the environment plays its part and, thus, is also part of the solution.

Roads to derailment

Debates about right or wrong, insider or whistle-blower have often clouded similarities between people accused of espionage, theft of intellectual property, sabotage or acts of violence. Perhaps surprisingly, there are clear commonalities in disgruntled individuals in their predispositions, motivation, experiences and interactions with their environment.

Understanding there is a pathway is understanding there are options for prevention, detection and early response. The “critical pathway to insider violations” (Shaw and Sellers) explains there’s a pattern with cumulative risk factors, but also that there’s a role for the environment to mitigate the risk. So why is this important to know?

Solutions require a comprehensive effort in technology, processes but especially people

Depending on risk profile and risk appetite, companies are offering technological solutions to organizations to gain a better understanding of employee online behaviour and to intervene early if employees cross ethical and organizational boundaries. Nowadays all activity is online and the risks have also moved to the online space. However, the pathway explains this can never be a standalone solution, nor a starting point for a solution. The ‘why’ comes first. Why is such a solution needed? This comes down to first and foremost understanding organizational, system and employee risks. As a consequence, proportionate actions can and should be taken to maintain a safe working environment for all, with respect for company culture.

The pathway or road to derailment also indicates the need for comprehensive action. Action and due care towards the employee every step of his/her way: from recruitment towards end of employment or even longer. Actions towards the organization internally include the mentioned risk assessments, policies and controls, detection, incident and response mechanisms, governance and living by the book. Practicing what you preach!

No quick fixes!

There is no one quick fix, but there are good steps to take that will improve organizational strength to manage such risks, both on the technical as well as the non-technical side. Digitalization requires a more systematic approach for systems to be built and operated to detect early warning signals. However, we don’t just live and work online; we are still physically present somewhere as well, and hopefully interacting too! Oftentimes, your employees are said to be your weakness, but let them be your strength in detecting odd, off-the-mark behaviours. Not even because they could be derailing, but because you care for each other’s wellbeing. When you get to work tomorrow, try to be aware of your colleagues’ personal and professional stressors and what can be done about them!

Eventbrite - UK-NL Cyber Security Showcase 2017
