Sergey Ozhegov, CEO at SearchInform
Insider attacks – personal and confidential information leaks – are the most concealed and least discovered among cybercrimes.
Insider threats can be:
Situational: new employees have an opportunity to steal, their moral principles allow them to do it and they commit fraud. Specialists who have been working in a company for a long time one day might think that they are underrated. By stealing they try to make up for what they’ve been undeservedly deprived of.
Information security officers of our client - building materials wholesale supplier – intercepted statutory documentation with the help of the DLP system. It was revealed that the documents were used by Deputy Commercial Director: for two months he had been confronting top management of the company after which he decided to launch his own business. InfoSec officers prevented sensitive data leak but there were losses anyway. The ex-deputy director had enough time to persuade some employees to join him.
Planned: industrial espionage is a popular subject of movie scripts and books. Sometimes employees might leak information to get revenge on someone. Their schemes are elaborate, every detail of the strategy is considered, they know all the traps and security policies.
An incident happened at the bakery. A newly employed specialist got a job in a company to access corporate assets and obtain information on contractors. If competitors received the data the enterprise would be seriously damaged – the number of clients would decrease and the financial loss for the year would amount to $20 000.
People going undercover are not necessarily movie characters or employees who just got hired. Top management might become an antihero. In 2018 a South African branch of British American Tobacco was put under investigation. The directors of BAT SA got accused of industrial espionage, money laundering and bribery of government officials. The management of the branch became subject to monitoring conducted by UK Serious Fraud Office and EU anti-corruption unit in 2017. In summer, 2017, a former employee of British American Tobacco informed UK authorities of Kenya, Burundi, Rwanda and Comoros governments being bribed by BAT. The company’s execs were trying to get insider information which included the strategies of their competitors and details which would help BAT SA make local tobacco control laws work for them. BAT managers cooperated with law enforcement and state intelligence agents to harm local cigarette manufacturers. Forensic Security Services, BAT SA’s former security service provider, facilitated spying on other companies.
BAT SA directors allowed FSS to access secret bank accounts and gave them limitless resources to keep track of local companies’ business and undermine their efficiency. Limitless resources included the police, state intelligence agents, CCTV cameras. The unhealthy competition went far beyond legality. Not only local companies’ strategies were monitored, the families of those who were involved got under control.
So how do you know there’s an insider?
There’s hardly a moment good enough to tell to someone’s face that he or she is an insider. But there are typical behavioural aspects that can be noticed and taken into consideration. Potential scammers will surely show their propensity sooner or later.
It’s not that difficult to detect employees who are ready to commit fraud – you should examine their moral values, decisions they take, the capability of self-regulation, their attitude towards colleagues, work, money and laws.
According to Roger Martin, business might pressure humans significantly making them act against norms of healthy society – morality standards are corroded gradually. People get used to live a lie, believe in one thing and do the other. They understand that long-term rapport with clients is important but behave as if there’s only a quarterly report they work for.
Francesca Gino, Lisa D. Ordóñez and David Welsh have done some research on unethical behaviour becoming a habit. The conclusion was made that “the assumption that unethical workplace behaviour is the product of a few bad apples has blinded many organizations to the fact that we all can be negatively influenced by situational forces, even when we care a great deal about honesty. Yet approaches to warding off the slippery-slope problem need not to be drastic”.
HR departments conduct tests using special software which analyze data automatically facilitating data processing.
There’s an algorithm a company may follow:
- HR department conducts tests when employing new staff/during regular attestation
- Test results go to information security service
- InfoSec officer detects potential insiders among employees
- If an employee is an owner of some type representing a risk group, the priority control should be administered
What else can be done?
- Think of the specialists or departments you consider the riskiest when it comes to compromising info security: those who work with sensitive data, personal data, trade secret documents and so on
- Introduce some regulations, normative documents which would include all do’s and don’ts when working with confidential information
- Define the job requirements: which competences HRs would and wouldn’t like this or that specialist to have
- Select some methods or techniques for analyzing moral and psychological attributes
- Take preventive measures: use solutions to be aware of info leakage before it happens (DLP systems)
- Implement information security policies and monitor unauthorized use of confidential data. Inform your colleagues – this will raise the awareness among employees and keep them from data theft
- Remember to conduct explanatory work: there are no security policies which will save you all the troubles, only specialists who use them correctly and configure properly can help you to avoid reputational and financial loss
- Remember to keep track of warning moments: incidents are caused by insider malicious motivation the signs of which can be discovered before the event happens
- Employees can be persuaded by their colleagues to do something wrong. This often happens when employees get demoted or consider themselves underrated
- Top management, HR department and info security officers should be informed every time an employee or an ex-employee accesses critical data, downloads it and so on
Following these steps you can guard yourself and your company against potential insiders turning into violators. Thanks to risk group guide you will learn how to keep track of employee activity and detect atypical behavior within the team.
By Sergey Ozhegov, CEO at SearchInform