Category: Article

Categories
Article

Rising Risk: The Escalating Menace Of Insider Threats In Small To Medium-Sized Businesses

Rising Risk: The Escalating Menace Of Insider Threats In Small To Medium-Sized Businesses

When considering insider threats, the familiar mental image often involves envisioning an undercover operative or a double agent with a singular objective: The covert extraction of sensitive information from large and technologically advanced corporations. The portrayal of such scenarios in James Bond films effectively establishes the backdrop for this perception.

However, insider threats are much more widespread than many people realise.

While we may think that large organisations are the perfect target for such scenarios, small to medium-sized businesses (SMEs) also suffer the consequences of a breach of trust.

In fact, insider threats pose a serious risk in any business environment, but they can be disastrous for SMEs.

Take the Example of the Largest Municipal Fraud in American History

What happened?

Rita Crundwell stole over $53 million of public funds across two decades in office as the City Comptroller and Treasurer for Dixon, Illinois, a town with a population of just 16,000.

She used the funds to build one of the nation’s leading quarter horse breeding empires and threw lavish parties for community leaders at her home, all while the town endured cuts to public staff, emergency services budgets, and work on maintaining public infrastructure.

In 2012, after a close colleague turned whistleblower finally uncovered her scheme and alerted the Mayor, the FBI arrested Crundwell as the largest municipal fraud perpetrator in American history.

Questions

  • How did Rita Crundwell steal over $37,000 daily from a town with an annual budget of around $6 million?
  • How could such embezzlement go undetected in annual audits by two independent accounting firms and in annual audit reviews by state regulators?
  • How did local residents not become suspicious of Crundwell’s extravagant wealth and frivolous spending?

Feature film

This story has turned into a feature film called “All the Queens Horses” and tells the story of Rita Crundwell, the perpetrator of the largest case of municipal fraud in American history.

When business owners focus towards safeguarding their enterprises, the primary emphasis is frequently placed on countering cybersecurity threats.

Cyberattacks like phishing, social engineering, malware and other direct cyber assaults aimed at compromising the integrity of business computer systems are a vital concern.

However, not all threats originate from outside your organisation. Insider threats are a real security risk, and there are many types that you should be aware of if you want to ensure your business is protected.

This article will examine why SMEs must proactively identify hidden dangers to their business.

What Are Insider Threats?

To start with, let’s define insider threats.

An insider is anyone who has or had authorised access to your business assets. This insider can be your employee, a contractor, a former employee, a trusted third party, a partner, a vendor, or even a former employee.

Insider threat can be defined as the potential for an individual who has or had authorised access to an organisation’s assets to use their access, either maliciously or unintentionally, to act in a way that could cause harm to the organisation’s assets.

Types Of Insider Threats

Insider threats can be broken into two groups: Malicious and non-Malicious.

What makes them different is the intention. There is a motive.

  • Malicious threats are those that intend to cause harm and negatively affect their organisations.
  • Non-malicious (accidental) are those people who, through their actions, unknowingly (without intention) cause harm.

Malicious Insider Threats

The principal goals of malicious insider threats include espionage, fraud, intellectual property theft, sabotage and misuse of information. They intentionally abuse their privileged access to steal information or degrade systems for financial, personal and/or malicious reasons.

What motivates people to intentionally cause harm to their organisation? The most simplistic explanation that the community tends to talk about is “MICE”, which can be explained as follows:

  1. M for Money: This refers to individuals motivated by financial gain. Insider threats driven by the desire for monetary rewards may involve theft, fraud, or the unauthorised sale of sensitive information.
  2. I for Ideology: Individuals motivated by ideology are guided by strong beliefs or convictions. Insider threats in this category may arise when employees align themselves with a particular ideology or cause that conflicts with the organisation’s interests.
  3. C for Coercion: Coercion involves using force, threats, or other pressure to compel individuals to act against their will. Insiders may become threats if they are coerced into compromising the organisation’s security.
  4. E for Ego: Ego-driven motivations involve individuals seeking recognition, status, or personal satisfaction. Insider threats with ego motivations may manifest as employees who attempt to prove their capabilities, challenge the system, or seek revenge for perceived slights.

Non-malicious Threats

Although “malicious insider threats” tend to be the subject of newsworthy media stories, most insider incidents are caused accidentally through carelessness, negligence, or ignorant actions.

  • Negligence refers to taking those who do not take reasonable care or fulfil a duty of care. Such people may disregard safety protocols or rush through their jobs without reasonable care, which can harm themselves or their organisation. For example, someone who clicks on a link or opens a malicious attachment.
  • Carelessness refers to a lack of attention that results in mistakes or accidents. For example, someone who may leave sensitive information lying around.
  • Ignorance refers to someone making poor decisions and failing to follow the rules or guidelines due to a lack of knowledge or awareness about a particular situation.

Common Examples of Unintentional Insider Threats:

  • Clicking on malicious phishing links
  • Opening up malicious attachments
  • Falling for social engineering attacks
  • Send confidential data to the wrong recipient
  • Ignoring security policies
  • Oversharing personal and confidential information on social media
  • Careless use of USB drives
  • Using easily guessable passwords

What Are The Most Significant Insider Threats Facing SMEs?

While I have outlined the different types of insider threats above, here are some of the more troubling threats that SMEs need to be aware of.

Workplace Embezzlement

Embezzlement is the misuse or theft of company funds or company property. Embezzlement occurs when funds or resources from a business are misused for personal gain.

There are a variety of ways that an employee or business owner can steal or misappropriate resources. Here are some of them:

  • Stealing money from cash registers – Employees may void the transaction and keep the money for themselves
  • Cashing customer checks – Employee sets up a bank account similar to the company, and they then cash customer money
  • Overbilling customers – Employee may charge customers more than the company’s rate and pocket the difference
  • Forging payments – Employees writing company checks to themselves
  • Faking vendor payments – Employee sets up a fake vendor account and sends that money to themselves
  • Stealing customer credit card details – Employee uses customer card to buy goods and services for themselves
  • Stealing cash – Taking small amounts of money and hoping no one notices.
  • Stealing office supplies – Stealing the company’s assets and tasking it home
  • Stealing tax funds / returns – Employees responsible for tax payments may keep that money.
  • Using company resources to start/run their business – Employee uses company time, equipment, or funds to start their own business without their knowledge
  • Creating ghost employees – Employees who control payroll may set up fake employees on the system but pay these false employees to accounts that this person owns.

Employee embezzlement can have significant and wide-ranging impacts on an organisation. Some of the critical consequences include:

  • Financial loss
  • Erosion of trust
  • Reputation damage
  • Operation disruptions
  • Legal significances
  • Loss of productivity
  • Employee morale
  • Increased security measures
  • Long-term effects

The following is a real story of how an IT manager defrauded the organisation for which he worked.

Example: IT Manager Defrauded $1.7 Million from a TAFE in Western Sydney

What happened?

Ronald Cordoba was acting manager of information and communications technology services at the TAFE NSW South Western Sydney Institute.

He admitted using his position as ICT manager at the TAFE to sign off on $1.7 million worth of invoices from a company he had set up called ITD Pty Ltd.

For example, he charged the TAFE $150,000 for two year’s worth of Dropbox enterprise licenses, which he had bought from Dropbox for a little over $70,000.

He conducted email exchanges between himself and a fake ITD account manager called ‘Alicia’ to copy in colleagues and maintain the semblance of a legitimate third-party provider.

He also admitted to buying dozens of products that the TAFE never received.

Workplace Theft

The above example clearly demonstrates the interconnectedness between the physical-cyber-human world. No amount of cybersecurity tools would have stopped this crime from taking place

Managing Risk And Uncertainty

At first glance, “employee theft” might evoke images of a staff member discreetly leaving with office supplies like pens or a stack of paper. However, upon closer inspection, it becomes clear that this issue extends beyond physical items. Employee theft manifests in diverse forms and complexities, from the misuse of company time for personal activities to more intricate forms of dishonesty.

  • Time theft – Using company time to conduct personal businesses or simply not working while on the clock
  • Data theft – Stealing company intellectual property and other company data, including sensitive or confidential information
  • Financial theft – Stealing company funds, including diversion of funds or payments before they get recorded by the company
  • Customer theft – Pocketing payments from customers without recording the transaction
  • Identity theft – Using a colleague’s personal information for identity theft or fraud
  • Software theft – Stealing organisation software and licenses for personal use or to sell
  • Hardware theft – Taking organisation hardware for personal use or to sell
  • Inventory theft – Taking the company’s equipment, tools or inventory for personal use or sale.
  • Services theft – When an employee uses a service for personal gain without permission from their company

Workplace theft can significantly impact an organisation’s financial health, reputation, and overall functioning, similar to workplace embezzlement.

Here are some statistics that you should know:

  • 34% of fraud cases in small businesses are internal/employee-related (Verizon Report – Very Small Business Cybercrime Protection Sheet)
  • 22% of small business owners have had employees steal from them (Business.org)
  • 88% of employee theft cases include attempts to hide the fraud (Association of Certified Fraud Examiners: Occupation Fraud 2022)
  • Small businesses are more likely to deal with check and payment tampering and skimming than other businesses (ACFE)

What Can You Do To Mitigate The Risk?

While large enterprises have taken considerable measures to combat insider threats through an insider threat program (through prevention, detection, deterrence and response measures), small and medium-sized businesses have been left vulnerable due to their lack of financial, IT resources and internal expertise.

While it’s essential to understand how devastating insider threats can be, there is a way to reduce the risk for your organisation.

Some Essential Points

  1. Insider threat is a business, not a technology problem. You are dealing with people’s beliefs, values, emotions, habits and needs that change dynamically over time.
  2. It is essential to realise that every organisation is unique, and the type of threats it faces will be different due to the type of assets it holds and the strategies it tries to execute.
  3. Protecting everything is a useless goal. While perhaps it’s not impossible, it is economically impractical and will likely impede important business initiatives.

Concept Of The Three-legged Chair

The three-legged principle works as follows: It takes only three principles working together to protect yourself, your family or your organisation from insider threats. If one of the three-legged stools is missing or broken, it will not support you

  1. You must accurately judge trust.
    • Begin with the hiring process – Companies should verify a candidate’s character capabilities and skill set with thorough background checks.
    • Establish clear security policies – Establish and enforce organisation cybersecurity policies. So much of the employee conduct will be guided by what the organisation considers safe and acceptable use.
    • Nurture cyber awareness within the organisation – Create a cyber and insider threat awareness culture. Staff should undergo regular training so that they have the confidence to identify both external cybersecurity threats and internal risks that could potentially harm the organisation. People cannot protect themselves or the business from risks they aren’t aware of
    • Have strict offboarding procedures – Since many malicious insider threats originate with former employees, it is critical to take fast action to terminate employee accounts and access them as soon as an individual leaves the company. This should significantly reduce any risk imposed by disgruntled or departed employees.
  2. You must accurately judge access
    • Know your critical assets – Inventorying your assets is crucial for implementing the required security controls and policy measures to protect them.
    • Limit strict access controls on what people can do – Organisations should use stringent password and account management policies and practices to prevent insiders from compromising user accounts.
    • Enforce separation of duties – Separation of duties requires dividing functions among multiple people to limit the possibility that one workforce member could steal information or commit fraud.
  3. You must be vigilant
    • Anticipate and manage risky behaviour – Ensure clear and consistent communication with your workforce about acceptable workplace behaviour to avoid any unexpected negative situations.
    • Pay attention to possible insider threat indicators – One of the most effective ways to reduce the risk of insider attacks is to monitor employee behaviour for known threat indicators. For example, if their behaviour has changed somewhat from their everyday activities.
    • Maintain good cybersecurity Hygiene – Practicing strong cyber hygiene goes a long way towards protecting your business from insider threats and deterring would-be bad actors in the first place.

Takeaway

Damage and the risk of damage from trusted insiders are not new for small to medium size businesses. There are plenty of stories, both malicious and unintentional, that have caused damage and sorrow.

A common misconception for SMEs is an idea of security through obscurity that your business is too small to be a target, but unfortunately, this is not the case.

SMEs hold valuable assets and are a much easier target given that they have less stringent technological defences, less awareness of threats and less time and resources to protect themselves effectively.

The impact of security breaches on SMEs is more substantial than for larger organisations. The costs to the business are proportionately higher. Lost customers. Lost brand confidence. Lost proprietary IP. Lost vendor relationships. Loss of reputation. And potentially loss of business.

Running a business is no small feat. It requires dedication, hard work and smart decision making.

When it comes to securing your business from insider threats, consider the three-legged analogy. Remember that no security measure is future-proof, so doing the little things well and continuously adapting to new changes within your business is the key to protecting your business.

GET YOUR FREE BOOK NOW!
Categories
Article

Risky Behaviour Of An Insider Threat — The Cheating Employee

Risky Behaviour Of An Insider Threat — The Cheating Employee

In 2015, Volkswagen admitted to creating a device that allowed the company’s vehicles to cheat emissions tests in the United States and had a $5.7 billion settlement.

The following year, Wells Fargo revealed that 5,300 employees had secretly opened millions of phony accounts in an attempt to hit sales targets and receive bonuses.

Close to home, a report from the Australian Securities and Investments Commission (ASIC) found that clients were being charged fees without providing advice by banks and major financial institutions.

What Is Cheating?

Cheating can be defined as behaving dishonestly or unfairly to gain an advantage or achieve a desired outcome.

In many cases, cheating involves breaking the rules, regulations, or social norms to obtain an unfair advantage or benefit.

Cheating in the workplace refers to the act of intentionally misrepresenting information, data, or behaviour for personal gain or advantage.

Employees may cheat by engaging in fraudulent or unethical behaviour, such as misrepresenting their qualifications or experience, falsifying records, or stealing company resources.

In the workplace, cheating can have severe consequences for the individual and the organisation.

When employees cheat, they can undermine the organisation’s trust and credibility and harm the company’s reputation.

In addition, cheating can lead to financial losses, legal consequences, and a loss of trust among customers and other stakeholders.

Example: Australia’s Biggest Insider Trading Heist

What happened?

It is alleged that an employee at the Australian Bureau of Statistics (ABS) who had access to unreleased jobs, retail and trade data could provide this information to his friend working at the Australian National Bank.

They used the yet-to-be-released government data to place bets in the foreign exchange market. The former National Australia Bank trader turned $10,000 of seed money into $7.8 million before both men were arrested in May 2014.

Fictitious Scenario:

John is a mid-level manager at a manufacturing company. He has been with the company for several years and is well-respected by his colleagues and superiors.

However, John has recently fallen on hard times financially and has started to feel pressure to maintain his lavish lifestyle.

To maintain his lifestyle, John manipulates the company’s inventory records. For example, he starts to record that certain high-value items have been sold when in reality, they are still in stock. He then takes the items and sells them on the black market for a significant profit.

John’s fraudulent behaviour goes undetected for several months, during which time the company starts to experience a significant loss in revenue.

As the company’s profits continue to decline, the CEO launches an investigation into the company’s finances.

Through the investigation, it is discovered that John has been manipulating inventory records and stealing high-value items for his own personal gain.

The company is forced to take legal action against John and terminates his employment.

The damage to the company is significant, not only in terms of the financial losses incurred but also in terms of the loss of trust and reputation in the marketplace.

What Causes Employees To Cheat At Work?

There are many reasons why individuals may engage in cheating in the workplace.

One reason is that they may face life pressure or must meet unrealistic targets or deadlines. This can create a sense of desperation and lead them to engage in unethical behaviour to meet their goals.

Another thought, employees may cheat in the workplace if they feel undervalued or under-compensated for their work. This can lead to a sense of entitlement and a belief that they are justified in cheating to make up for what they perceive as a lack of recognition or compensation.

Another reason, employees may perceive their behaviour as acceptable or even encouraged by their superiors. If management turns a blind eye to cheating or fails to punish those who engage in it, employees may believe that cheating is an acceptable means of achieving success in the workplace.

Additionally, some employees may cheat simply because they do not see it as wrong or unethical. This may be due to a lack of moral education or a belief that the ends justify the means.

Warning Indicators
  • Changes in behaviour or attitude include becoming defensive, evasive, or mysterious when questioned about their activities.
  • Unexplained or unusual financial transactions: Such as making large purchases or transfers of money.
  • Secrecy or avoidance: Such as refusing to provide information or cooperate with others in the workplace.
  • Unusual work patterns: Such as working uncommon hours or engaging in activities that are not part of their regular job responsibilities.
  • Unusual travel or expenses claims: Such as claiming expenses for trips they did not take or for purchases they did not make.
  • Poor performance results
  • Lack of transparency: Such as failing to provide records or documentation to explain their actions.
  • Unexplained absence
  • Manipulation of system or data
  • Disregard for rules or policies
  • Changes in lifestyle

Something To Think About

Overall, cheating is a negative behaviour that undermines fairness, trust, and integrity.

It can occur in many different contexts and seriously affect individuals and the organisation.

Questions For You

  1. What policies and procedures are in place to prevent and detect fraudulent behaviour in the workplace?
  2. How do you encourage employees to report suspicious behaviour or fraudulent activity?
  3. Do you monitor employee behaviour and detect potential red flags indicating fraudulent activity?
  4. How do you ensure that employees are aware of the consequences of engaging in fraudulent behaviour, both for themselves and the organisation?
GET YOUR FREE BOOK NOW!
Categories
Article

Behind Closed Doors — The Silent Peril Of Employee Burnout, Escalating Dangers Of Insider Threat

Behind Closed Doors — The Silent Peril Of Employee Burnout, Escalating Dangers Of Insider Threat

“If you can’t stand the heat, leave the kitchen.”

- Dr. Christina Maslach

Is This Happening To You?

Waking up in the morning can sometimes be challenging as everything seems too overwhelming — the brightness, noise, and pace of the world.

It seems like every noise is really bothering you, every bit of brightness is causing discomfort to your eyes, and every motion makes you feel uncomfortable.

Every night, you struggle to sleep, tossing and turning in search of rest.

Thinking about work makes you feel anxious. The routine you used to know now feels like a confusing maze of tasks.

Every email task seems incredibly hard. The motivation that used to burn brightly is now just a weak, flickering light.

As you head to work, your patience is stretched thin like a worn-out rope. Your colleagues’ voices irritate you, and your boss’s requests appear unreasonable, even absurd.

The most minor inconveniences trigger an explosive irritation within you. You wonder how you’ve become this person, unlike your former self.

Standing there, utterly exhausted and frustrated, you realize you’re on the verge of reaching a breaking point.

Are these your symptoms? If so, you may be experiencing a “burnout” state.

The term “burnout”, according to the World Health Organisation, is defined as a “syndrome resulting from a chronic workplace stress that has not been successfully managed”.

Burnout is caused by chronic workplace stress, which can be low-level and irritating for months, if not years before a person realizes or is confronted by the problem.

If you have ever felt “stressed at work,” and who hasn’t? Chances are it’s because you thought you didn’t have enough time to do what you wanted.

Stress often results from feeling “stuck” in a particular time frame.  You can feel this frustration and irritation because you are focusing exclusively on the demands of the moment — The requests, the challenges and the events. They are all piling up with no break.

Those who are stressed and burned out have little understanding of how “urgency” and “importance” control their decision-making about what to do with their time.

Let’s explore some scenarios…

To-do lists are pervasive tools that employees employ to manage their time. They work their tail off to complete every task on their to-do list.

Unfortunately, most to-do lists are filled with “urgent” tasks. They require your attention at the moment, but rarely are they essential — the things that make a difference in the long term.

Urgency seems to control our lives. The phone rings, and we have to pick it up. It now becomes urgent if the phone call is important. This alone breaks your concentration and effectiveness.

The worst interruptions are meetings. They are typically scheduled like TV shows. The agendas are vague, and no one understands the goal. They tend to drift off subject, wasting everyone’s time. It’s too bad if it only requires five minutes to accomplish the objective. Meetings tend to stretch to an hour…and then the next meeting is ready to go.

According to the Global Workplace Burnout Study, burnout is a growing industry problem.

There are three dimensions to burnout:

  1. Feelings of energy depletion or exhaustion
  2. Increase mental distance and feelings of negativity towards work
  3. Reduced professional effectiveness.

What Causes Burnout?

There are three conditions:

1. Personal

  • Predisposition behaviour refers to certain qualities that might have been connected to someone’s early childhood experiences. These qualities could include feeling anxious, fearful, intense phobias, or dealing with mental disorders. These factors can influence how they behave now. That’s why people react to the same situation differently. No two people are the same.
  • Perfectionism is when you want to do everything perfectly, but it can hurt you significantly. People who struggle with it have difficulty making choices and often delay getting things done.
  • Lifestyle mismatch refers to a situation where a person’s personal habits, preferences, and daily routines clash with the demands of their work environment. A disconnect between how someone naturally lives their life and the expectations of their job can lead to increased stress at work. For example, if a person who values work-life balance finds themselves in a job that demands long hours and constant availability, it can create a sense of imbalance and strain.
  • Time mismanagement occurs when individuals struggle to allocate their time wisely. Tasks and deadlines can pile up, leading to a sense of overwhelm. As stress mounts, concentration and productivity tend to decline, creating a vicious cycle.

2. Team*

  • Lack of manager support – Managers are on the frontline of burnout. They can be central to preventing burnout or driving the problem. An absent or disrespectful manager leaves employees feeling isolated, exploited, and stuck in survival mode.
  • Unreasonable time pressure – When deadlines are unreasonable, and pressure is excessive and/or unending, this creates a pressure cooker environment that fosters burnout.
  • Unmanageable workload – The number of hours people work each week does matter, with burnout risk increasing significantly when employees exceed an average of 50 hours per week. This escalates even more substantially at 60 hours per week.
  • Unclear and inconsistent communication from managers – When expectations and accountability are inconsistent or unclear, employees can become frustrated and exhausted simply by trying to figure out what their manager wants.
  • Unfair treatment – When people are treated fairly and respected, they are more resilient and form stronger, more collaborative and productive relationships. When the treatment is biased unfavourable, or they feel they are mistreated compared to others, trust breaks. This allows burnout to take over.

3. Organisation*

  • Poor senior leadership – Senior leaders have the most influence over how an organisation operates and the environment that it creates. When senior leadership don’t “walk their talk”, they provide an atmosphere of unhealthy work conduct or even toxic culture.
  • Lack of support structure and guidelines – When employees feel that their work environment is supported, their workload is manageable, and expectations are realistic, employees will feel supported. But the converse is true.
  • Under resourcing – Do more with less is a commonly used corporate mantra for efficiency, but it often seeds burnout within the organisation. For example, budget cuts can lead to greater long-term costs through under-resourcing.
  • Outdated modes of working – Outdated ways of working such as endless meetings, excessive administrative work, ‘the client is always right’, hierarchical approval processes and the normalisation of working weekends are the structures that burnout thrives.
  • Value mismatch – People are increasingly craving purpose, both in their lives and in their work. However, when the value of the employee does not match the organisation’s worth, it will cause significant angst.

* The 2021 Global Workplace Burnout Study by Infinite Potential

What are the impacts of an employee who is exhibiting burnout?

As stated earlier, “burnout” is caused by unmanaged chronic workplace stress.

Stress at work that is ongoing and low level causes the feeling of burnout.

People are the main drivers of organisational success, and the health of the organisation is a crucial determinant of productivity and quality of work.

There is a significant gap in the productivity and quality of work between those who are burnt out and those who are not. (Source: According to the State of Workplace Burnout 2023 by Infinite Potential)

However, productivity is not the only outcome of people being burned out.

Employee burnout is a threat to your organisation, and this could be the case for several reasons. If your employees do the bare minimum, they may find achieving “cyber hygiene” difficult.

For example, they may skip necessary security steps like creating smart passwords, updating their computer with critical security updates, clicking on URL links or opening attachments that they shouldn’t be opening.

They will simply be unable to care or pay attention to threats such as phishing and other social engineering attacks.

But it gets worse.

It can compromise an employee’s ability to focus and make sound decisions, which can be particularly problematic in safety-sensitive industries.

It can lead to a sense of detachment and disengagement from work.

Burnout can have significant negative impacts on an employee’s physical and mental health. It can increase stress, anxiety, depression, physical health problems and weakened immune systems.

Those who suffer can strain relationships with colleagues due to increased irritability, reduced communication, and diminished teamwork. This can negatively affect the overall work environment and team cohesion.

Strained relationships and difficulty focusing and working will most likely lead to increased absenteeism. Those who are burned out are more likely to seek new job opportunities.

Those who suffer and feel poorly cared for and supported by management may lash out against their colleagues or organisations, causing significant harm.

Examples Of Possible Scenario: Software Engineer Causes Software Outage

A software engineer at a large tech company felt burned out after working long hours and having unrealistic deadlines. He started making mistakes at work, such as submitting code with bugs and missing important meetings. He also became withdrawn and irritable, which made it difficult for him to collaborate with his team.

One day, the engineer made a critical mistake that caused a major outage in the company’s software. 

The outage cost the company millions of dollars in lost revenue and customer goodwill. The engineer was eventually fired, and the company implemented new policies to prevent employee burnout in the future.

Other Possible Examples:

  • The nurse’s error, which led to the patient’s death, was a direct consequence of burnout resulting from the long working hours in the hospital.
  • A police officer at a large city police department became so burned out that he started abusing alcohol and drugs. He was eventually fired from the department.
  • A teacher at a public school became so burned out that she started yelling at her students and making threats. She was eventually placed on leave and later resigned from her job.
  • A customer service representative at a large telecommunications company became so burned out that she started snapping at customers. This resulted in several customer complaints, and the representative was eventually demoted.
  • A flight attendant at a major airline became so burned out that she started making mistakes during flights. This resulted in many delays and cancellations, and the flight attendant was eventually fired.
  • A social worker at a non-profit organisation became so burned out that she started having difficulty sleeping and concentrating. This made it difficult for her to do her job, and she eventually took a leave of absence.

Are You A Workaholic?

Are you staying at work late into the night? Or perhaps you are bringing your work back home? Do you find it challenging to disengage from work?

The term “workaholism” was defined by psychologist Wayne Oates back in 1971 as a compulsion or an uncontrollable need to work incessantly.

Work “addiction” is a complex condition in which an individual develops a mental, emotional, and social dependence on work.

People with work addiction often work compulsively at the expense of other aspects of their lives. They may work long hours even when it is not needed, sacrifice sleep to get work done, and be paranoid about their work performance.

Can A Workaholic Drive Burnout More Readily?

Burnout and workaholism are both conditions that can have a negative impact on an individual’s physical and mental health.

The main difference between burnout and workaholism is that burnout is caused by excessive stress, while workaholism is driven by a compulsive need to work.

Burnout can happen to anyone, regardless of their work ethic. On the other hand, workaholism is often a sign of underlying psychological issues, such as anxiety or depression.

A workaholic is more likely to experience burnout than someone who does not work excessively.

Workaholics are at risk for burnout because they tend to:

  • Work long hours, often without taking breaks or vacations.
  • Put work before their personal lives.
  • Have difficulty saying no to new work assignments.
  • They are perfectionists and set unrealistic expectations for themselves.
  • They feel like they need to be constantly productive.

These behaviours can lead to chronic stress, eventually leading to burnout.

Final Words

According to “State Of the Global Workplace: 2023 Report” by Gallup it reveals frightening figures that 28% of workers say that they feel burned out at work either “very often” or “always and that only 24% of employees believe their organisation cares about their wellbeing.

Why Is This Important?

As we can see, a considerable group of employees are minimally productive, disengaged, and disconnected from their organisation.

And we have learned that stress is one of the critical anchors that drive employees to be burned out.

According to the same Gallup report, 44% of employees experienced a lot of stress.

The Gallup analysis continued that engagement has 3.8 times as much influence on employees’ stress. In other words, what people experience in their everyday work – their feelings of involvement and enthusiasm.

Low-engagement workers represent an uncertain situation for organisations, driving low morale, high turnover, and increasing costs to the business, potentially causing reputation damage due to poor performance and thereby losing their competitive advantage.

There Is, However, An Upside To This Situation.

As organisational leaders endeavour to navigate an uncertain economic outlook, addressing their employee wellbeing concerns and improving engagement should be top priorities.

Leadership and management directly influence workplace engagement, and there is much that organisations can do to help their employees thrive at work.

 

Resources:

2021 Global Workplace Burnout Study – https://img1.wsimg.com/blobby/go/6c37d4f0-7b8a-4dd3-afb8-0a1b504af624/2021%20Workplace%20Burnout%20Study-%20Final.pdf 

The State of Workplace Burnout 2023 – https://img1.wsimg.com/blobby/go/6c37d4f0-7b8a-4dd3-afb8-0a1b504af624/The%20State%20of%20Workplace%20Burnout%202023%20v7%20(1).pdf 

Categories
Article

How Insider Risk Management Programs Enhance And Strengthen Cybersecurity Posture

How Insider Risk Management Programs Enhance And Strengthen Cybersecurity Posture

“Amateurs hack systems, professionals hack people.”

- Bruce Schneier

Unfortunately, businesses, organisations, and institutions have often been “betrayed” by individuals of trust, also known as “insiders”.

The harm from such betrayal can be catastrophic. It can jeopardise sensitive data, compromise intellectual property, disrupt operations, and damage reputation. It can result in financial losses, legal ramifications, and loss of trust from customers and stakeholders.

For a long time, the insider threat has largely been ignored in favour of the external hacker.

Why?

The external hacker is easier to detect, easier to control, and is much more visible than the “enemy within”.

The reality is that insider threat activities have been occurring for a very long time and are still taking place today.

Since insider threat incidents occur within the organisation, they occur in “private”.

Private attacks by insiders are much easier to hide.

This brings me to the following point…Which poses the biggest threat to your business — cyber threats or insider threats?

In some ways, it is a loaded question.

For many years there has been much debate on who causes more damage — Insiders Vs. Outsiders.

While network intrusions and ransomware attacks can be very costly and damaging, so can the actions of employees sitting behind a firewall or remotely working from home.

Either way, cyber and insider threats pose significant risks to organisations. Still, it is challenging to determine which one is worse as their impact can vary depending on the specific circumstances and context.

Comparing the two threats is complex because they differ in nature and motivations.

While cyber threats can be launched from anywhere in the world, insider threats occur within the organisation’s own environment.

While cyber threats are often driven by financial gain, political motivations, or the desire to cause disruption, insider threats can stem from various factors, including personal grievances, financial pressures, negligence, or unintentional mistakes.

While detecting cyber threats can be challenging due to the external nature of the attacks and the evolving tactics used by cybercriminals. Insider threats can be relatively more difficult to detect as they originate from human behaviour and actions within the organisation’s trusted network.

While both cyber and insider threats can have severe consequences, the impact of a cyber threat can be immediate and widespread, affecting numerous organisations simultaneously. Insider threats, while potentially more localised, can be highly damaging due to their knowledge of internal systems and access to sensitive data.

While cyber threats are a technology challenge, insider threats are a people challenge.

Another problem is that Insider Threats live in the shadows of Cyber Threats and do not get the attention needed to fully comprehend the extent of the Insider Threat problem.

However, the focus of this article is not to determine which scenario is worse. Instead, it aims to show that by taking proactive measures to mitigate insider risk, you thereby strengthen your cybersecurity stance for your organisation.

The Risk Landscape

It’s common to come across news about organisations being compromised or intruded upon, affecting customers, employees, government, and other stakeholders.

These attacks can come from within or outside the organisation and have severe consequences.

Often, external infiltration occurs due to intentional or unintentional vulnerabilities created by the organisation.

We know the cybersecurity landscape constantly evolves, but some things never change.

The current threat landscape bears the typical theme of malicious actors taking advantage of crises with a view to capitalising on them. This was no different during the COVID-19 pandemic and, more recently, with the tensions between Russia and Ukraine that could have cybersecurity implications globally.

As technology continues to evolve and many daily interactions are conducted in virtual space, this evolution continues to place unrelenting threats and challenges. Look no further than the introduction of artificial intelligence tools into our business.

The assets organisations need to protect, ranging from proprietary information and intellectual property to critical processes, research and development, exist largely in virtual space.

As a result, risks to those assets have taken on new meaning. Information has become a high-risk asset that can be readily extracted and exploited.

Furthermore, as business operations have shifted beyond the physical confines, mitigating threats outside their boundaries has added additional complications and vulnerabilities.

“What was in is now out. And what was out in now in.” We are all interconnected.

  • Accessing and manipulating data is possible from almost anywhere and from any device.
  • The proliferation of web-based applications provides easy access.
  • Fast telecommunication gives employees off-site access.
  • Data is more mobile through emails, smartphones, tablets and notebooks.
  • Corporate policies are harder to administer and govern.
  • Physical copies are no longer needed.
  • Social media platforms are an easy way to share ideas and data.
  • Artificial intelligence tools revolutionise business operations using internal and external data.

Although the business medium has changed to more virtual, mitigating cyber and insider threats must still utilise a holistic approach.

Insider Threat As Part Of Your Enterprise Risk Management

Risk landscapes are frequently developed to inform decision-making, shape prioritisation of the assessment, and mitigate risks.

Landscapes should, whenever possible, incorporate aspects of physical, cyber, and human risk elements, as shown by the image below.

In the above diagram, we illustrate how insiders have access to the use of technology, which can exist both internally and externally.

Physical security is very much interconnected with information technology security and cybersecurity.

You cannot look at what an individual does in the virtual world and ignore what goes on in the world of bricks and mortar.

You can’t have cybersecurity without considering your insiders interacting in the day-to-day business operations using technology, applications, and data.

To successfully manage your cyber risk landscape, you need to focus on insiders.

Business is conducted by people. People with beliefs, values, thoughts, aspirations, needs, etc. They behave and act in the manner that best serves them, whether passive, aggressive, ignorant, or even aggrandised.

Example: A Tesla employee thwarts an alleged ransomware plot

What happened?
In 2020, a Russian agent tried to recruit an unnamed Tesla employee to plant the malware onto the Tesla network for $1 million. The goal was to steal data from the automaker and threaten to release it unless Tesla paid a ransom.

Luckily, the employee in question reportedly told Tesla about the Russian agent and the proposition. Tesla then contacted the FBI, who arrested the agent before returning to Russia.

The above example perfectly shows how cyber perimeter defences can be easily circumvented.

Cybersecurity defence is important, but the human-cyber-physical approach must be applied in tandem to reduce external threats.

Without a doubt, technology has become so integrated into the fabric of society that it can be difficult to see where the technology starts and ends.

In some cases, it makes it difficult to assess the risk of technology, especially if it is not clearly understood in the context of human behaviour.

Example: AT&T employees took bribes to install malware

What happened?
The bribery scheme lasted from April 2012 until September 2017.

Initially, two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T’s network.

They recruited AT&T employees by approaching them privately via telephone or Facebook messages. Employees who agreed received lists of IMEI phone codes which they had to unlock for sums of money.

Employees would then receive bribes in their bank accounts, in shell companies they created, or as cash, from the two Pakistani men.

A year into the malpractice, the Pakistani men had bribed other AT&T employees to install malware on the AT&T network so that it would collect data, employee details/credentials and reveal how their systems worked.

The second malware that they created was designed to use AT&T employee credentials to perform automated actions on AT&T’s internal application to unlock phones at the fraudster’s behest without needing to interact with AT&T employees every time.

By 2014, they bribed AT&T employees to install rogue wireless access devices inside the AT&T call centre. These devices provide remote access to AT&T internal apps and networks and continue the rogue phone unlocking scheme.

Consequences?
In short, the two Pakistani men paid more than $1 million in bribes to AT&T employees and successfully unlocked over two million devices.

One AT&T employee received $428,000 in bribes over a period of five years.

In 2018, the Pakistani men were arrested in Hong Kong and extradited to the US.

AT&T estimated it lost revenue of more than $5 million/year from Fahd’s phone unlocking scheme.

The above example clearly demonstrates the interconnectedness between the physical-cyber-human world. No amount of cybersecurity tools would have stopped this crime from taking place

Managing Risk And Uncertainty

Protecting the organisation’s assets in the current environment is not an exercise in just mitigating or preventing adverse effects but rather in reducing the impact of what is not understood or cannot be foreseen — uncertainty.

And what we don’t understand nor foresee very well is how human behaviour can potentially impact the organisation’s objectives, outcomes, and security.

People are dynamic.

Human behaviour is the result of “frames” (inner executive) that drive human actions. These frames drive their actions. They govern their state of mind and emotions.

When they go to work, they run their frames, which may at that time be positive or negative.

Example:
If your door to your office is broken because it refuses to close, you can always change the lock mechanism or even change the door. However, if the person slams the door, you must handle their behaviour.

Cybersecurity programs will encounter difficulties if they do not understand the interconnection and interrelation between insiders and the physical and logical world.

Mitigating cyber risk will be measured by how much uncertainty you can eliminate and how much uncertainty you can tolerate and still advise on business directions.

It is interesting to note that as human beings, we all need certainty, safety, stability, and predictability in our lives.

We like to feel secure in our jobs, in our homes, and our relationships. We want to avoid pain and assurances that our basic needs are being met.

Some people pursue this need for certainty by striving to control all aspects of their lives, including the projects they run and those who work for them.

Interestingly, when we lack certainty, we tend to panic and get stressed.

Example:
During the period when we had COVID-19 lockdowns, we faced new uncertainty. Shoppers began stocking up on basic household items — especially toilet paper. This buying frenzy led to shortages, even though, in most cases, there would have been enough to go around if people only purchased what they needed.

Enterprise risk management should be positioned to address uncertainties by shifting away from attention to avoiding failure, which is inevitable to understand the balance between decreasing levels of uncertainties.

Insider Risk Management Program

As we noted earlier, robust and resilient cybersecurity programs stem from efforts to understand both internal and external happenings within the organisation. The two aspects go hand in hand.

The reality is that organisations cannot prevent all cyber incidents. The typical approach of spending more money and resources or buying the latest risk management technologies and tools rarely proves effective. One way to establish such capability is by implementing an insider risk management program.

An insider risk management program serves as the organisation’s designated and dedicated resource for mitigating and managing insider threats.

To effectively prevent, detect, deter, and respond to insider threats from insiders, the organisation must take appropriate risk management actions. The best time to develop a process for mitigating insider incidents is before they occur.

They should possess the following characteristics:

  • They are executive-led: Sponsorship from the top is essential. They must set the stage by defining cyber risk management priorities, risk appetite, and mechanisms of accountability.
  • It requires wide participation: An effective cyber risk program necessitates participation from all essential business areas of the organisation (e.g., security, human resources, legal, senior leadership, finance, etc.).
  • Agile programs: The programs need to be responsive, active, and adaptive to new changes and requirements.
  • Integrated and comprehensive: Comprehensive cyber programs are not a set of distinct silos but rather integrated. Improving one aspect of individuals, processes, and technologies will enhance the others.
  • Extended ecosystem: The program must include various other trusted business partners, suppliers, and vendors, as a cyber breach will impact them too.
  • Programmatic transformation: It requires strong governance that allows changes in roles, processes, accountability measures, performance metrics, and, importantly, a shift in mindset.
  • Integration with enterprise risk management: It must ensure that all aspects of the organisation's risk management include insider threat considerations, not just external attackers.
  • Insider threat training and awareness: The aim is to educate individuals within the organisation about the risks and indicators of insider threats to prevent unauthorised access, data breaches, and sabotage from within.
  • Positive culture incentives: Organisations should encourage desired workforce behaviour through positive behaviour-based practices.

While a well-designed and effectively implemented insider risk management program cannot eliminate all internal risks, it can help reduce the likelihood of compromise and mitigate damage from internal incidents and external attacks.

Given today’s elevated-threat environment, protecting all assets at the highest level is impossible. However, by implementing an insider risk management program and integrating it with existing security practices, organisations can more effectively prevent, detect, deter, and rapidly respond to internal risks. This capability is integral to an effective cybersecurity practice and posture.

Categories
Article

The Danger of Blind Trust: How Employee Loyalty Can Lead to Insider Threats

The Danger of Blind Trust: How Employee Loyalty Can Lead to Insider Threats

“Train people well enough so they can leave, treat them well enough so they don’t want to.”

- Richard Branson, Founder of Virgin Group

You have recently embarked on a new job, immersing yourself in an unfamiliar work environment. Whether it involved switching roles within the company or relocating to a different city, everything feels fresh and exciting.

As the first month passes, you gradually grasp the culture and values of your new team. With time, you begin forming bonds with some of your co-workers. Simultaneously, your understanding of the inner workings and dynamics of the business expands.

Slowly but surely, a sense of trust starts to develop.

Now, the question arises: which comes first, loyalty or trust?

Before we delve into that, let’s explore a common saying: “one of the organisation’s greatest assets is its employees, but it is also its most significant risk.”

Employing someone is a crucial decision for any organisation, and rightfully so. The quality of its employees can determine a business’s success or failure, regardless of the tasks they undertake. Yet, those very employees also pose a significant threat to the organisations that hire them.

No matter how meticulous the recruitment process or comprehensive the policies and procedures, there is always a potential for disputes or breaches to arise.

Interestingly, when an insider breach occurs, it is often referred to as a breach of trust rather than a breach of loyalty.

Employers typically strive to cultivate a culture of loyalty, as it can lead to a motivated workforce, increased productivity, and long-term commitment. However, organisations must recognise that unwavering employee loyalty can also pose risks in the form of insider threats.

This article aims to explore the dangers associated with unquestioning employee loyalty and shed light on how organisations can mitigate the risks to safeguard their interests.

What is employee loyalty?

Employees are arguably the organisation’s most valuable assets.

They are the people that work day in, day out to strive to meet organisations’ missions and objectives.

Loyal employees can do absolute wonders for the future of the organisation.

Typically, employee loyalty refers to an employee remaining with a company for an extended period because they feel valued, appreciated, and believe in the overall mission of the company.

However, what does loyalty mean to you?

Does it mean:

  • That the employee must always be faithful and always act in the organisation's best interest?
  • Should they refrain from speaking negatively about their employers or team members?
  • Is it expected that they would decline a new job offer even if it comes with a better compensation package?
  • Should they never divert a business opportunity that rightfully belongs to the employer?
  • Are they forbidden from stealing trade secrets or disclosing confidential information to outsiders?

Consider this an example of a “breach of loyalty.”

Example: Virgin Atlantis sacks 13 cabin crew over unsavoury remarks

What happened?
Virgin Atlantic has sacked 13 of its cabin staff after they criticised the airline and some of its passengers on social networking website Facebook.

It was found that all 13 staff participated in a discussion on the networking site Facebook where they described passengers as “chavs” and made jokes about faulty engines.

What were the consequences?
The staff were dismissed for their behaviour as it was totally “inappropriate” and had brought the company into disrepute, said Richard Branson.

Question – What would you think if you heard the following: “I don’t know whether this employee is loyal?”

Your mind will be racing to seek questions and answers… Determining someone’s loyalty can be challenging, relying on subjective judgments and personal experiences. It often involves observing their behaviour, building trust, and fostering open communication.

Increasingly, employees define loyalty based on the specific job they perform.

They strive to learn and excel in their assigned tasks. Once they have mastered their roles, they may seek new opportunities for greater responsibility or higher wages.

Their mindset becomes, “You pay me to do X, I do Y, and we are even.”

They consider themselves “loyal” as long as they fulfil their obligations, whether they work for a company for ten years or ten months.

More and more workers are taking the view that they are the sole drivers of their careers.

And this is evident by the recent report from the 2023 Gallup State of the Global Workforce, showing that 51% expressed some level of intent to leave their jobs.

Gallup went on to say that an analysis found that engaged employees require a 31% pay increase to consider taking a job with a different organisation. Not engaged and actively disengaged employees, on average, want a 22% pay increase to change jobs.

What is employee trust?

Trust is the underpinning of life, relationships, transactions and behaviours. Trust is about “confidence”.

The opposite is distrust. When you trust people, you have confidence in their integrity and capabilities.

When you have distrust, you are suspicious.

In today’s global economy, trust is king. It serves as the social framework for behaviour and reality, providing certainty and confidence in our day-to-day interactions. Without trust, our lives would be paralysed, leading to inaction and potential chaos.

Low trust creates friction, whether it stems from unethical behaviour or incompetence in ethical behaviour. It exacts the greatest cost on individuals and organisations, giving rise to hidden agendas, politics, conflicts, disagreements, and defensive/offensive behaviour.

When a new person joins an organisation, they are entrusted with significant trust and the belief that they will represent the organisation’s best interests. They enter a “temporary probation period” where both employee and employer assess each other’s suitability, determining the continuation of the employment relationship.

If the new employee successfully proves their worth during this probation, they earn full trust. From that point forward, their trust is not questioned unless they commit a wrongdoing.

Consider this example of a breach of trust:

Example: A former Google executive stole trade secrets to start his own autonomous trucking company

What happened?
It is alleged that the former Google executive had downloaded over 14,000 files containing proprietary information and trade secrets related to self-driving car technology, giving him an unfair advantage in his new venture – Otto. Uber later acquired Otto.

What were the consequences?
The case attracted significant media attention and resulted in a high-profile legal battle between Waymo (Google) and Uber. The former executive was later fired from Uber, and the company settled with Waymo, agreeing to provide financial compensation and ensure its autonomous vehicle technology did not utilize Waymo’s trade secrets.

This case of employee disloyalty and theft of trade secrets demonstrates the potential harm caused to an organisation when an employee breaches their duty of loyalty.

However, it can also be considered a breach of loyalty. Both trust and loyalty are interconnected, and determining which comes first is complex.

What is the difference between trust and loyalty?

Whoever said, “trust takes years to build, seconds to break and forever to repair”, was correct.

We understand that loyalty among employees is beneficial for both individuals and the organisation.

However, if not managed correctly, loyalty can also foster unethical behaviour.

Consider the following examples:

  • Enron's downfall, largely caused by financial fraud, was fuelled by employee loyalty. Blinded by their devotion to the company, employees overlooked what was actually happening.
  • Theranos, the former medical technology company that claimed to revolutionise the industry, used employee loyalty to create departmental silos, preventing collaboration necessary for developing safe and functional products. By keeping teams isolated, they could attract more investments while avoiding the reality of their failing technologies.

Trust is the foundation of any healthy relationship, whether personal or professional.

It involves having confidence and belief in the reliability, integrity, and honesty of someone or something.

Trust is built over time through consistent actions, open communication, and fulfilling promises.

When trust is established, it forms the basis for loyalty.

Loyalty, on the other hand, is a deeper emotional commitment or allegiance to someone or something.

It implies a sense of faithfulness, support, and dedication.

Loyalty often develops as a result of the trust that has been built. People tend to be loyal to those they trust because they believe in their character, competence, or the value they provide.

While trust is the foundation, loyalty can be seen as a subsequent outcome or expression of that trust.

However, it’s important to note that trust and loyalty are interconnected and can reinforce each other.

Building trust can lead to loyalty, and loyal behaviour can further strengthen trust.

Ultimately, the relationship between trust and loyalty is complex and can vary depending on the specific circumstances, individuals involved, and cultural or personal values.

Here are some examples where trust and loyalty are true.

  • In a loving relationship: Family members trust and rely on each other for support, understanding, and care. Loyalty is demonstrated through standing by each other's side during challenging times and supporting one another's well-being.
  • Friendships: Close friendships are built on trust and loyalty. Friends trust each other with personal information and confide in and support each other's goals and dreams. Loyalty is shown through being there for each other, offering a listening ear, and maintaining the friendship through thick and thin.
  • Mentoring: In a mentor-mentee relationship, trust and loyalty are crucial. The mentee trusts the mentor's guidance, advice, and expertise, while the mentor remains loyal by investing time, effort, and resources to help the mentee grow and succeed.
  • Community: Trust and loyalty are essential within communities. Members trust each other to promote safety, respect, and cooperation. Loyalty is shown through active participation, volunteering, and supporting community initiatives.

Here are some examples of where trust and loyalty differ:

  • Passengers trust the pilots to fly safely to their destination but do not need to be loyal to the airline brand.
  • Patients trust their doctors to provide health care but do not need to form close friendships or be loyal to that doctor.
  • Car drivers trust the driving rules and that other drivers will follow the same rules, but they do not need to be loyal to the Government that has laid out the rules.
  • Soldiers might surrender to the enemy trusting them not to shoot them, but they will not be loyal to their combatants.

Blind Trust

Whoever said, “trust takes years to build, seconds to break and forever to repair”, was correct.

We understand that loyalty among employees is beneficial for both individuals and the organisation.

However, if not managed correctly, loyalty can also foster unethical behaviour.

Consider the following examples:

  • Enron's downfall, largely caused by financial fraud, was fuelled by employee loyalty. Blinded by their devotion to the company, employees overlooked what was actually happening.
  • Theranos, the former medical technology company that claimed to revolutionise the industry, used employee loyalty to create departmental silos, preventing collaboration necessary for developing safe and functional products. By keeping teams isolated, they could attract more investments while avoiding the reality of their failing technologies.

Blind trust can arise from an excessive reliance on employee loyalty, leading to complacency.

When employers or managers place too much faith in their employees without maintaining appropriate vigilance, blind trust can result in negative consequences.

Blind trust occurs when employers become overly comfortable and neglect to exercise due diligence in monitoring their employees’ actions, performance, and adherence to company policies.

It can stem from a long history of loyal and dedicated employees, creating a sense of complacency within the organisation.

As a result, employers may overly depend on their employees’ loyalty, overlooking potential warning signs or misconduct.

This blind trust can lead to several detrimental outcomes:

  • Employees may take advantage of the situation by engaging in unethical behaviour, such as misusing company resources or participating in fraudulent activities.
  • Productivity may decline as employees perceive a lack of accountability.
  • Additionally, blind trust can stifle innovative ideas and constructive feedback, hindering organisational growth and progress.

Example: How One Woman Stole $53 Million

What happened?
Rita Crundwell, who was a city official in the little town of Dixon, Illinois, was also the town financial comptroller. For 22 years, Rita funneled around $53 Million to build her own personal horse breeding empire while slashing police budgets, neglecting infrastructural needs and cutting staff.

When she was done raiding the taxpayers’ coffer, her crime was the largest case of municipal fraud in American history.

Video trailer – https://vimeo.com/225296132

“Trust is like the air we breathe,” Warren Buffett once said. “When it is present, nobody really notices. But when it’s absent, everybody notices.”

When you think of trust, you feel confident or open with the person or organisation. And should that bond of trust ever be broken, you should be able to recognise it.

Unfortunately, with blind trust, the confidence and openness are still there…but if the bond is broken, you probably won’t recognise or see it. I guess that’s why they call it “blind faith”.

It’s okay to trust people in both your personal and professional life. My question would be, to whom should you give blind trust? And is blind trust appropriate in the workplace?

Categories
Article

A Case In Assessing Your Organisational Culture Risk

A Case In Assessing Your Organisational Culture Risk

81,396. 

That’s how much of our life most of us spend working.1 The only thing we spend more time on is sleeping.

If we spend so much of our life at work, how is it working?

According to the world’s workers, not well.

Gallup finds 60% of people are disengaged at work, and 19% are actively disengaged.

But is that a surprise or a statistical explanation of the obvious?

Work”, according to Oxford Languages, is “activity involving mental or physical effort done to achieve a purpose or result.”

Exerting mental or physical effort to achieve anything is rarely done without stress, worry or pain.

Stress, uncertainty, worry, and some uneasiness will always be a part of the day-to-day job, but the organisation’s bad culture can exacerbate those negative emotions.

So, what makes a job bad?

According to Gallup, one study on burnout revealed the following causes:

1. Unfair treatment at work
2. An unmanageable workload
3. Unclear communication from managers
4. Lack of manager support
5. Unreasonable time pressure

However, one can define “a bad job” as failing to meet an employee’s basic needs, leading to a significant decline in job satisfaction, motivation, and productivity.

Various factors, including poor pay, long working hours, lack of job security, insufficient benefits, limited opportunities for growth and development, high levels of stress, and unsatisfactory working conditions, can characterise a bad job.

These factors can have a detrimental effect on an employee’s overall well-being.

So, what makes a business culture bad?

We know that bad business culture can result in low employee satisfaction, poor job performance, and a negative impact on the company’s overall success.

Various factors can characterise it:

  • A lack of transparency can lead to a lack of trust among employees and create an environment where people feel left in the dark.
  • Poor communication or lack of effective communication can lead to misunderstandings, conflicts, and cohesion.
  • Toxic behaviours, such as bullying, harassment, or micromanagement, can create a hostile work environment and lead to high employee turnover rates.
  • Discriminatory practices can lead to unequal employee treatment based on gender, race, ethnicity, religion, or sexual orientation, leading to a negative organisational culture.
  • High turnover rates suggest that employees are unsatisfied with their job. It could be due to poor leadership, lack of employee engagement and recognition, limited opportunities for growth and development, inadequate compensation and benefits, unhealthy work environment or discriminatory practices, among other factors.
  • Resistance to change can create a stagnant work environment where employees feel unchallenged and unmotivated.

Interestingly, bad organisational culture can also create negative word-of-mouth and reputation, making it harder to attract and retain talent in the future.

Why is it essential for organisations to self-asses their organisation culture risk?

Organisational culture has far-reaching implications for maintaining your organisation’s security integrity, especially regarding Human Insider Threats.

Most organisations move through their business life with little understanding or visibility of how or whether their culture supports their mission and objectives.

Case Study: 

The company in question is a mid-sized financial service firm with approximately 800 employees.

The company has recently experienced a high turnover rate, particularly among younger employees.

Additionally, the company had received negative feedback from clients regarding the quality of service provided.

The leadership team recognised that the culture of the organisation could be contributing to these issues and decided to take action.

Their first step was to identify its existing culture.

This involved a review of the company’s mission statement, values, and strategic objectives. Additionally, the leadership team interviewed employees at all levels of the organisation to better understand the company’s culture.

Through this process, the leadership team identified several prevalent critical cultural characteristics in the organisation.

These included focusing on individual achievement rather than teamwork, a lack of transparency in decision-making, and a high degree of competition among employees.

In the above case study, the organisation took proactive steps to identify its culture before it critically started to impact performance, capability and morale.

In today’s fast-paced business environment, it is more important than ever to clearly understand an organisation’s culture.

Organisations with a healthy culture tend to report above-average results, while those with a toxic culture can significantly negatively impact your organisation’s bottom line.

Despite this, most organisations believe they conduct internal cultural health checks, but what are the pitfalls of doing so internally?

Organisational culture refers to the shared values, beliefs, behaviours, and customs that characterize an organisation and guide the actions of its members. In the context of this article, organisational culture is viewed as a critical factor in determining the overall success of an organisation and its ability to maintain security and integrity.

Obviously, a positive organisational culture can help to foster a sense of loyalty and commitment among employees, promote effective communication, and encourage ethical behaviour.

Conversely, a toxic organisational culture can create an environment conducive to human insider threats and data breaches, which can significantly impact an organisation.

Example: Toxic culture in Uber impacted its ability to innovate and compete

What happened?

In 2017, a former Uber engineer named Susan Fowler published a blog post describing a pervasive culture of sexism and harassment at the company.

Fowler described numerous incidents of sexual harassment and discrimination and a lack of action from the company’s human resources department to address these issues.

Fowler’s blog post quickly went viral and prompted an internal investigation at Uber.

The investigation revealed that the company had a deeply ingrained culture of toxic masculinity, where aggressive behaviour and sexist attitudes were commonplace. In addition, employees who spoke out about this behaviour were often ignored or retaliated against, creating a culture of fear and silence.

What were the consequences?

In addition to the negative press and damage to the brand, the company faced several legal challenges. Several high-profile executives were forced to resign, and the company paid millions of dollars in settlements to employees who had experienced discrimination and harassment. 

The case of Uber provides several important lessons.

One of the key takeaways is the importance of creating a culture of respect and inclusion. By creating a culture that values diversity and encourages respectful behaviour, organisations can reduce the risk of discrimination and harassment.

So, why is conducting an external cultural health check important?

Business culture is considered one of the most critical factors for predicting overall success and internal security.

An external cultural health check conducted by an expert in the field can provide a clear and unbiased understanding of the organisation’s culture.

This understanding is crucial for organisations to identify potential risks to their success and take the necessary steps to address them.

Ignore at your peril

Unfortunately, there are still gaps today where management dismisses the importance of their organisational culture.

Organisations without a clear and unbiased understanding of their culture risk falling behind in a competitive market.

Example: Toxic culture at Capital One caused a data breach that affected 100 million individuals

What happened?

The breach occurred due to a misconfigured firewall in the cloud infrastructure, which allowed the hacker to access sensitive data. However, the breach also exposed flaws in Capital One’s security practices, including inadequate security controls, poor incident response planning, and inadequate oversight of cloud-based systems.

The company’s toxic culture, which emphasised speed and efficiency over security and risk management, contributed to the inadequate security practices and lack of oversight that allowed the breach to occur.

What were the consequences?

The breach exposed the personal information of over 100 million customers, including names, addresses, credit scores, and social security numbers.

As a result, Capital One faced significant financial and reputational damage and had to pay a substantial fine to regulatory authorities.

The importance of understanding your organisational culture 

A positive and healthy corporate culture does enhance employee engagement, increases productivity, and promotes positive outcomes for the organisation.

On the other hand, a toxic organisational culture can lead to low morale, high turnover, and decreased productivity.

More than simply approaching it through Employee Engagement initiatives, a good understanding of the overall culture often amplifies the effectiveness of all other initiatives.

Through an unbiased external assessment, organisations can identify areas for improvement and implement changes to their culture, including things like improving security training and awareness programs.

By doing so, they can mitigate the risks associated with toxic cultures and help prevent breaches like the Capital One data breach from occurring.

A well-executed external organisational culture assessment can also help organisations understand what they currently do to nurture a positive environment and suggest ways of extending these good practices to greater benefit.

Why run an organisational culture assessment?

By introducing an externally run organisational culture assessment, organisations can receive the benefits of an assessment conducted by an independent expert that can provide valuable insights into the organisation’s strengths and weaknesses and help identify areas for improvement.

Running an organisation culture assessment with an external expert can provide numerous benefits.

  • A thorough understanding of your organisation's culture and its impact on its mission and objectives.
  • A detailed report on the strengths and weaknesses of your organisation's culture and specific recommendations for improvement.
  • Identifying blind spots that can help identify cultural blind spots that may not be apparent to internal stakeholders.
  • An independent and unbiased assessment provides a fresh perspective on your organisation's culture and helps identify improvement areas.
  • Creating a positive culture assessment can enhance your organisation's reputation and attractiveness to potential employees and customers.
  • Fostering transparency can demonstrate a commitment to transparency and openness. This can create a more positive work environment and help build stakeholder trust.
  • A benchmark of your organisation's culture against industry standards, allowing for meaningful comparisons and identifying areas for improvement.
  • A roadmap for cultural change and improvement, providing a clear direction for your organisation to follow to achieve its mission and objectives.

The process of assessing organisational culture

Assessing organisational culture is a process that helps organisations understand their culture’s current state and identify improvement areas.

In many instances, organisations believe an external culture assessment can provide an unbiased and objective perspective on the organisation’s culture and specific recommendations for improvement.

Methodologies for assessing organisational culture. 

Naked Insider uses several methodologies for assessing organisational culture, including surveys, focus groups, interviews, and observation.

An external culture assessment typically employs a combination of these methodologies to comprehensively understand the organisation’s culture.

The role of Naked Insider in assessing organisational culture

Naked Insider is a leading provider of organisational culture assessments. Our team of experts has extensive experience in assessing organisational culture and providing recommendations for improvement. Our assessments are designed to be thorough, objective, and independent, providing organisations with a clear understanding of their culture and a roadmap for improvement.

In summary, organisational culture plays a crucial role in the success of any organisation. Therefore, a thorough understanding of the culture within an organisation is essential to identify potential risks.

1. According to the Gallup World Poll, the average full-time worker spends 41.36 hours per week working. If you assume people work 48 weeks per year, it means people spend 1,985.28 hours per year working. Life expectancy is 73, and according to the OECD, people retire at about 63. If people begin working at 22, then the average person works 41 years. Forty-one years of work at 1,985.28 hours per year is 81,396 total hours.

Categories
Article

Snapshot of INSIDER THREATS Within The Healthcare Sector

Snapshot of INSIDER THREATS Within The Healthcare Sector

As we know, Insider Threat affects both the public and private organisations. Insider threats are one of the biggest security challenges that the Healthcare industry faces. In fact, in a recent Forbes article, it indicated that 58% of healthcare systems breach attempts involve inside actors, which makes this the leading industry for insider threats today.

One of the most compelling insights is how quickly healthcare is becoming a digitally driven business with strong growth potential. However, what’s holding its growth back, is how porous healthcare digital security is. Not to mention the sheer confidential, sensitive and highly valuable information that these organisations possess, makes it easy for a clumsy or a malicious insider to compromise security and potentially cause massive harm.

Forbes went on to say that around 66% of internal and external actors are abusing privileged access credentials to access databases and exfiltrate proprietary information.

Insider Threat Example

A former Dallas Hospital guard built a botnet, using the hospital network, to attack rival hacking groups. The individual was eventually caught after he filmed himself staging an “infiltration” of the hospital network and then posted it on YouTube for public viewing. The video clearly shows the individual using a specific key to “infiltrate” the hospital, which revealed his identity as Jesse McGraw, a night security guard of the building. The investigation revealed that McGraw had downloaded malware on dozens of machines, including nursing stations with patient records. Additionally, he installed a backdoor in the HVAC unit, which, if failed, would have caused damage to drugs and medicines and affected hospital patients during the hot Texas summer. McGraw pled guilty to computer tampering charges and is serving a 9-year sentence in addition to paying $31,000 in fines.

Overview of Insider Threats Within The Healthcare Sector

The CERT Insider Threat Centre (NITC) contains over 2,000 insider threat incidents which is used as a foundation for their empirical research and analysis in this article. In total, CERT identified 88 malicious insider incidents mapped to 91 healthcare organisations that were directly victimised in the attack. Of the victim organisations, Health Network make up the largest subsector. These are the networks of hospitals and medical centres that are dedicated in bringing healthcare to specific regions.

Interestingly, 20 victim organisations indirectly employed the insider in some sort of trusted business partner relationship or non-regular full-time employment (e.g. contractors).

As the chart below shows that Fraud is the most frequent insider threat incident type accounting for about 76% of all incidents. Within these fraud cases, we generally see individuals with access to patient payment records taking advantage of their access to customer/patient data to create fraudulent assets such as credit cards in order to make a profit.

Insider Fraud Incidents
  • Who?
    • 64.3% of the healthcare fraudsters began their malicious activities within their first five year of working for the organisation;
    • 72.8% misused their authorised access (e.g. Privilege account or PII data access);
  • What?
    • Around 52.7% of fraud incidents within the healthcare sector involved the theft of customer data;
    • Around 37.5% of incidents directly targeted financial assets;
    • Around 94.9% of personal identifiable information (PII) that was stolen, was customer data;
  • When?
    • For incidents where attack was known, around 70% involved insider activity during business hours. The other 30% of incidents took place both during work hours and outside work hours;
  • Where?
    • Around 72.7% of incidents took place on site when attack location was known;
    • Around 23.6% involved both onsite and remote activity;
  • How?
    • Most incidents used rudimentary techniques.
      • 25.8% of insider incidents either received and/or
      • 24.2 transferred funds and/or abused privileges;
    • Around 36.4% the insider tried to conceal their activity in some manner such as modifying the log files, using a compromised account or creating an alias;
  • Why?
    • Around 84.8% committed insider Fraud because their motivation was financial gain.

Suggested Mitigation Strategies

Healthcare information security should be the outmost importance for the organisation. Although identity theft is the most common misuse of patient data, patients can face severe, permanent consequences from medical record misuse, alteration, or destruction.

To better protect your healthcare organisations from insider threats incidents, here are some best practices that I suggest that you adopt:

  • Mitigation protection for fraud related crimes starts with better screening and identification of employees at hiring;
  • Some insiders accumulate excessive privileges that enable then to carry out their crime. It is therefore important that you carefully control and audit roles;
  • If possible, enforce separation of duties with all of your critical processes;
  • A monitoring strategy for fraud should include monitoring access and data modification. May also include frequent random auditing on critical information fields;
  • Utilise user activity monitoring solutions to identify online user activities that can be used to detect fraudulent activities;
  • Encourage employees to recognise and report on suspicious behaviour including outside facilitations;
  • Develop an employee assistance program that includes financial counselling.
Categories
Article

Is “Intention” Positive Or Negative Behaviour?

Is “Intention” Positive Or Negative Behaviour?

Gain Understanding Of How INTENTION Can Impact Your Organisation's Risk

“Organisations are no longer built on force, but on trust”

– Peter Drucker

What’s the difference between Intent vs Agenda?

  • “Agenda” can be thought of as a temporary organised plan for matters to be attended; and
  • “Intent” can be thought of as a course of action that a person intends to follow.

Intent matters! It is vital to trust! It’s critical to organisations!

While we tend to judge ourselves by our intent, we tend to judge others by their behaviour.

Intent, by and large, is drawn of the following process:

Intent in the purpose of why you are doing something.

Motive is the reason for doing something

Agenda grows out of motive. It’s what you intend to do or promote because of your motive.

Behaviour is the manifestation of motive and agenda.

Actions are the manifestation of your behaviour. It will symbolise the activities you follow based on your intention.

Outcome will be the result of your actions, whether positive or negative.

Let me ask you two questions.

  • What do you think is the most trusted institution in society? Government? Non-profits? The media? Large companies? According to a new global survey from public relations firm Edelman, the answer is business.
  • Now, what do you think is the most mistrusted institution in society? The answer is government. Are you surprised?

According to a global survey from public relations firm Edelman, 80% of people expect their employers to act on significant social issues like climate change, racism and vaccine hesitancy. In addition, the survey found that people think business outperforms government on a range of social issues: healthcare, inequality, jobs, climate change.  

There is a severe disillusionment with the government to solve significant problems.

The impact of intent issues on trust is dramatic.

A person with integrity, capability and results but with poor intent would be someone who is honest and performs well but whose motive is suspect. For example, perhaps this person wants to win at any cost. But generally, people will sense such behaviour and will not extend their complete trust.

On the other hand, a person with good intentions but without integrity, capability and results is a caring person who is dishonest or cowardly.

Leading with intention

“Intention” is often referred to as a mental state representing a commitment to carry out an action or actions in the future.

It provides the fuel required to act. It’s the “why” and the reason for committing to something.

If you operate with intention in the workplace, you will find people are helpful, understanding, engaged and most likely motivated in the actions you are looking to execute.

However, if you operate without intention, it will undoubtedly prevent you from getting the results for you and your team.

In leadership, the more intentional your behaviour, the more likely those around you will respect and follow your lead. Likewise, when they know the why behind your request, they are more willing to come along.

Negative intention

Douglas McGregor was a leadership expert who touted the value of “Theory Y” in which you assume good intentions and believe people want to do a good job.

This is certainly accurate for most leaders. While some leaders may not be extraordinarily effective, most of them don’t wake up in the morning seeking to be anything but their best.

However, things can go wrong, and a positive characteristic can become an unhappy reality for a leader’s employees.

Often that negativity can manifest in snap judgments, the blame game, and erroneous assumptions about co-workers, especially intense and stressful situations.

Let me ask you the following – Does your organisation have good intentions? Do you have a culture of caring for one another? For your work? For your clients? For your partners?

If you feel your organisation is deficient above, the following questions might provide an insight into the problem.

  • Are people manipulative?
  • Are people withholding information?
  • Are people seeking credit where credit is not due?
  • Are people spinning the truth?
  • Are ideas being suppressed?
  • Are mistakes being covered?
  • Are there lots of fingers pointing at others for blame?
  • Are there numerous meetings after meetings?
  • Are people overpromising and underdelivering?
  • Are people pretending that bad things are not happening?
  • Are people disagreeing or arguing for the sake of it?
  • Do management and executive have a different set of rules?

We know that good culture isn’t founded on ping-pong tables or free beers. Instead, it’s based on mutual respect and values.

Unfortunately, the behaviour of a single person’s behaviour can have a serious detrimental and negative effect on the entire business, especially if it comes from the CEO of the organisation.

Positive intention

But what if I told you that the underlying behaviour of someone with negative intention has a positive intention?

There is a reason why people do what they do. Their behaviour is not random.

Have you thought of the following – why do people steal? What do people commit fraud? Why do people commit crimes that cause such harm to their organisation that it may be forced to shut down?

For every negative behaviour, there is a positive intention behind that behaviour.

Whilst the behaviour itself may be negative or unresourceful, the intention is to meet one of their core emotional needs.

When emotional needs are empty, they need to be filled for us to feel good. So, some use chocolate chip cookies. Some gamble online. Some do drugs. All these offer a quick fix but can also have negative consequences on others and ourselves.

If you observe a colleague at work and this person is bullying and harassing other colleagues, they are unconsciously aiming to meet their own emotional needs.

Rather than thinking that this person is rude, aggressive or obnoxious, try asking yourself under what extreme circumstances you feel it necessary to behave in the same way? Once you look at it through this lens, you might begin to see things differently.

Malicious Insider vs accidental vs cyber attacker

What is the difference?

Intention!

  • Malicious insider – Intentionally exceeded or misused access that negatively harms the organisation’s critical assets.
  • Accidental insider – Through their action/inaction without malicious intent that causes on the organisation critical assets

Yet, many organisations feel they have to choose between protection from outsiders versus insiders.

Keep in mind that once an outsider (with intent) gets in, there is a good chance they will perform the same types of malicious acts as malicious insiders, for example:

  • Plant malicious code or logic bomb
  • Create backdoor account
  • Exfiltrate intellectual property or other proprietary information

Insider threat is a behaviour pattern

Sometimes managers overlook the red flags (negative intention behaviour) out of concern for the bottom line or fear that it may cause the team, themselves, or their organisation.

However, a vigilant workforce (with positive intention) is an excellent defence and can usually recognise and report red flag behaviours no matter how hard insides may try and cover their tracks.

Categories
Article

Tackling The Human Factor In Security

Tackling The Human Factor In Security

How Employees Behaviour Are Making Businesses Vulnerable From Within

 “I don’t know how to exist before 9 A.M., and without coffee, I’m not classified as a human. Actually, I could be regarded as a threat.”

– Katie Findlay

What is harder to control people or systems?

You can control systems as they are reasonably predictable, people – less so.

If there is a problem with the door not closing, you can either fix it or replace it. However, if someone continues to slam the door, you will have difficulty changing that person’s behaviour.

We are very aware that the biggest threat in any organisation comes from employees even when they are not behaving maliciously.

This means CEO’s and other executives can no longer hide in the shadows from such risks.

Part of the CEO role is to manage organisation risk, which means that ultimate responsibility for insider threats and cyber threats must lie with the CEO.

Unfortunately, the CEO cannot pass the responsibility onto someone else domain, like the chief information security officer (CISO), should they experience a data breach.

Today, it’s understood that a significant data breach will ruin the bottom line and pose enormous risks to a company’s brand, reputation, stock price, and how it’s perceived by customers, partners, and even its employees.

For many organisations, protecting their high-value assets has long been considered something of a “tick and flick”. But, unfortunately, that won’t do. Being compliant does not mean security. It does not mean that you are safe.

Compliancy is like having the license to drive cars, but it does not mean you are a good driver. Hence, we have road rules, speeding, and red-light cameras to remind us to drive safely.

This mindset concerns itself more with meeting a regulator’s approval than it does in determining what’s best for a company’s well-being and overall success. Yet many CEOs feel this is enough and rest easy over issues of cybersecurity simply for this reason.

If top executives don’t properly address the potential risk a data breach could have on their organisations, they could soon be shown the door.

Examples:

  • Target – The retail giant infamous data breach in 2013 led to the payment card information of 40 million consumers. CEO Gregg Steinhafel and several other executives resigned.
  • Sony Pictures – it was revealed in 2014 that hackers leaked upcoming film releases, employee information and personal emails from Sony Pictures. Co-Chairman Amy Pascal.
  • Equifax – 145 million people, had their personal information exposed, including names, birth dates, addresses, driver’s license numbers and social security numbers. It wasn’t a huge surprise then that CEO Richard Smith was forced to resign.

Cyber security and insider risk management is not IT problem. It’s a business performance issue.

Since we realise that people are the biggest threat to an organisation, let me ask you the following question…why do people do what they do rather than what they are supposed to do?

Clearly, human beings are not machines!

What makes a person with a “good background” behave appallingly towards their colleagues, while another employee with “little resource” is extremely helpful and accommodating?

One thing is clear, humans are not random creatures. All actions that people take, they take for a specific reason.

The Theory of Planned Behaviour predicts an individual’s intention to engage in a behaviour. It provides an understanding of why a person carries out any behaviour.

The performance of a behaviour is determined by the individual’s intention to engage in it (influenced by the value the individual places on the behaviour, the ease with which it can be performed and the views of significant others) and the perception that the behaviour is within their control.

Let’s take the example of locking your workstation screen policy when leaving your desk. We all know that we should do this, but some don’t. The question is, why?

According to the theory of planned behaviour, it could be several reasons:

  • Behavioural attitude – Some may feel that they don’t like locking their computer or it isn’t essential.
  • Subjective norms – Perhaps management or others don’t follow such policies, so they feel they don’t need to adhere to such rules.
  • Perceived behaviour control – Locking a workstation is a “pain” if it is perceived that entering the password is cumbersome.

Yet, there is a more simplistic model to explain why people do what they do. There is a single driving force behind all human behaviour. This force impacts every facet of our lives, from relationships and finances to our bodies and brains – Pain and Pleasure!

Everything you and I do, we do either out of a need to avoid pain or our desire to gain pleasure. This is, for certain, how humans are wired.

 “When a behaviour is easier to do, it is more likely people will do it.”
– Nir Eyal, author of Hooked

 After all, what is procrastination? It’s when you know you should do something, but you still don’t do it. Why not? The answer is simple: At some level, you believe that taking action at this moment would be more painful than just putting it off. Yet, there comes a time that putting something off for so long that suddenly you feel pressure just to do it. What happened? You changed your reference to what you linked to pain and pleasure. Suddenly not taking action became more painful than putting it off.

Let’s take password management. People know that password security is essential and is a good thing. Yet, why do users have poor password hygiene?

Pain:

  • They have to create complex and lengthy passwords for every application connection. It’s cumbersome and time consuming.
  • It’s difficult to remember a single complex password, let alone several of them.
  • Having to change passwords regularly is annoying.

How do users move away from pain?

  • They use simple, easily guessable passwords that are easy to remember, such as 123456, monkey, password, iloveyou, qwerty, abc123
  • They reuse the same passwords for multiple applications

Poor password hygiene persists primarily because we have made it a painful and challenging process. Until that changes, the problem will stay.

 “The human brain is immensely complex and powerful. Yet, though it’s capable of incredible feats, we don’t like to use it more than we have to. Given the choice, we opt for the least mental effort. So, when we can, we tend to go for not what’s most rewarding, but what’s easiest.”
– (Rethinking The Human Factor –  Bruce Hallas)

Let’s take another example… “corporate policies.”

According to research completed by CEB, more than 90% of employees violate policies designed to prevent data breaches.

The question is, why?

Organisations believe that corporate policies will help ensure that employees behave in a certain controllable way.

Policies answer questions about what is the expected behaviour from employees and how non-compliance is dealt with.

Unfortunately, the majority of organisations are unable to enforce corporate policies, and here are the reasons why (pain):

  • Corporate policies are often convoluted, complicated and not translated into a meaningful and useable language.
  • Corporate policies are rarely followed by management and executives.
  • Corporate policies are old, not relevant and haven’t been updated.
  • Corporate policies don’t include strategic relevance and context.
  • Corporate policies aren’t linked to the organisation values.
  • Corporate policies are not effectively and strategically communicated.
  • Those who break corporate policies are rarely reprimanded.

If you were to assume “force” was the only way to bring about the right policy and control behavioural change, then you are mistaken.

Of course, human behaviour is such that if you try to change another behaviour, they naturally resist (pain). That’s because they value their perceived freedom of choice and feel pressured and trapped when things are imposed.

Traditional guidance regarding how to defend against insider threats focuses primarily on negative incentives (pain), which constrain employee behaviour or detect and punish misbehaviour. However, when relied on excessively, it can result in unintended negative consequences that exacerbate the threat. They fail to prevent damage and alienate staff even further.

On the other hand, positive incentives (pleasure) can complement traditional practices by encouraging employees to act in the organisation’s interest by fostering a sense of commitment to the organisation, the work and co-workers.

Instead of solely focusing on making sure employees don’t misbehave, positive incentives create a work environment where employees are internally driven to contribute to the organisation only in positive ways.

Let me ask you a question… why don’t cyber awareness programs work?

Simple answer: There is a disconnect between awareness and behaviour.

For all of the discussions above, it is no longer enough to limit our thinking that our problems will be solved by technical means alone. In the past, we could invest in sophisticated security systems, which was enough to maintain an adequate level of security.

 “With only a hammer as part of the toolbox, we tend to treat every problem as a nail.”
– Bruce Hallas

 No technology can pinpoint with definite certainty that a person is a threat to an organisation. Think about it, no person walks into the office with a red jacket and a sign stuck to their forehead claiming that they are a threat to the organisation.

Organisations are a collection of people who share a common purpose. People within organisations unite to focus their various capabilities and skills toward achieving personal and business goals.

If people are both the problem and the solution, then it seems somewhat perverse that we should try and solve the problem using only technology.

In research conducted by Ponemon Institute, it asked CISO’s what was top of their threat list?

Not technology! Not hackers! Not malware!

But people!

For many CISOs, the “human element” is their overriding concern and yet, as an industry, they still tend to treat weakness in information security as a technology problem.

Categories
Article

The Consequences Of Global Decline In Organisational Trust

The Consequences Of Global Decline In Organisational Trust

The moment there is suspicion about a person’s motives, everything he does becomes tainted

– Mahatma Gandhi

Trust means confidence, certainty and expectation.

When you trust people, you have confidence in them, their integrity and their abilities. When your distrust people, you are suspicious of them. You are suspicious of their agenda, their abilities, their integrity and their capabilities.

In today’s global economy, TRUST is king. Trust is the social underpinning of social behaviour and social reality. Society needs trust providing us with the certainty and confidence of the day-to-day interaction. Without trust, our lives would lead to paralysis of inaction and possible chaos.

You will not step into a plane if you do not trust that specific airline or the pilot’s ability to fly the aircraft safely. You would not drive a car if you had no trust that other drivers did not follow the road rules. You would not invest in an asset if you believed that investment could be lost at any time or you had no control of it. You would not trust a government if you knew that it was acting corrupt and mischievous. You would not trust an organisation if the culture were of toxic nature.

Low trust causes friction, whether it is caused by unethical behaviour or by ethical incompetence behaviour. Low trust is the highest cost in life and the organisation. Low trust creates hidden agendas, politics, conflicts, disagreements and defensive/offensive behaviour. Low trust slows everything, every decision, every communication and every relationship.

Example: A government employee status changed to “deceased”

What happened?  

A government employee changed the status of another employee on a database so that she appeared as “deceased” as a result of an online chat confrontation that got him kicked out of the forum.

The incident was detected when she tried to open a bank account and was informed that she was listed as deceased in the government database.

The insider was convicted, sentenced to one year of probation and fined.

High trust produces stronger relationships, develops loyalty, enhances reputation and yields better results.

In business, trust is like the human blood system, which feeds the necessary body with the oxygen it needs requires. These are often called collaboration, cooperation, empowerment, alliance, partnerships, exchange, and commerce in business. These blood vessels sustain the day-to-day quality-of-life relationships.

As such, trust impacts us 24 x 7 x 365 days a year.

Trust is the critical denominator to all our lives. Should it be removed, it will destroy the most influential leader, the most powerful government, the most successful business, the most thriving economy and the deepest of love. On the other hand, if developed accordingly, it has the potential to create unparalleled success and prosperity in every dimension of life.

Yet, we take TRUST for granted. It is the least understood, most neglected and most underestimated.

It’s a matter of trust…

Every day, your organisation processes business transactions, collect sensitive data and collaborate with partners. To make all this work, the modern enterprise depends on TRUST – trusting employees to not divulge company secrets, trusting partners to not leak customer information and trusting suppliers to protect sensitive data.

When insiders need access to sensitive information and critical systems to do their jobs and service customers, the organisation needs to establish and enforce a level of “faith” associated with that access.

Trusting stakeholders to use their access privileges appropriately and verifying that they do so can be the most critical and complex challenge of dealing with insider threats.

  • Do you trust your colleagues?
  • Do you trust senior management?
  • Do you trust your business partners?

The global deterioration of trust

Over the years, “trust” has become increasingly difficult to attain, starting with events such as the Enron, News Corp, Wells Fargo scandals exacerbated by the global financial crises and failures.

Not surprisingly, employee trust in management is declining across the globe.

There are three significant areas that weaken trust:

  1. Ethics. Ethics is the foundation to trust, but by itself is insufficient. You can’t have trust without ethics, but you can have ethics without trust.
  2. Stress. Stress has become a serious concern for individuals and organisations. Today, the workplace stress level is at an all-time high, and these implications are alarming.
  3. Disposition. The personality characteristics can contribute positively or negatively to the organisation’s welfare and goals. For example, the following diagram depicts a potential employee with a negative disposition that may cause an insider incident.

If you are a frontline employee and don’t believe senior management will do the right thing for you, you probably have no choice but to look after yourself first. When you put your agenda ahead of the organisation, any chance of the business achieving its vision of winning go right down the drain.

The negative consequences of lack of trust are too numerous to list here in the business world. However, the most devastating are trusted insiders committing harm to their organisation high-value assets.

The consequences of an insider committing harm can be substantial, including financial losses, operational impacts, damage to reputation and harm to individuals.

The actions of a single insider have caused damage to organisations ranging from a few lost staff hours to negative publicity and financial damages so extensive that organisations have been forced to lay off employees and even close operations.

Insider incidents have repercussions beyond the victim organisation, disrupting operations or services critical to a specific sector or creating serious risk to public safety and national security

Something to Think About…

If you thought building trust within is challenging, consider the following scenarios:

  • Collusion with outsiders – Insiders can be recruited by or work for outsiders, including organised crime and foreign organisations or governments.
  • Culture difference – Another level of complexity is added by the rapidity of globalisation, which brings people from all corners of the world closer together with different sets of values and cultures. The allowance for other cultures and therefore trusts within the organisation is difficult.
  • Mergers and acquisitions – Insiders from two different organisations with different cultures are forced to unify into a single structure and most often fight for the same role.
  • Foreign allegiances – Organisations operating in foreign countries must consider that insiders will have loyalties to that country.

The Universal Law of cause-effect states for every effect, there is a definite cause. So likewise, for every cause, there is a definite effect also known as “Karma” – the spiritual principle of cause and effect.

A security breach is a breach of trust.

It is the effect that an insider manifests as a direct result of a cause of action (or none), whether it be malicious or unintentional.

Organisations seeking to improve their business trust will need to engender organisation trust.

One thing for sure, critical challenges in our human social behaviour are to re-think how technology’s rapid progress will impact trust. This is especially true as we continue advancing in the realm of remote work and virtual life.

We are the architects of Naked Insider, the gold standard for helping highly valuable organisations and regulated corporations develop strategies to mitigate insider risk.

MENU

FOLLOW US:

Linkedin Youtube

© 2023 Naked Insider, Level 1 Colbee Court, Phillip ACT, Australia Tel: +61 6282 5554