Rising Risk: The Escalating Menace Of Insider Threats In Small To Medium-Sized Businesses

When considering insider threats, the familiar mental image often involves envisioning an undercover operative or a double agent with a singular objective: The covert extraction of sensitive information from large and technologically advanced corporations. The portrayal of such scenarios in James Bond films effectively establishes the backdrop for this perception.

However, insider threats are much more widespread than many people realise.

While we may think that large organisations are the perfect target for such scenarios, small to medium-sized businesses (SMEs) also suffer the consequences of a breach of trust.

In fact, insider threats pose a serious risk in any business environment, but they can be disastrous for SMEs.

Take the Example of the Largest Municipal Fraud in American History

What happened?

Rita Crundwell stole over $53 million of public funds across two decades in office as the City Comptroller and Treasurer for Dixon, Illinois, a town with a population of just 16,000.

She used the funds to build one of the nation’s leading quarter horse breeding empires and threw lavish parties for community leaders at her home, all while the town endured cuts to public staff, emergency services budgets, and work on maintaining public infrastructure.

In 2012, after a close colleague turned whistleblower finally uncovered her scheme and alerted the Mayor, the FBI arrested Crundwell as the largest municipal fraud perpetrator in American history.

Questions

  • How did Rita Crundwell steal over $37,000 daily from a town with an annual budget of around $6 million?
  • How could such embezzlement go undetected in annual audits by two independent accounting firms and in annual audit reviews by state regulators?
  • How did local residents not become suspicious of Crundwell’s extravagant wealth and frivolous spending?

Feature film

This story has been turned into a feature film called “All the Queen’s Horses”, which tells the story of Rita Crundwell, the perpetrator of the largest case of municipal fraud in American history.

When business owners focus on safeguarding their enterprises, the primary emphasis is frequently placed on countering cybersecurity threats.

Cyberattacks like phishing, social engineering, malware and other direct cyber assaults aimed at compromising the integrity of business computer systems are a vital concern.

However, not all threats originate from outside your organisation. Insider threats are a real security risk, and there are many types that you should be aware of if you want to ensure your business is protected.

This article will examine why SMEs must proactively identify hidden dangers to their business.

What Are Insider Threats?

To start with, let’s define insider threats.

An insider is anyone who has or had authorised access to your business assets. This insider can be your employee, a contractor, a former employee, a trusted third party, a partner or a vendor.

Insider threat can be defined as the potential for an individual who has or had authorised access to an organisation’s assets to use their access, either maliciously or unintentionally, to act in a way that could cause harm to the organisation’s assets.

Types Of Insider Threats

Insider threats can be broken into two groups: malicious and non-malicious.

What distinguishes them is intent: the malicious insider has a motive.

  • Malicious threats are those that intend to cause harm and negatively affect their organisations.
  • Non-malicious (accidental) threats are those people who, through their actions, unknowingly (without intention) cause harm.

Malicious Insider Threats

The principal goals of malicious insider threats include espionage, fraud, intellectual property theft, sabotage and misuse of information. They intentionally abuse their privileged access to steal information or degrade systems for financial, personal and/or malicious reasons.

What motivates people to intentionally cause harm to their organisation? The most simplistic explanation that the community tends to talk about is “MICE”, which can be explained as follows:

  1. M for Money: This refers to individuals motivated by financial gain. Insider threats driven by the desire for monetary rewards may involve theft, fraud, or the unauthorised sale of sensitive information.
  2. I for Ideology: Individuals motivated by ideology are guided by strong beliefs or convictions. Insider threats in this category may arise when employees align themselves with a particular ideology or cause that conflicts with the organisation’s interests.
  3. C for Coercion: Coercion involves using force, threats, or other pressure to compel individuals to act against their will. Insiders may become threats if they are coerced into compromising the organisation’s security.
  4. E for Ego: Ego-driven motivations involve individuals seeking recognition, status, or personal satisfaction. Insider threats with ego motivations may manifest as employees who attempt to prove their capabilities, challenge the system, or seek revenge for perceived slights.

Non-malicious Threats

Although “malicious insider threats” tend to be the subject of newsworthy media stories, most insider incidents are caused accidentally through carelessness, negligence, or ignorant actions.

  • Negligence refers to those who do not take reasonable care or fulfil a duty of care. Such people may disregard safety protocols or rush through their jobs without reasonable care, which can harm themselves or their organisation. For example, someone who clicks on a link or opens a malicious attachment.
  • Carelessness refers to a lack of attention that results in mistakes or accidents. For example, someone who may leave sensitive information lying around.
  • Ignorance refers to someone making poor decisions and failing to follow the rules or guidelines due to a lack of knowledge or awareness about a particular situation.

Common Examples of Unintentional Insider Threats:

  • Clicking on malicious phishing links
  • Opening up malicious attachments
  • Falling for social engineering attacks
  • Sending confidential data to the wrong recipient
  • Ignoring security policies
  • Oversharing personal and confidential information on social media
  • Careless use of USB drives
  • Using easily guessable passwords

What Are The Most Significant Insider Threats Facing SMEs?

While I have outlined the different types of insider threats above, here are some of the more troubling threats that SMEs need to be aware of.

Workplace Embezzlement

Embezzlement is the misuse or theft of company funds or company property: it occurs when funds or resources belonging to a business are misused for personal gain.

There are a variety of ways that an employee or business owner can steal or misappropriate resources. Here are some of them:

  • Stealing money from cash registers – Employees may void the transaction and keep the money for themselves
  • Cashing customer cheques – Employee sets up a bank account in a name similar to the company’s and deposits customer payments into it
  • Overbilling customers – Employee may charge customers more than the company’s rate and pocket the difference
  • Forging payments – Employees writing company cheques to themselves
  • Faking vendor payments – Employee sets up a fake vendor account and sends that money to themselves
  • Stealing customer credit card details – Employee uses customer card to buy goods and services for themselves
  • Stealing cash – Taking small amounts of money and hoping no one notices
  • Stealing office supplies – Stealing the company’s assets and taking them home
  • Stealing tax funds / returns – Employees responsible for tax payments may keep that money
  • Using company resources to start/run their own business – Employee uses company time, equipment, or funds to start their own business without the company’s knowledge
  • Creating ghost employees – Employees who control payroll may set up fake employees on the system and pay these false employees into accounts that they themselves own

Employee embezzlement can have significant and wide-ranging impacts on an organisation. Some of the critical consequences include:

  • Financial loss
  • Erosion of trust
  • Reputation damage
  • Operational disruptions
  • Legal consequences
  • Loss of productivity
  • Reduced employee morale
  • Cost of increased security measures
  • Long-term effects

The following is a real story of how an IT manager defrauded the organisation for which he worked.

Example: IT Manager Defrauded $1.7 Million from a TAFE in Western Sydney

What happened?

Ronald Cordoba was acting manager of information and communications technology services at the TAFE NSW South Western Sydney Institute.

He admitted using his position as ICT manager at the TAFE to sign off on $1.7 million worth of invoices from a company he had set up called ITD Pty Ltd.

For example, he charged the TAFE $150,000 for two years’ worth of Dropbox enterprise licences, which he had bought from Dropbox for a little over $70,000.

He conducted email exchanges between himself and a fake ITD account manager called ‘Alicia’ to copy in colleagues and maintain the semblance of a legitimate third-party provider.

He also admitted to buying dozens of products that the TAFE never received.

The above example clearly demonstrates the interconnectedness of the physical, cyber and human worlds. No amount of cybersecurity tooling would have stopped this crime from taking place.

Workplace Theft

At first glance, “employee theft” might evoke images of a staff member discreetly leaving with office supplies like pens or a stack of paper. However, upon closer inspection, it becomes clear that this issue extends beyond physical items. Employee theft manifests in diverse forms and complexities, from the misuse of company time for personal activities to more intricate forms of dishonesty.

  • Time theft – Using company time to conduct personal business or simply not working while on the clock
  • Data theft – Stealing company intellectual property and other company data, including sensitive or confidential information
  • Financial theft – Stealing company funds, including diversion of funds or payments before they get recorded by the company
  • Customer theft – Pocketing payments from customers without recording the transaction
  • Identity theft – Using a colleague’s personal information for identity theft or fraud
  • Software theft – Stealing organisation software and licenses for personal use or to sell
  • Hardware theft – Taking organisation hardware for personal use or to sell
  • Inventory theft – Taking the company’s equipment, tools or inventory for personal use or sale.
  • Services theft – When an employee uses a service for personal gain without permission from their company

Workplace theft can significantly impact an organisation’s financial health, reputation, and overall functioning, similar to workplace embezzlement.

Here are some statistics that you should know:

  • 34% of fraud cases in small businesses are internal/employee-related (Verizon Report – Very Small Business Cybercrime Protection Sheet)
  • 22% of small business owners have had employees steal from them (Business.org)
  • 88% of employee theft cases include attempts to hide the fraud (Association of Certified Fraud Examiners: Occupational Fraud 2022)
  • Small businesses are more likely to deal with check and payment tampering and skimming than other businesses (ACFE)

What Can You Do To Mitigate The Risk?

While large enterprises have taken considerable measures to combat insider threats through an insider threat program (covering prevention, detection, deterrence and response), small and medium-sized businesses have been left vulnerable due to their lack of financial and IT resources and internal expertise.

While it’s essential to understand how devastating insider threats can be, there is a way to reduce the risk for your organisation.

Some Essential Points

  1. Insider threat is a business, not a technology problem. You are dealing with people’s beliefs, values, emotions, habits and needs that change dynamically over time.
  2. It is essential to realise that every organisation is unique, and the type of threats it faces will be different due to the type of assets it holds and the strategies it tries to execute.
  3. Protecting everything is a useless goal. While perhaps it’s not impossible, it is economically impractical and will likely impede important business initiatives.

Concept Of The Three-legged Chair

The three-legged principle works as follows: it takes three principles working together to protect yourself, your family or your organisation from insider threats. If any one of the three legs is missing or broken, the stool will not support you.

  1. You must accurately judge trust.
    • Begin with the hiring process – Companies should verify a candidate’s character, capabilities and skill set with thorough background checks.
    • Establish clear security policies – Establish and enforce organisation cybersecurity policies. So much of the employee conduct will be guided by what the organisation considers safe and acceptable use.
    • Nurture cyber awareness within the organisation – Create a cyber and insider threat awareness culture. Staff should undergo regular training so that they have the confidence to identify both external cybersecurity threats and internal risks that could potentially harm the organisation. People cannot protect themselves or the business from risks they aren’t aware of
    • Have strict offboarding procedures – Since many malicious insider threats originate with former employees, it is critical to act fast and terminate employee accounts and access as soon as an individual leaves the company. This should significantly reduce any risk posed by disgruntled or departed employees.
  2. You must accurately judge access
    • Know your critical assets – Inventorying your assets is crucial for implementing the required security controls and policy measures to protect them.
    • Enforce strict access controls on what people can do – Organisations should use stringent password and account management policies and practices to prevent insiders from compromising user accounts.
    • Enforce separation of duties – Separation of duties requires dividing functions among multiple people to limit the possibility that one workforce member could steal information or commit fraud.
  3. You must be vigilant
    • Anticipate and manage risky behaviour – Ensure clear and consistent communication with your workforce about acceptable workplace behaviour to avoid any unexpected negative situations.
    • Pay attention to possible insider threat indicators – One of the most effective ways to reduce the risk of insider attacks is to monitor employee behaviour for known threat indicators, for example a noticeable change from their everyday pattern of activity.
    • Maintain good cybersecurity hygiene – Practising strong cyber hygiene goes a long way towards protecting your business from insider threats and deterring would-be bad actors in the first place.
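
The separation-of-duties, ghost-employee and offboarding points above (and the fake-vendor and ghost-employee schemes listed under Workplace Embezzlement) can each be turned into a simple detective control that an SME can run over its own ledgers without specialist tooling. The following is an added example, not code from the article or from any product it mentions: it runs three such checks over constructed sample records. All vendor, invoice, payroll and user-account values are invented, and the record layout is an assumption about what a small business’s exported ledgers might contain.

```python
"""Added example, not from the article: three detective controls run over
constructed ledger records, covering the fake-vendor, ghost-employee and
stale-account risks described above. All names, ids and values are invented."""
from datetime import date


def _digits(text):
    """Normalise a bank account string to its digits so that cosmetic
    differences in formatting cannot hide a shared account."""
    return "".join(ch for ch in text if ch.isdigit())


def self_approved_invoices(vendors, invoices):
    """Separation-of-duties check: flag invoices approved by the same user
    who created the vendor record (the 'fake vendor' pattern)."""
    creator = {v["id"]: v["created_by"] for v in vendors}
    return [inv["id"] for inv in invoices
            if creator.get(inv["vendor"]) == inv["approved_by"]]


def shared_payroll_accounts(payroll):
    """Ghost-employee check: group payroll records by normalised bank
    account and report any account that pays more than one employee."""
    by_account = {}
    for rec in payroll:
        by_account.setdefault(_digits(rec["account"]), []).append(rec["employee"])
    return {acct: emps for acct, emps in by_account.items() if len(emps) > 1}


def stale_accounts(accounts, today_iso):
    """Offboarding check: users whose termination date has passed but whose
    login is still enabled. Dates are ISO strings (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    return [a["user"] for a in accounts
            if a["enabled"] and a["terminated"]
            and date.fromisoformat(a["terminated"]) < today]


# Constructed sample data (hypothetical; not real people or companies).
VENDORS = [
    {"id": "V-001", "name": "Acme Stationery", "created_by": "jsmith"},
    {"id": "V-002", "name": "ITD Services", "created_by": "itmanager"},
]
INVOICES = [
    {"id": "INV-1", "vendor": "V-001", "amount": 1200.00, "approved_by": "itmanager"},
    {"id": "INV-2", "vendor": "V-002", "amount": 150000.00, "approved_by": "itmanager"},
    {"id": "INV-3", "vendor": "V-002", "amount": 9800.00, "approved_by": "mlee"},
]
PAYROLL = [
    {"employee": "E-10", "account": "062-000 11111111"},
    {"employee": "E-11", "account": "062-000 22222222"},
    {"employee": "E-99", "account": "06200022222222"},  # same account, different formatting
]
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "terminated": None},
    {"user": "tformer", "enabled": True, "terminated": "2024-01-15"},
    {"user": "kgone", "enabled": False, "terminated": "2023-11-01"},
]


def run_report(today_iso):
    """Collect all three findings in one structure for review."""
    return {
        "self_approved_invoices": self_approved_invoices(VENDORS, INVOICES),
        "shared_payroll_accounts": shared_payroll_accounts(PAYROLL),
        "stale_accounts": stale_accounts(ACCOUNTS, today_iso),
    }


if __name__ == "__main__":
    for check, findings in run_report("2024-02-01").items():
        print(f"{check}: {findings}")
```

Each check is a full pass over the records rather than a sampling step, which is what makes it useful against a trusted insider: the person who raised the vendor, added the payroll entry or should have disabled the account is exactly the person an approval workflow will not question. Running the report on a schedule, with the output reviewed by someone other than the record owners, is the practical form of the separation-of-duties principle for a small finance team.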

Takeaway

Damage, and the risk of damage, from trusted insiders is nothing new for small to medium-sized businesses. There are plenty of stories, both malicious and unintentional, of insiders causing damage and sorrow.

A common misconception among SMEs is a form of security through obscurity: the idea that your business is too small to be a target. Unfortunately, this is not the case.

SMEs hold valuable assets and are a much easier target given that they have less stringent technological defences, less awareness of threats and less time and resources to protect themselves effectively.

The impact of security breaches on SMEs is more substantial than for larger organisations. The costs to the business are proportionately higher. Lost customers. Lost brand confidence. Lost proprietary IP. Lost vendor relationships. Loss of reputation. And potentially loss of business.

Running a business is no small feat. It requires dedication, hard work and smart decision making.

When it comes to securing your business from insider threats, consider the three-legged analogy. Remember that no security measure is future-proof, so doing the little things well and continuously adapting to new changes within your business is the key to protecting your business.

Risky Behaviour Of An Insider Threat — The Cheating Employee

In 2015, Volkswagen admitted to creating a device that allowed the company’s vehicles to cheat emissions tests in the United States, and reached a $5.7 billion settlement.

The following year, Wells Fargo revealed that 5,300 employees had secretly opened millions of phony accounts in an attempt to hit sales targets and receive bonuses.

Closer to home, a report from the Australian Securities and Investments Commission (ASIC) found that banks and major financial institutions were charging clients fees without providing any advice.

What Is Cheating?

Cheating can be defined as behaving dishonestly or unfairly to gain an advantage or achieve a desired outcome.

In many cases, cheating involves breaking the rules, regulations, or social norms to obtain an unfair advantage or benefit.

Cheating in the workplace refers to the act of intentionally misrepresenting information, data, or behaviour for personal gain or advantage.

Employees may cheat by engaging in fraudulent or unethical behaviour, such as misrepresenting their qualifications or experience, falsifying records, or stealing company resources.

In the workplace, cheating can have severe consequences for the individual and the organisation.

When employees cheat, they can undermine the organisation’s trust and credibility and harm the company’s reputation.

In addition, cheating can lead to financial losses, legal consequences, and a loss of trust among customers and other stakeholders.

Example: Australia’s Biggest Insider Trading Heist

What happened?

It is alleged that an employee at the Australian Bureau of Statistics (ABS) who had access to unreleased jobs, retail and trade data provided this information to his friend working at the National Australia Bank.

They used the yet-to-be-released government data to place bets in the foreign exchange market. The former National Australia Bank trader turned $10,000 of seed money into $7.8 million before both men were arrested in May 2014.

Fictitious Scenario:

John is a mid-level manager at a manufacturing company. He has been with the company for several years and is well-respected by his colleagues and superiors.

However, John has recently fallen on hard times financially and has started to feel pressure to maintain his lavish lifestyle.

To maintain his lifestyle, John manipulates the company’s inventory records. For example, he starts to record that certain high-value items have been sold when in reality, they are still in stock. He then takes the items and sells them on the black market for a significant profit.

John’s fraudulent behaviour goes undetected for several months, during which time the company starts to experience a significant loss in revenue.

As the company’s profits continue to decline, the CEO launches an investigation into the company’s finances.

Through the investigation, it is discovered that John has been manipulating inventory records and stealing high-value items for his own personal gain.

The company is forced to take legal action against John and terminates his employment.

The damage to the company is significant, not only in terms of the financial losses incurred but also in terms of the loss of trust and reputation in the marketplace.

What Causes Employees To Cheat At Work?

There are many reasons why individuals may engage in cheating in the workplace.

One reason is that they may face life pressure or must meet unrealistic targets or deadlines. This can create a sense of desperation and lead them to engage in unethical behaviour to meet their goals.

Another is that employees may cheat in the workplace if they feel undervalued or under-compensated for their work. This can lead to a sense of entitlement and a belief that they are justified in cheating to make up for what they perceive as a lack of recognition or compensation.

Another reason is that employees may perceive their behaviour as acceptable or even encouraged by their superiors. If management turns a blind eye to cheating or fails to punish those who engage in it, employees may believe that cheating is an acceptable means of achieving success in the workplace.

Additionally, some employees may cheat simply because they do not see it as wrong or unethical. This may be due to a lack of moral education or a belief that the ends justify the means.

Warning Indicators

Something To Think About

Overall, cheating is a negative behaviour that undermines fairness, trust, and integrity.

It can occur in many different contexts and seriously affect individuals and the organisation.

Questions For You

  1. What policies and procedures are in place to prevent and detect fraudulent behaviour in the workplace?
  2. How do you encourage employees to report suspicious behaviour or fraudulent activity?
  3. Do you monitor employee behaviour and detect potential red flags indicating fraudulent activity?
  4. How do you ensure that employees are aware of the consequences of engaging in fraudulent behaviour, both for themselves and the organisation?

Behind Closed Doors — The Silent Peril Of Employee Burnout, Escalating Dangers Of Insider Threat

“If you can’t stand the heat, leave the kitchen.”

Is This Happening To You?

Waking up in the morning can sometimes be challenging as everything seems too overwhelming — the brightness, noise, and pace of the world.

It seems like every noise is really bothering you, every bit of brightness is causing discomfort to your eyes, and every motion makes you feel uncomfortable.

Every night, you struggle to sleep, tossing and turning in search of rest.

Thinking about work makes you feel anxious. The routine you used to know now feels like a confusing maze of tasks.

Every email task seems incredibly hard. The motivation that used to burn brightly is now just a weak, flickering light.

As you head to work, your patience is stretched thin like a worn-out rope. Your colleagues’ voices irritate you, and your boss’s requests appear unreasonable, even absurd.

The most minor inconveniences trigger an explosive irritation within you. You wonder how you’ve become this person, unlike your former self.

Standing there, utterly exhausted and frustrated, you realize you’re on the verge of reaching a breaking point.

Are these your symptoms? If so, you may be experiencing a “burnout” state.

The term “burnout”, according to the World Health Organisation, is defined as a “syndrome resulting from chronic workplace stress that has not been successfully managed”.

Burnout is caused by chronic workplace stress, which can be low-level and irritating for months, if not years before a person realizes or is confronted by the problem.

If you have ever felt “stressed at work” (and who hasn’t?), chances are it’s because you thought you didn’t have enough time to do what you wanted.

Stress often results from feeling “stuck” in a particular time frame. You can feel this frustration and irritation because you are focusing exclusively on the demands of the moment — the requests, the challenges and the events. They are all piling up with no break.

Those who are stressed and burned out have little understanding of how “urgency” and “importance” control their decision-making about what to do with their time.

Let’s explore some scenarios…

To-do lists are pervasive tools that employees employ to manage their time. They work their tail off to complete every task on their to-do list.

Unfortunately, most to-do lists are filled with “urgent” tasks. They require your attention at the moment, but rarely are they essential — the things that make a difference in the long term.

Urgency seems to control our lives. The phone rings, and we have to pick it up. It now becomes urgent if the phone call is important. This alone breaks your concentration and effectiveness.

The worst interruptions are meetings. They are typically scheduled like TV shows. The agendas are vague, and no one understands the goal. They tend to drift off subject, wasting everyone’s time. It’s too bad if it only requires five minutes to accomplish the objective. Meetings tend to stretch to an hour…and then the next meeting is ready to go.

According to the Global Workplace Burnout Study, burnout is a growing industry problem.

There are three dimensions to burnout:

  1. Feelings of energy depletion or exhaustion
  2. Increased mental distance and feelings of negativity towards work
  3. Reduced professional effectiveness.

What Causes Burnout?

There are three conditions:

1. Personal

  • Predisposition behaviour refers to certain qualities that might have been connected to someone’s early childhood experiences. These qualities could include feeling anxious, fearful, intense phobias, or dealing with mental disorders. These factors can influence how they behave now. That’s why people react to the same situation differently. No two people are the same.
  • Perfectionism is when you want to do everything perfectly, but it can hurt you significantly. People who struggle with it have difficulty making choices and often delay getting things done.
  • Lifestyle mismatch refers to a situation where a person’s personal habits, preferences, and daily routines clash with the demands of their work environment. A disconnect between how someone naturally lives their life and the expectations of their job can lead to increased stress at work. For example, if a person who values work-life balance finds themselves in a job that demands long hours and constant availability, it can create a sense of imbalance and strain.
  • Time mismanagement occurs when individuals struggle to allocate their time wisely. Tasks and deadlines can pile up, leading to a sense of overwhelm. As stress mounts, concentration and productivity tend to decline, creating a vicious cycle.

2. Team*

  • Lack of manager support – Managers are on the frontline of burnout. They can be central to preventing burnout or driving the problem. An absent or disrespectful manager leaves employees feeling isolated, exploited, and stuck in survival mode.
  • Unreasonable time pressure – When deadlines are unreasonable, and pressure is excessive and/or unending, this creates a pressure cooker environment that fosters burnout.
  • Unmanageable workload – The number of hours people work each week does matter, with burnout risk increasing significantly when employees exceed an average of 50 hours per week. This escalates even more substantially at 60 hours per week.
  • Unclear and inconsistent communication from managers – When expectations and accountability are inconsistent or unclear, employees can become frustrated and exhausted simply by trying to figure out what their manager wants.
  • Unfair treatment – When people are treated fairly and respected, they are more resilient and form stronger, more collaborative and productive relationships. When treatment is biased or unfavourable, or they feel they are mistreated compared to others, trust breaks. This allows burnout to take over.

3. Organisation*

  • Poor senior leadership – Senior leaders have the most influence over how an organisation operates and the environment that it creates. When senior leadership doesn’t “walk the talk”, it creates an atmosphere of unhealthy work conduct or even a toxic culture.
  • Lack of support structure and guidelines – When employees feel that their work environment is supportive, their workload is manageable, and expectations are realistic, they will feel supported. The converse is equally true.
  • Under-resourcing – “Do more with less” is a commonly used corporate mantra for efficiency, but it often seeds burnout within the organisation. For example, budget cuts can lead to greater long-term costs through under-resourcing.
  • Outdated modes of working – Outdated ways of working such as endless meetings, excessive administrative work, ‘the client is always right’, hierarchical approval processes and the normalisation of working weekends are the structures in which burnout thrives.
  • Value mismatch – People are increasingly craving purpose, both in their lives and in their work. However, when the employee’s values do not match the organisation’s, it will cause significant angst.

* The 2021 Global Workplace Burnout Study by Infinite Potential

What are the impacts of an employee who is exhibiting burnout?

As stated earlier, “burnout” is caused by unmanaged chronic workplace stress.

Stress at work that is ongoing and low level causes the feeling of burnout.

People are the main drivers of organisational success, and the health of the organisation is a crucial determinant of productivity and quality of work.

There is a significant gap in the productivity and quality of work between those who are burnt out and those who are not. (Source: State of Workplace Burnout 2023, Infinite Potential)

However, productivity is not the only outcome of people being burned out.

Employee burnout is a threat to your organisation, and this could be the case for several reasons. If your employees do the bare minimum, they may find achieving “cyber hygiene” difficult.

For example, they may skip necessary security steps such as choosing strong passwords or installing critical security updates, or click on URL links and open attachments that they shouldn’t be opening.

They will simply be unable to care or pay attention to threats such as phishing and other social engineering attacks.

But it gets worse.

It can compromise an employee’s ability to focus and make sound decisions, which can be particularly problematic in safety-sensitive industries.

It can lead to a sense of detachment and disengagement from work.

Burnout can have significant negative impacts on an employee’s physical and mental health. It can increase stress, anxiety, depression, physical health problems and weakened immune systems.

Those who suffer can strain relationships with colleagues due to increased irritability, reduced communication, and diminished teamwork. This can negatively affect the overall work environment and team cohesion.

Strained relationships and difficulty focusing and working will most likely lead to increased absenteeism. Those who are burned out are more likely to seek new job opportunities.

Those who suffer and feel poorly cared for and supported by management may lash out against their colleagues or organisations, causing significant harm.

Example Of A Possible Scenario: Software Engineer Causes Software Outage

A software engineer at a large tech company felt burned out after working long hours and having unrealistic deadlines. He started making mistakes at work, such as submitting code with bugs and missing important meetings. He also became withdrawn and irritable, which made it difficult for him to collaborate with his team.

One day, the engineer made a critical mistake that caused a major outage in the company’s software.

The outage cost the company millions of dollars in lost revenue and customer goodwill. The engineer was eventually fired, and the company implemented new policies to prevent employee burnout in the future.

Other Possible Examples:

  • A nurse’s error, which led to a patient’s death, was a direct consequence of burnout resulting from long working hours at the hospital.
  • A police officer at a large city police department became so burned out that he started abusing alcohol and drugs. He was eventually fired from the department.
  • A teacher at a public school became so burned out that she started yelling at her students and making threats. She was eventually placed on leave and later resigned from her job.
  • A customer service representative at a large telecommunications company became so burned out that she started snapping at customers. This resulted in several customer complaints, and the representative was eventually demoted.
  • A flight attendant at a major airline became so burned out that she started making mistakes during flights. This resulted in many delays and cancellations, and the flight attendant was eventually fired.
  • A social worker at a non-profit organisation became so burned out that she started having difficulty sleeping and concentrating. This made it difficult for her to do her job, and she eventually took a leave of absence.

Are You A Workaholic?

Are you staying at work late into the night? Or perhaps you are bringing your work back home? Do you find it challenging to disengage from work?

The term “workaholism” was defined by psychologist Wayne Oates back in 1971 as a compulsion or an uncontrollable need to work incessantly.

Work “addiction” is a complex condition in which an individual develops a mental, emotional, and social dependence on work.

People with work addiction often work compulsively at the expense of other aspects of their lives. They may work long hours even when it is not needed, sacrifice sleep to get work done, and be paranoid about their work performance.

Can A Workaholic Drive Burnout More Readily?

Burnout and workaholism are both conditions that can have a negative impact on an individual’s physical and mental health.

The main difference between burnout and workaholism is that burnout is caused by excessive stress, while workaholism is driven by a compulsive need to work.

Burnout can happen to anyone, regardless of their work ethic. On the other hand, workaholism is often a sign of underlying psychological issues, such as anxiety or depression.

A workaholic is more likely to experience burnout than someone who does not work excessively.

Workaholics are at risk for burnout because they tend to:

  • Work long hours, often without taking breaks or vacations.
  • Put work before their personal lives.
  • Have difficulty saying no to new work assignments.
  • Be perfectionists and set unrealistic expectations for themselves.
  • Feel that they need to be constantly productive.

These behaviours can lead to chronic stress, eventually leading to burnout.

Final Words

Gallup’s “State Of the Global Workplace: 2023 Report” reveals frightening figures: 28% of workers say that they feel burned out at work either “very often” or “always”, and only 24% of employees believe their organisation cares about their wellbeing.

Why Is This Important?

As we can see, a considerable group of employees are minimally productive, disengaged, and disconnected from their organisation.

And we have learned that stress is one of the critical drivers of employee burnout.

According to the same Gallup report, 44% of employees experienced a lot of stress.

The Gallup analysis went on to find that engagement has 3.8 times as much influence on employees’ stress. In other words, what matters is what people experience in their everyday work: their feelings of involvement and enthusiasm.

Low-engagement workers represent an uncertain situation for organisations. They drive low morale, high turnover and increased costs to the business, and their poor performance can damage the organisation’s reputation and erode its competitive advantage.

There Is, However, An Upside To This Situation.

As organisational leaders endeavour to navigate an uncertain economic outlook, addressing their employee wellbeing concerns and improving engagement should be top priorities.

Leadership and management directly influence workplace engagement, and there is much that organisations can do to help their employees thrive at work.

Resources:

2021 Global Workplace Burnout Study – https://img1.wsimg.com/blobby/go/6c37d4f0-7b8a-4dd3-afb8-0a1b504af624/2021%20Workplace%20Burnout%20Study-%20Final.pdf

The State of Workplace Burnout 2023 – https://img1.wsimg.com/blobby/go/6c37d4f0-7b8a-4dd3-afb8-0a1b504af624/The%20State%20of%20Workplace%20Burnout%202023%20v7%20(1).pdf

How Insider Risk Management Programs Enhance And Strengthen Cybersecurity Posture

“Amateurs hack systems, professionals hack people.”

Unfortunately, businesses, organisations, and institutions have often been “betrayed” by individuals of trust, also known as “insiders”.

The harm from such betrayal can be catastrophic. It can jeopardise sensitive data, compromise intellectual property, disrupt operations, and damage reputation. It can result in financial losses, legal ramifications, and loss of trust from customers and stakeholders.

For a long time, the insider threat has largely been ignored in favour of the external hacker.

Why?

The external hacker is easier to detect, easier to control, and is much more visible than the “enemy within”.

The reality is that insider threat activities have been occurring for a very long time and are still taking place today.

Since insider threat incidents occur within the organisation, they occur in “private”.

Private attacks by insiders are much easier to hide.

This brings me to the following point: which poses the biggest threat to your business, cyber threats or insider threats?

In some ways, it is a loaded question.

For many years there has been much debate over who causes more damage: insiders or outsiders.

While network intrusions and ransomware attacks can be very costly and damaging, so can the actions of employees sitting behind a firewall or remotely working from home.

Either way, cyber and insider threats pose significant risks to organisations. Still, it is challenging to determine which one is worse as their impact can vary depending on the specific circumstances and context.

Comparing the two threats is complex because they differ in nature and motivations.

While cyber threats can be launched from anywhere in the world, insider threats occur within the organisation’s own environment.

While cyber threats are often driven by financial gain, political motivations, or the desire to cause disruption, insider threats can stem from various factors, including personal grievances, financial pressures, negligence, or unintentional mistakes.

Detecting cyber threats can be challenging due to the external nature of the attacks and the evolving tactics used by cybercriminals. Insider threats can be even more difficult to detect, as they originate from human behaviour and actions within the organisation’s trusted network.

While both cyber and insider threats can have severe consequences, the impact of a cyber threat can be immediate and widespread, affecting numerous organisations simultaneously. Insider threats, while potentially more localised, can be highly damaging because of the insider’s knowledge of internal systems and access to sensitive data.

While cyber threats are a technology challenge, insider threats are a people challenge.

Another problem is that insider threats live in the shadow of cyber threats and do not get the attention needed to fully comprehend the extent of the problem.

However, the focus of this article is not to determine which scenario is worse. Instead, it aims to show that by taking proactive measures to mitigate insider risk, you thereby strengthen your cybersecurity stance for your organisation.

The Risk Landscape

It’s common to come across news about organisations being compromised or intruded upon, affecting customers, employees, government, and other stakeholders.

These attacks can come from within or outside the organisation and have severe consequences.

Often, external infiltration occurs due to intentional or unintentional vulnerabilities created by the organisation.

We know the cybersecurity landscape constantly evolves, but some things never change.

The current threat landscape bears the typical theme of malicious actors taking advantage of crises with a view to capitalising on them. This was no different during the COVID-19 pandemic and, more recently, with the tensions between Russia and Ukraine that could have cybersecurity implications globally.

As technology continues to evolve and many daily interactions are conducted in virtual space, this evolution continues to bring unrelenting threats and challenges. Look no further than the introduction of artificial intelligence tools into our businesses.

The assets organisations need to protect, ranging from proprietary information and intellectual property to critical processes, research and development, exist largely in virtual space.

As a result, risks to those assets have taken on new meaning. Information has become a high-risk asset that can be readily extracted and exploited.

Furthermore, as business operations have shifted beyond physical confines, mitigating threats outside those boundaries has added further complications and vulnerabilities.

“What was in is now out. And what was out is now in.” We are all interconnected.

Although business has moved to a more virtual medium, mitigating cyber and insider threats still requires a holistic approach.

Insider Threat As Part Of Your Enterprise Risk Management

Risk landscapes are frequently developed to inform decision-making, shape the prioritisation of assessments, and mitigate risks.

Landscapes should, whenever possible, incorporate aspects of physical, cyber, and human risk elements, as shown by the image below.

In the above diagram, we illustrate how insiders have access to the use of technology, which can exist both internally and externally.

Physical security is very much interconnected with information technology security and cybersecurity.

You cannot look at what an individual does in the virtual world and ignore what goes on in the world of bricks and mortar.

You can’t have cybersecurity without considering your insiders interacting in the day-to-day business operations using technology, applications, and data.

To successfully manage your cyber risk landscape, you need to focus on insiders.

Business is conducted by people. People with beliefs, values, thoughts, aspirations, needs, etc. They behave and act in the manner that best serves them, whether passive, aggressive, ignorant, or even aggrandised.

Example: A Tesla employee thwarts an alleged ransomware plot

What happened?
In 2020, a Russian agent tried to recruit an unnamed Tesla employee to plant malware on the Tesla network in exchange for $1 million. The goal was to steal data from the automaker and threaten to release it unless Tesla paid a ransom.

Luckily, the employee in question reportedly told Tesla about the Russian agent and the proposition. Tesla then contacted the FBI, who arrested the agent before he could return to Russia.

The above example perfectly shows how cyber perimeter defences can be easily circumvented.

Cybersecurity defence is important, but the human-cyber-physical approach must be applied in tandem to reduce external threats.

Without a doubt, technology has become so integrated into the fabric of society that it can be difficult to see where the technology starts and ends.

In some cases, it makes it difficult to assess the risk of technology, especially if it is not clearly understood in the context of human behaviour.

Example: AT&T employees took bribes to install malware

What happened?
The bribery scheme lasted from April 2012 until September 2017.

Initially, two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T’s network.

They recruited AT&T employees by approaching them privately via telephone or Facebook messages. Employees who agreed received lists of IMEI codes for the phones they were to unlock in exchange for payment.

Employees would then receive bribes in their bank accounts, in shell companies they created, or as cash, from the two Pakistani men.

A year into the scheme, the Pakistani men had bribed other AT&T employees to install malware on the AT&T network so that it would collect data and employee details and credentials, and reveal how AT&T’s systems worked.

The second piece of malware they created was designed to use AT&T employee credentials to perform automated actions in AT&T’s internal application, unlocking phones at the fraudsters’ behest without needing to involve AT&T employees every time.

By 2014, they had bribed AT&T employees to install rogue wireless access devices inside the AT&T call centre. These devices provided remote access to AT&T’s internal apps and networks, allowing the rogue phone unlocking scheme to continue.

Consequences?
In short, the two Pakistani men paid more than $1 million in bribes to AT&T employees and successfully unlocked over two million devices.

One AT&T employee received $428,000 in bribes over a period of five years.

In 2018, the Pakistani men were arrested in Hong Kong and extradited to the US.

AT&T estimated it lost more than $5 million per year in revenue from Fahd’s phone unlocking scheme.

The above example clearly demonstrates the interconnectedness of the physical, cyber and human worlds. No amount of cybersecurity tools would have stopped this crime from taking place.

Managing Risk And Uncertainty

Protecting the organisation’s assets in the current environment is not an exercise in just mitigating or preventing adverse effects but rather in reducing the impact of what is not understood or cannot be foreseen — uncertainty.

And what we do not understand or foresee very well is how human behaviour can potentially impact the organisation’s objectives, outcomes, and security.

People are dynamic.

Human behaviour is the result of “frames” (an inner executive) that drive a person’s actions and govern their state of mind and emotions.

When they go to work, they run their frames, which may at that time be positive or negative.

Example:
If your office door is broken and refuses to close, you can always change the lock mechanism or even replace the door. However, if a person keeps slamming the door, you must deal with their behaviour.

Cybersecurity programs will encounter difficulties if they do not understand the interconnection and interrelation between insiders and the physical and logical world.

Mitigating cyber risk will be measured by how much uncertainty you can eliminate and how much uncertainty you can tolerate while still advising on business direction.

It is interesting to note that as human beings, we all need certainty, safety, stability, and predictability in our lives.

We like to feel secure in our jobs, in our homes, and in our relationships. We want to avoid pain and have assurance that our basic needs are being met.

Some people pursue this need for certainty by striving to control all aspects of their lives, including the projects they run and those who work for them.

Interestingly, when we lack certainty, we tend to panic and get stressed.

Example:
During the period when we had COVID-19 lockdowns, we faced new uncertainty. Shoppers began stocking up on basic household items — especially toilet paper. This buying frenzy led to shortages, even though, in most cases, there would have been enough to go around if people only purchased what they needed.

Enterprise risk management should be positioned to address uncertainty by shifting attention away from avoiding failure, which is inevitable, towards understanding the balance between the uncertainty that can be reduced and the uncertainty that must be tolerated.

Insider Risk Management Program

As we noted earlier, robust and resilient cybersecurity programs stem from efforts to understand both internal and external events affecting the organisation. The two aspects go hand in hand.

The reality is that organisations cannot prevent all cyber incidents. The typical approach of spending more money and resources or buying the latest risk management technologies and tools rarely proves effective. What is needed is the capability to reduce the likelihood of incidents and limit their damage, and one way to establish that capability is by implementing an insider risk management program.

An insider risk management program serves as the organisation’s designated and dedicated resource for mitigating and managing insider threats.

To effectively prevent, detect, deter, and respond to insider threats, the organisation must take appropriate risk management actions. The best time to develop a process for mitigating insider incidents is before they occur.

Such a program should possess the following characteristics:

While a well-designed and effectively implemented insider risk management program cannot eliminate all internal risks, it can help reduce the likelihood of compromise and mitigate damage from internal incidents and external attacks.

Given today’s elevated-threat environment, protecting all assets at the highest level is impossible. However, by implementing an insider risk management program and integrating it with existing security practices, organisations can more effectively prevent, detect, deter, and rapidly respond to internal risks. This capability is integral to an effective cybersecurity practice and posture.

Do You Have A Toxic Passive-Aggressive In The Workplace?

Dealing with co-worker conflicts can make the workplace uncomfortable, no matter the situation. But it can be a little more frustrating when a co-worker exhibits insidious behaviour.

In this video, we delve into the Passive-Aggressive type of personality and subtle tactics employed by these individuals, causing harm and breeding negativity.

This video sheds light on the detrimental effects of passive-aggressive behaviour on team dynamics, communication, and overall productivity.

We provide valuable insights and an understanding of what drives these people to behave the way they do and what’s in it for them.

Join us on this crucial journey as we empower you to confront the toxic passive-aggressive and cultivate a transparent and respectful workplace culture.

This is your opportunity to gain FREE access to the insights and guidance of a veteran in cyber defence

Do You Have A Toxic Bulldozer In Your Workplace?

It’s my way or the highway! I’m sure you have heard the saying.

This formidable force can disrupt teams, hinder progress, and leave a trail of broken morale in its wake.

In this video, we dive deep into the destructive nature of the bulldozer and its impact on productivity and employee well-being.

We shed light on this phenomenon with a serious and focused tone and offer some insights into why people behave this way.

Join us on this empowering journey as we take on the toxic bulldozer, championing collaboration, respect, and success.


Do You Have Toxic Bullying In Your Workplace?

Sometimes, people get confused about what is and isn’t bullying.

People can think that someone saying something they don’t like is bullying, but it’s not.

In this video, we will address the issue of toxic bullying and why it is serious, detrimental and highly impactful to an organisation.

We will unpack and discover the root cause of such behaviour and understand the different types of bullying behaviours, the risk factors and their drivers.

Join us on this crucial journey as we tackle toxic bullying head-on, providing you with meaningful insights and comprehension of why people do what they do.


Do You Have A Toxic Gossiper In Your Workplace?

Workplace gossip is part of working in any organisation. It is an almost unavoidable result of colleagues meeting and interacting regularly.

Gossip gets a bad reputation; after all, no one likes to be the one talked about.

This video delves into the intriguing topic of toxic gossipers lurking in your professional realm.

Brace yourself as we uncover the hidden dangers, unveil their destructive influence, and equip you with invaluable insights to combat this menace.

Join us on this eye-opening journey as we expose the truth about toxic gossipers and empower you to take control.


The Danger of Blind Trust: How Employee Loyalty Can Lead to Insider Threats

“Train people well enough so they can leave, treat them well enough so they don’t want to.”

You have recently embarked on a new job, immersing yourself in an unfamiliar work environment. Whether it involved switching roles within the company or relocating to a different city, everything feels fresh and exciting.

As the first month passes, you gradually grasp the culture and values of your new team. With time, you begin forming bonds with some of your co-workers. Simultaneously, your understanding of the inner workings and dynamics of the business expands.

Slowly but surely, a sense of trust starts to develop.

Now, the question arises: which comes first, loyalty or trust?

Before we delve into that, let’s explore a common saying: “one of the organisation’s greatest assets is its employees, but it is also its most significant risk.”

Employing someone is a crucial decision for any organisation, and rightfully so. The quality of its employees can determine a business’s success or failure, regardless of the tasks they undertake. Yet, those very employees also pose a significant threat to the organisations that hire them.

No matter how meticulous the recruitment process or comprehensive the policies and procedures, there is always a potential for disputes or breaches to arise.

Interestingly, when an insider breach occurs, it is often referred to as a breach of trust rather than a breach of loyalty.

Employers typically strive to cultivate a culture of loyalty, as it can lead to a motivated workforce, increased productivity, and long-term commitment. However, organisations must recognise that unwavering employee loyalty can also pose risks in the form of insider threats.

This article aims to explore the dangers associated with unquestioning employee loyalty and shed light on how organisations can mitigate the risks to safeguard their interests.

What is employee loyalty?

Employees are arguably the organisation’s most valuable assets.

They are the people who work day in, day out, striving to meet the organisation’s mission and objectives.

Loyal employees can do absolute wonders for the future of the organisation.

Typically, employee loyalty refers to an employee remaining with a company for an extended period because they feel valued, appreciated, and believe in the overall mission of the company.

However, what does loyalty mean to you?

Does it mean:

Consider this example of a “breach of loyalty”:

Example: Virgin Atlantic sacks 13 cabin crew over unsavoury remarks

What happened?
Virgin Atlantic has sacked 13 of its cabin staff after they criticised the airline and some of its passengers on social networking website Facebook.

It was found that all 13 staff had participated in a Facebook discussion in which they described passengers as “chavs” and made jokes about faulty engines.

What were the consequences?
The staff were dismissed for their behaviour as it was totally “inappropriate” and had brought the company into disrepute, said Richard Branson.

Question – What would you think if you heard the following: “I don’t know whether this employee is loyal?”

Your mind will be racing to seek questions and answers… Determining someone’s loyalty can be challenging, relying on subjective judgments and personal experiences. It often involves observing their behaviour, building trust, and fostering open communication.

Increasingly, employees define loyalty based on the specific job they perform.

They strive to learn and excel in their assigned tasks. Once they have mastered their roles, they may seek new opportunities for greater responsibility or higher wages.

Their mindset becomes, “You pay me to do X, I do Y, and we are even.”

They consider themselves “loyal” as long as they fulfil their obligations, whether they work for a company for ten years or ten months.

More and more workers are taking the view that they are the sole drivers of their careers.

This is evident in the recent 2023 Gallup State of the Global Workplace report, which shows that 51% of employees expressed some level of intent to leave their jobs.

Gallup went on to say that an analysis found that engaged employees require a 31% pay increase to consider taking a job with a different organisation. Not engaged and actively disengaged employees, on average, want a 22% pay increase to change jobs.

What is employee trust?

Trust is the underpinning of life, relationships, transactions and behaviours. Trust is about “confidence”.

The opposite is distrust. When you trust people, you have confidence in their integrity and capabilities.

When you have distrust, you are suspicious.

In today’s global economy, trust is king. It serves as the social framework for behaviour and reality, providing certainty and confidence in our day-to-day interactions. Without trust, our lives would be paralysed, leading to inaction and potential chaos.

Low trust creates friction, whether it stems from unethical behaviour or from incompetence despite ethical behaviour. It exacts the greatest cost on individuals and organisations, giving rise to hidden agendas, politics, conflicts, disagreements, and defensive or offensive behaviour.

When a new person joins an organisation, they are extended significant trust and the belief that they will represent the organisation’s best interests. They enter a “temporary probation period” where both employee and employer assess each other’s suitability, determining the continuation of the employment relationship.

If the new employee successfully proves their worth during this probation, they earn full trust. From that point forward, their trust is not questioned unless they commit a wrongdoing.

Consider this example of a breach of trust:

Example: A former Google executive stole trade secrets to start his own autonomous trucking company

What happened?
It is alleged that the former Google executive had downloaded over 14,000 files containing proprietary information and trade secrets related to self-driving car technology, giving him an unfair advantage in his new venture – Otto. Uber later acquired Otto.

What were the consequences?
The case attracted significant media attention and resulted in a high-profile legal battle between Waymo (Google) and Uber. The former executive was later fired from Uber, and the company settled with Waymo, agreeing to provide financial compensation and ensure its autonomous vehicle technology did not utilise Waymo’s trade secrets.

This case of employee disloyalty and theft of trade secrets demonstrates the potential harm caused to an organisation when an employee breaches their duty of loyalty.

However, it can also be considered a breach of loyalty. Both trust and loyalty are interconnected, and determining which comes first is complex.

What is the difference between trust and loyalty?

Whoever said, “trust takes years to build, seconds to break and forever to repair”, was correct.

We understand that loyalty among employees is beneficial for both individuals and the organisation.

However, if not managed correctly, loyalty can also foster unethical behaviour.

Consider the following examples:

Trust is the foundation of any healthy relationship, whether personal or professional.

It involves having confidence and belief in the reliability, integrity, and honesty of someone or something.

Trust is built over time through consistent actions, open communication, and fulfilling promises.

When trust is established, it forms the basis for loyalty.

Loyalty, on the other hand, is a deeper emotional commitment or allegiance to someone or something.

It implies a sense of faithfulness, support, and dedication.

Loyalty often develops as a result of the trust that has been built. People tend to be loyal to those they trust because they believe in their character, competence, or the value they provide.

While trust is the foundation, loyalty can be seen as a subsequent outcome or expression of that trust.

However, it’s important to note that trust and loyalty are interconnected and can reinforce each other.

Building trust can lead to loyalty, and loyal behaviour can further strengthen trust.

Ultimately, the relationship between trust and loyalty is complex and can vary depending on the specific circumstances, individuals involved, and cultural or personal values.

Here are some examples where trust and loyalty both hold true:

Here are some examples of where trust and loyalty differ:

Blind Trust

Blind trust can arise from an excessive reliance on employee loyalty, leading to complacency.

When employers or managers place too much faith in their employees without maintaining appropriate vigilance, blind trust can result in negative consequences.

Blind trust occurs when employers become overly comfortable and neglect to exercise due diligence in monitoring their employees’ actions, performance, and adherence to company policies.

It can stem from a long history of loyal and dedicated employees, creating a sense of complacency within the organisation.

As a result, employers may overly depend on their employees’ loyalty, overlooking potential warning signs or misconduct.

This blind trust can lead to several detrimental outcomes:

Example: How One Woman Stole $53 Million

What happened?
Rita Crundwell, a city official in the small town of Dixon, Illinois, was also the town’s financial comptroller. For 22 years, Rita funnelled around $53 million into building her own personal horse breeding empire while slashing police budgets, neglecting infrastructure needs and cutting staff.

When she was done raiding the taxpayers’ coffers, her crime was the largest case of municipal fraud in American history.

Video trailer – https://vimeo.com/225296132

“Trust is like the air we breathe,” Warren Buffett once said. “When it is present, nobody really notices. But when it’s absent, everybody notices.”

When you think of trust, you feel confident or open with the person or organisation. And should that bond of trust ever be broken, you should be able to recognise it.

Unfortunately, with blind trust, the confidence and openness are still there…but if the bond is broken, you probably won’t recognise or see it. I guess that’s why they call it “blind faith”.

It’s okay to trust people in both your personal and professional life. My question would be, to whom should you give blind trust? And is blind trust appropriate in the workplace?

A Case In Assessing Your Organisational Culture Risk

81,396.

That’s how much of our life most of us spend working.[1] The only thing we spend more time on is sleeping.

If we spend so much of our life at work, how is it working?

According to the world’s workers, not well.

Gallup finds 60% of people are disengaged at work, and 19% are actively disengaged.

But is that a surprise or a statistical explanation of the obvious?

“Work”, according to Oxford Languages, is “activity involving mental or physical effort done to achieve a purpose or result.”

Exerting mental or physical effort to achieve anything is rarely done without stress, worry or pain.

Stress, uncertainty, worry, and some uneasiness will always be part of the day-to-day job, but a bad organisational culture can exacerbate those negative emotions.

So, what makes a job bad?

According to Gallup, one study on burnout revealed the following causes:

1. Unfair treatment at work
2. An unmanageable workload
3. Unclear communication from managers
4. Lack of manager support
5. Unreasonable time pressure

However, one can define “a bad job” as failing to meet an employee’s basic needs, leading to a significant decline in job satisfaction, motivation, and productivity.

Various factors, including poor pay, long working hours, lack of job security, insufficient benefits, limited opportunities for growth and development, high levels of stress, and unsatisfactory working conditions, can characterise a bad job.

These factors can have a detrimental effect on an employee’s overall well-being.

So, what makes a business culture bad?

We know that bad business culture can result in low employee satisfaction, poor job performance, and a negative impact on the company’s overall success.

Various factors can characterise it:

Interestingly, bad organisational culture can also create negative word-of-mouth and reputation, making it harder to attract and retain talent in the future.

Why is it essential for organisations to self-assess their organisational culture risk?

Organisational culture has far-reaching implications for maintaining your organisation’s security integrity, especially regarding Human Insider Threats.

Most organisations move through their business life with little understanding or visibility of how or whether their culture supports their mission and objectives.

Case Study:

The company in question is a mid-sized financial services firm with approximately 800 employees.

The company had recently experienced a high turnover rate, particularly among younger employees.

Additionally, the company had received negative feedback from clients regarding the quality of service provided.

The leadership team recognised that the culture of the organisation could be contributing to these issues and decided to take action.

The leadership team’s first step was to identify the organisation’s existing culture.

This involved a review of the company’s mission statement, values, and strategic objectives. Additionally, the leadership team interviewed employees at all levels of the organisation to better understand the company’s culture.

Through this process, the leadership team identified several prevalent critical cultural characteristics in the organisation.

These included focusing on individual achievement rather than teamwork, a lack of transparency in decision-making, and a high degree of competition among employees.

In the above case study, the organisation took proactive steps to identify its culture before that culture started to critically impact performance, capability and morale.

In today’s fast-paced business environment, it is more important than ever to clearly understand an organisation’s culture.

Organisations with a healthy culture tend to report above-average results, while a toxic culture can have a significant negative impact on an organisation’s bottom line.

Despite this, most organisations believe an internal cultural health check is sufficient. So what are the pitfalls of conducting such a check internally?

Organisational culture refers to the shared values, beliefs, behaviours, and customs that characterise an organisation and guide the actions of its members. In the context of this article, organisational culture is viewed as a critical factor in determining the overall success of an organisation and its ability to maintain security and integrity.

Obviously, a positive organisational culture can help to foster a sense of loyalty and commitment among employees, promote effective communication, and encourage ethical behaviour.

Conversely, a toxic organisational culture can create an environment conducive to human insider threats and data breaches, which can significantly impact an organisation.

Example: Toxic culture in Uber impacted its ability to innovate and compete

What happened?

In 2017, a former Uber engineer named Susan Fowler published a blog post describing a pervasive culture of sexism and harassment at the company.

Fowler described numerous incidents of sexual harassment and discrimination and a lack of action from the company’s human resources department to address these issues.

Fowler’s blog post quickly went viral and prompted an internal investigation at Uber.

The investigation revealed that the company had a deeply ingrained culture of toxic masculinity, where aggressive behaviour and sexist attitudes were commonplace. In addition, employees who spoke out about this behaviour were often ignored or retaliated against, creating a culture of fear and silence.

What were the consequences?

In addition to the negative press and damage to the brand, the company faced several legal challenges. Several high-profile executives were forced to resign, and the company paid millions of dollars in settlements to employees who had experienced discrimination and harassment.

The case of Uber provides several important lessons.

One of the key takeaways is the importance of creating a culture of respect and inclusion. By creating a culture that values diversity and encourages respectful behaviour, organisations can reduce the risk of discrimination and harassment.

So, why is conducting an external cultural health check important?

Business culture is considered one of the most critical factors for predicting overall success and internal security.

An external cultural health check conducted by an expert in the field can provide a clear and unbiased understanding of the organisation’s culture.

This understanding is crucial for organisations to identify potential risks to their success and take the necessary steps to address them.

Ignore at your peril

Unfortunately, there are still gaps today where management dismisses the importance of their organisational culture.

Organisations without a clear and unbiased understanding of their culture risk falling behind in a competitive market.

Example: Toxic culture at Capital One caused a data breach that affected 100 million individuals

What happened?

The breach occurred due to a misconfigured firewall in the cloud infrastructure, which allowed the hacker to access sensitive data. However, the breach also exposed flaws in Capital One’s security practices, including inadequate security controls, poor incident response planning, and inadequate oversight of cloud-based systems.

The company’s toxic culture, which emphasised speed and efficiency over security and risk management, contributed to the inadequate security practices and lack of oversight that allowed the breach to occur.

What were the consequences?

The breach exposed the personal information of over 100 million customers, including names, addresses, credit scores, and Social Security numbers.

As a result, Capital One faced significant financial and reputational damage and had to pay a substantial fine to regulatory authorities.

The importance of understanding your organisational culture

A positive and healthy corporate culture enhances employee engagement, increases productivity, and promotes positive outcomes for the organisation.

On the other hand, a toxic organisational culture can lead to low morale, high turnover, and decreased productivity.

Rather than approaching culture solely through employee engagement initiatives, a good understanding of the overall culture often amplifies the effectiveness of all other initiatives.

Through an unbiased external assessment, organisations can identify areas for improvement and implement changes to their culture, including things like improving security training and awareness programs.

By doing so, they can mitigate the risks associated with toxic cultures and help prevent breaches like the Capital One data breach from occurring.

A well-executed external organisational culture assessment can also help organisations understand what they currently do to nurture a positive environment and suggest ways of extending these good practices to greater benefit.

Why run an organisational culture assessment?

By introducing an externally run organisational culture assessment, organisations gain the benefits of an assessment conducted by an independent expert: valuable insights into the organisation’s strengths and weaknesses and help in identifying areas for improvement.

The process of assessing organisational culture

Assessing organisational culture is a process that helps organisations understand their culture’s current state and identify improvement areas.

In many instances, organisations believe an external culture assessment can provide an unbiased and objective perspective on the organisation’s culture and specific recommendations for improvement.

Methodologies for assessing organisational culture

Naked Insider uses several methodologies for assessing organisational culture, including surveys, focus groups, interviews, and observation.

An external culture assessment typically employs a combination of these methodologies to comprehensively understand the organisation’s culture.

The role of Naked Insider in assessing organisational culture

Naked Insider is a leading provider of organisational culture assessments. Our team of experts has extensive experience in assessing organisational culture and providing recommendations for improvement. Our assessments are designed to be thorough, objective, and independent, providing organisations with a clear understanding of their culture and a roadmap for improvement.

In summary, organisational culture plays a crucial role in the success of any organisation. Therefore, a thorough understanding of the culture within an organisation is essential to identify potential risks.

[1] According to the Gallup World Poll, the average full-time worker spends 41.36 hours per week working. If you assume people work 48 weeks per year, it means people spend 1,985.28 hours per year working. Life expectancy is 73, and according to the OECD, people retire at about 63. If people begin working at 22, then the average person works 41 years. Forty-one years of work at 1,985.28 hours per year is 81,396 total hours.