What is an insider threat? An insider threat is a threat to an organization that comes from people within the organization. Insider threats can cost an organization a great deal of money in damages, fines, and legal fees. Insider threats can occur when employees or privileged users leave doors to a secured facility open, allowing others to piggyback on their access; leave their computer screens unlocked; leave usernames and passwords exposed; or do almost anything else that allows a "bad guy" to compromise the system through the network or through physical security. Insider threats usually arise through personal negligence, poor or inadequate security practices, or a combination of both. Employee morale also has the potential to play a significant role in how well employees and users protect against insider threats.
Target had a major security breach in 2013, and it can be classified as a textbook example of negligence and insider threat. In the unlikely event that someone is not aware of Target's massive security breach in 2013, I will provide a brief synopsis of the incident. Target had to spend about 18 million dollars to resolve the investigations of the cyber-attack, which affected over 40 million customer payment card accounts. The investigation into the cyber-attack determined that hackers gained access to the company's computer gateway using credentials stolen from a third-party vendor. Incidents such as this stress the importance of implementing least privilege within organizations, two-factor authentication, quarterly security assessments, and segregation of systems and duties.
Users with elevated privileges are exposed to system designs and privileged servers and have the ability to download software as they see fit. Many times, a user needs elevated privilege to perform only one task on their computer, but because of a system administrator's laziness the user is granted full administrative rights to the system. Administrative rights or other elevated privileges are given to users for various reasons, but generally the issuer does not require training, which is wrong. Comprehensive annual information security training should be a requirement for all employees, but I have often found that employees go through the motions of completing the training because it is a requirement and do not really care how their actions could affect the health of the organization. Separate quarterly training should also be required of any user who holds elevated privileges, as a condition of keeping those privileges. Insider threats should be discussed in all information security training, regardless of the user's title. Once an employee has been through this training, any blatant disregard for company policy requirements could result in the termination of the employee.
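The paragraph above describes the common failure of granting full administrative rights to a user who was approved for a single task. As an added illustration (not part of the original essay), the following script audits a constructed sudoers fragment against an assumed record of the one command each account was approved for, flags any rule that grants unrestricted `ALL`, and proposes the least-privilege rule that would cover the approved task. The sudoers text, the `APPROVED_TASKS` mapping, and all account names are constructed sample data.

```python
import re

# Constructed sample sudoers fragment (not from any real system).
SUDOERS = """
# alice only needs to restart the web service, but was given everything
alice   ALL=(ALL:ALL) ALL
# bob was correctly granted the single command he needs
bob     ALL=(root) /usr/bin/systemctl restart nginx
%wheel  ALL=(ALL) NOPASSWD: ALL
"""

# Assumed approval record: the one task each account was signed off for.
APPROVED_TASKS = {
    "alice": "/usr/bin/systemctl restart nginx",
    "bob": "/usr/bin/systemctl restart nginx",
}

# principal  host = (runas) command_spec
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


def parse_rules(text):
    """Return (principal, host, runas, command_spec) for each user spec line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            principal, host, runas, cmds = m.groups()
            rules.append((principal, host, runas or "", cmds.strip()))
    return rules


def grants_everything(command_spec):
    """True if any command in the spec is the unrestricted keyword ALL.
    Tag prefixes such as NOPASSWD: are stripped before comparing."""
    return any(part.split(":")[-1].strip() == "ALL"
               for part in command_spec.split(","))


def audit(text, approved):
    """Flag over-privileged rules and propose a least-privilege replacement."""
    findings = []
    for principal, host, runas, cmds in parse_rules(text):
        if not grants_everything(cmds):
            continue
        task = approved.get(principal.lstrip("%"))
        proposed = (f"{principal} {host}=(root) {task}" if task
                    else f"{principal} {host}=(root) <approved command here>")
        findings.append({"principal": principal, "granted": cmds, "proposed": proposed})
    return findings
```

Running `audit(SUDOERS, APPROVED_TASKS)` flags `alice` and `%wheel` while leaving `bob`'s single-command grant alone.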
Aside from training, employees who feel unappreciated or disrespected may display behaviors that violate an organization's policy and demonstrate a blatant disregard for its security posture. Employee morale can make or break an organization by driving low productivity and high turnover. Constant turnover can create holes within an information security program and increase the potential for insider threats.
Supervisors and managers need to create an environment that nourishes the mental health of their employees in order to make them feel appreciated. Small things, such as a simple thank you for a job well done, can make an employee or user of a company's resources take great pride in protecting its security. Making employees passionate about the organization could make them want to take the extra measure to keep the organization's infrastructure secure. Many times, when an employee "acts out" or shows a blatant disregard for the security of the network, it is because they feel that their supervisors or management do not appreciate them. I am not by any means saying that Target's security breach in 2013 was a direct result of employee negligence, nor that they were not treating their employees fairly. I feel as though the CIO and company executives were to blame for the lack of protection and implementation of company policies for the security of their infrastructure and any third-party access to their secure accounts.
However, if managers and/or supervisors cannot remember the last time that they heard their employees laughing, feeling eager to attend work, or volunteering for projects, then management needs to reevaluate their practices.
There are a few things that managers can do to increase the morale of their employees:
- Make employees feel that their work is more than just a requirement to get a paycheck.
Employees want to feel that the work they do is recognized and rewarded. Sometimes something as simple as an email sent to all staff members congratulating an employee for a job well done can mean a great deal to that employee. It also motivates other employees to do well, since they will want the same recognition.
- Take time out of the workday to celebrate the accomplishments of the team.
This gives the team time to reflect on its achievements and also shows respect to the staff members while building trust.
- Offer incentives and time off for employees to pursue assignments that they are passionate about.
Offering activities within the organization, such as Zumba or company talent shows, can give employees an outlet and could make them more productive.
- Cross-train employees
Employees can start to feel bored and unenthused in their jobs, especially if they have been doing the same thing for years. Granting employees the opportunity to learn a new skill could increase their morale.
When employees and users feel appreciated, they are able to deliver a better product to their organization, and the risk of insider threats can greatly diminish.