The Five Biggest Fallacies About Theft of Intellectual Property

 “If a man keeps an idea to himself, and that idea is taken by stealth or trickery, I say it is stealing. But once a man has revealed his idea to others, it is no longer his alone. It belongs to the world.”

Anonymous

I want to start with a story of how China stole an entire aeroplane. In October 2018, ZDNet ran a story on how China’s efforts to establish a foothold in the aviation industry by building its home-grown plane left a trail of hacks across the aviation industry.

Through a coordinated approach, “contractors” (such as hackers and cybercriminals) are hired and assigned to steal information of particular interest. If they cannot gather the intelligence, Chinese intelligence will recruit company insiders, or even coerce Chinese employees to aid their hacking efforts using blackmail or threats against families living at home.

According to the security firm Crowdstrike, the end goal was to acquire the needed intellectual property to manufacture all of the C919’s components inside China.

An indictment filed in California on October 25, 2018, charged 10 Chinese individuals with conspiring to steal aerospace trade secrets from 13 western companies, most of them U.S.-based. The indictment also revealed that French aerospace manufacturer Safran was infiltrated when employees in its Suzhou, China office inserted malware into the Safran computer network. This malware gave Chinese agents access to Safran’s confidential files.

According to U.S. Trade Representative Robert Lighthizer, China’s IP theft costs the US between $225 billion and $600 billion each year.

What is Intellectual Property?

Intellectual property is the body of new ideas that your organisation creates and owns and that is critical to achieving its mission.

The types of intellectual property are varied:

  • Proprietary software / source code
  • Business plans, proposals, strategic plans
  • Customer information
  • Product information (designs, formulas, schematics)

Some examples:

  • KFC – It’s their recipe
  • Coca-Cola – It’s their recipe
  • Tesla – It’s their software
  • Google – It’s their search engine

What is insider theft of intellectual property?

It is when an insider steals proprietary information from the organisation.

Some known examples:

  • In January 2019, Apple accused one of its employees of stealing over two thousand files containing confidential and proprietary Apple material, including manuals, schematics, photographs and diagrams relating to the company’s self-driving car.
  • In July 2019, Tesla accused a former engineer of stealing files containing Autopilot source code by copying them to his personal iCloud account in late 2018 while still working for the company.
  • In January 2020, a former SoftBank Corp. employee was arrested for allegedly passing proprietary information from the major phone carrier to officials at Russia’s trade representative office in Tokyo.
  • In March 2020, a former Google employee was charged with stealing trade secrets from its self-driving car program.

What is the impact of insider theft of IP?

The impacts of insider theft of IP can be devastating. Trade secrets worth billions of dollars have been lost to foreign countries, competing products have been brought to market by former employees and contractors, and invaluable proprietary and confidential information has been given to competitors.

The following are five fallacies that businesses believe about intellectual property theft.

IP Theft Fallacy #1

Very few insiders ever steal intellectual property to sell it. Instead, they steal it for a business advantage either to take with them to a new job, to start their own competing business, or take it to a foreign government or organisation.

Here is an example: Chinese EV startup Xpeng has stolen some of Tesla’s intellectual property, but that is not stopping the company from straight-up copying its website design too.

IP Theft Fallacy #2

There is a misconception that the IT administrators are the biggest threat.

Many people believe that because IT administrators hold the “keys to the kingdom”, they would be the prime suspects for theft of IP. According to the Insider Threat Division of CERT, there is no observable case in their database which shows that IT administrators stole intellectual property.

Those that steal intellectual property are usually current employees who already have authorised access to that IP, such as engineers, programmers, or salespeople (around 75% according to the Insider Threat Division of CERT).

IP Theft Fallacy #3

There is a misconception that an organisation’s high-level security technologies, such as SIEMs, will be able to identify and prevent IP theft.

Technology is not able to recognise human behaviour from logs and system events. You cannot infer people’s intentions and motivations from logs.

Did you know that “dissatisfaction” played a significant role in many of the IP thefts? Dissatisfaction notably resulted from the denial of an insider’s request, which in turn decreases the person’s desire to contribute and diminishes their loyalty.

Yet, machines are not able to recognise “negative emotions” as a risk and businesses regularly miss these “red flag” behaviour warnings.

Importantly, you cannot detect theft of IP until the information is in the act of being stolen. In other words, the window of opportunity can be quite small.

That’s why it is essential to pay close attention when you see potential physical behaviour indicators of heightened risk.

IP Theft Fallacy #4

There is a misconception that IP theft takes place after hours and requires sophisticated hacking.

Not so! Most of the IP was stolen during business hours and within one month of resignation using a variety of methods.

Most of these crimes tend to be quick thefts around resignation. But some of them stole slowly over time, committing their final theft right before departure.

“All of us have the right to change jobs, but none of us has the right to fill our pockets on the way out the door.”

US Attorney David L. Anderson

IP Theft Fallacy #5

There is a misconception that IP theft is only conducted by a single person.

IP theft can be initiated by a person that may not have access to the IP. Insiders can be recruited or coerced into providing the IP.

According to the Insider Threat Division of CERT, around 33% of IP thefts were for the benefit of a foreign government or organisation.

What Can You Do to Mitigate Theft of Intellectual Property?

To prevent your intellectual property from walking out the door, consider the following set of recommendations.

Review employee contracts

  • Employees do bring information with them and possibly competitive and stolen IP from their previous employer. Be aware that your organisation may be liable for the theft. As part of your IP agreement that you make new employees sign, include a statement attesting to the fact that they have not brought in any IP from any previous employer.
  • It is inevitable that many of your employees will move to other businesses at some point in time. As soon as a person turns in their resignation, you need to be prepared to act. Identify what information they are accessing. Identify movement of that information 30 days prior to resignation and 30 days post-resignation.
  • Establish consistent exit procedures, which should include access termination procedures, asking departing employees to sign a new IP agreement that reminds them of its contents as they walk out of the door, and a review of your termination policies and processes.

Periodically review and adjust your access controls.

  • Many insiders, at the time of stealing information, had access above and beyond what their job description required.

Monitor anomalous user activity.

  • Monitor online and social media actions. These sites allow employees to easily share information about themselves as well as organisation details. Establish a social media policy that defines the acceptable use of social media and information that should not be discussed or shared online.
  • Monitoring of data movement for unusual activity: large attachments, printing sizeable documents, copying or downloading certain information.
  • Tracking of all documents copied to removable media.
  • Preventing or detecting emails to competitors.
  • Targeted monitoring of users when they give notice of resignation.
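
The data-movement checks in the list above can be written as a small detection rule. The following is an added example, not part of the original article: it flags the listed indicators in an activity log and prioritises events that fall within 30 days of a user's resignation notice. The event fields, thresholds, competitor domain and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds, field names and sample data below are assumptions made for
# this example; tune them to your own environment.
WINDOW = timedelta(days=30)                 # 30 days before and after resignation
LARGE_ATTACHMENT_BYTES = 10 * 1024 * 1024   # assumed "large attachment" cut-off
LARGE_PRINT_PAGES = 100                     # assumed "sizeable document" cut-off
COMPETITOR_DOMAINS = {"rival.example"}      # constructed watch list


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str       # "email", "print", "usb_copy" or "download"
    size: int         # bytes, or pages when action == "print"
    target: str = ""  # recipient address, device label or file path


@dataclass(frozen=True)
class Finding:
    event: Event
    reasons: tuple
    priority: str     # "high" inside the resignation window, else "normal"


def indicators(ev):
    """Return the data-movement indicators that this event matches."""
    hits = []
    if ev.action == "usb_copy":
        hits.append("removable-media copy")
    elif ev.action == "email":
        domain = ev.target.rsplit("@", 1)[-1].lower()
        if domain in COMPETITOR_DOMAINS:
            hits.append("email to competitor")
        if ev.size >= LARGE_ATTACHMENT_BYTES:
            hits.append("large attachment")
    elif ev.action == "print" and ev.size >= LARGE_PRINT_PAGES:
        hits.append("sizeable print job")
    return tuple(hits)


def in_resignation_window(ev, resignations):
    """True when the user has given notice and the event is within 30 days of it."""
    notice = resignations.get(ev.user)
    return notice is not None and abs(ev.when - notice) <= WINDOW


def review_queue(events, resignations):
    """Build the analyst queue: high-priority findings first, then by time."""
    findings = []
    for ev in events:
        reasons = indicators(ev)
        targeted = in_resignation_window(ev, resignations)
        # Targeted monitoring: a leaver's downloads are queued even though
        # a download alone is not an indicator for other users.
        if targeted and ev.action == "download" and not reasons:
            reasons = ("download during resignation window",)
        if reasons:
            findings.append(Finding(ev, reasons, "high" if targeted else "normal"))
    return sorted(findings, key=lambda f: (f.priority != "high", f.event.when))


# Constructed sample data: one user gave notice on 15 March 2020.
SAMPLE_RESIGNATIONS = {"alice": datetime(2020, 3, 15)}
SAMPLE_EVENTS = [
    Event(datetime(2020, 1, 10, 9, 5), "alice", "print", 300, "designs.pdf"),
    Event(datetime(2020, 3, 1, 14, 20), "alice", "usb_copy", 500_000_000, "USB-01"),
    Event(datetime(2020, 3, 2, 11, 0), "bob", "email", 20 * 1024 * 1024, "friend@mail.example"),
    Event(datetime(2020, 3, 3, 10, 0), "bob", "download", 4096, "/wiki/handbook.pdf"),
    Event(datetime(2020, 3, 10, 16, 45), "alice", "download", 80_000, "/eng/schematics.zip"),
    Event(datetime(2020, 3, 20, 13, 30), "alice", "email", 1024, "hr@rival.example"),
    Event(datetime(2020, 4, 20, 9, 0), "alice", "usb_copy", 1_000, "USB-01"),
]

if __name__ == "__main__":
    for f in review_queue(SAMPLE_EVENTS, SAMPLE_RESIGNATIONS):
        ev = f.event
        print(f"{f.priority:6} {ev.when:%Y-%m-%d} {ev.user:6} {ev.action:9} {', '.join(f.reasons)}")
```
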

Pay attention to physical behaviour

  • Dissatisfaction, disgruntlement, or a negative argument over their entitlement may lead them down the path of IP theft.

How Can We Help you?

Are you concerned about the insider risk to your business?

Do you have critical intellectual property that you need protecting?

Have you been impacted by insider theft?

Do you need to comply with regulations showing that you have the right insider risk protection methods in place?

If so, reach out to Naked Insider – www.nakedinsider.com

Don’t Trust And Verify

For those of you who remember US President Ronald Reagan, “trust and verify” was one of his favourite themes while negotiating the INF Treaty that was concluded with the Soviet Union in 1987.

Trust is the underpinning of life, relationships, transactions and behaviours. Trust is about “confidence”.

The opposite is distrust. When you trust people, you have confidence in their integrity and capabilities. When you have distrust, you are suspicious.

In today’s global economy, trust is king. Trust is the social underpinning of social behaviour and social reality.

Society needs trust, providing us with the certainty and confidence of the day-to-day interaction. Without trust, our lives would lead to paralysis of inaction and possible chaos.

Low trust causes friction, whether it is caused by unethical behaviour or by ethical but incompetent behaviour.

Low trust is the greatest cost in life and in the organisation. Low trust creates hidden agendas, politics, conflicts, disagreements and defensive/offensive behaviour. Low trust slows everything, every decision, every communication and every relationship.

So, let me pose you this thought…if a worker turned in their expense form to the accounting department, should the accounting team then verify the submission of the form?

This leads me to the following question: Can you trust every worker that works for you? Of course, you can! But should you?

Should we, therefore, proceed with the following model “don’t trust, and verify” rather than “trust and verify”?

Let’s look closely at the following practice

When a new candidate successfully lands a role within an organisation, that new employee is granted significant trust, in the belief that this person will represent the organisation in the best way.

The new employee is placed in a “temporary probation period” during which the employee and the employer can consider each other’s suitability for the role and determine whether the employment relationship should continue.

After which, if the new employee successfully proves their worth over the probation period, that employee is then bestowed a full level of trust.

And from that day onwards, this person’s trust will never be judged unless that person has committed some wrong.

Interestingly, in the business profession, we develop trust by demonstrating our expertise and capabilities. We build credibility based on the frequency and quality of our results. To build trust, we keep showing up. Over and over again.

Yet, it is not as simple as it looks. We tend to think that human behaviour is pretty simple. Even in the most controlled circumstances, identifying how someone will behave in the future is impossible.

Someone who may appear trustworthy may encounter unforeseen life circumstances that may overwhelmingly increase the level of risk. And more importantly, we cannot expect that every person will respond in the same way. After all, we are not robots!

Which brings me to a very important issue: Security Clearances.

Individuals who hold security clearances have the great privilege of serving in positions of enormous trust and responsibility. They also have an essential legal and civic duty to adhere to strict rules on protecting classified material.

Slightly over 1% of U.S. citizens hold security clearances and an even smaller number hold the highest clearances.

Interestingly, those having U.S. security clearances are among the most trusted and most scrutinised individuals in the world.

Security clearance holders must have a demonstrated history of honesty, discretion, reliability, sound judgment, strength of character, trustworthiness, and loyalty.

However, in recent years, the U.S. intelligence community has experienced some of the worst compromises of classified information.

People like Edward Snowden, Harold Martin III & Chelsea Manning show that unauthorised disclosures of classified information may come from any security clearance holder with access to classified information.

Unfortunately, we cannot expect compromises from very trusted individuals to end any time soon. 

Let’s look at this metaphor. In various countries, getting one’s driving license can start from the age of 14 upwards. In Australia it is 17, in the US it is 16, and in the province of Alberta in Canada it is 14.

Once you pass your driving test, society will trust you, yet expect and demand you to abide by the driving rules set in that country.

Governments in their wisdom place various road signs and tools to aid our driving capabilities, such as speed limit signs, stop signs, give way signs, school zone signs, one-way signs, road work signs, no entry signs, speed monitoring cameras, police cars, red-light cameras, etc.

Interestingly, governments that issue the driver’s license never demand that drivers test their driving proficiency on an annual basis. Why is that?

Driving is a dangerous profession!

Yet, airline pilots must undertake and pass an annual set of examinations or lose their flying license. Doctors must invest in education and training every year or lose their license to practice.

Whether to trust or not to trust, verification is essential.

In 2010, the industry was introduced to the concept of “Zero Trust”.

Zero Trust is a security concept centred on the belief that organisations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.

That’s a great philosophy that is firmly centred on technology and systems, yet the most significant risk coming from people is rarely taken into account.

What Can Organisations Do?

Organisations must accurately “judge trust” on an ongoing basis.

This may sound simple, but it really is not.

We conduct background checks on potential employees before we hire them and decide if we have trust in them. However, research has shown that insider threat fraud often does not start until after an employee has worked for the company for at least five years.

You must have processes in place to continually re-evaluate that initial judgement of trust.

How Can We Help you?

Are you interested in validating a candidate’s employability?

Naked Insider measures integrity and counterproductive work behaviours among job applicants. Validated and accurate, highly effective, the test is unique in the world. It will save you thousands of wasted dollars on hiring the wrong person and potentially placing your organisation at harm.

Contact us by filling out the form of the Naked Insider website:

https://www.nakedinsider.com/contact-us  

Free Insider Threat Book

“How To Protect Your Business from Insider Threat in 7 effective Steps” by Boaz Fischer . You can download your FREE copy HERE

When The Lines Between Victim, Defender And Attacker Gets Blurred. What You Need To Know?

Let me start this discussion by asking you a simple question. What is the commonality between the Victim and the Defender? Both have trusted access.

As we know, trusted insiders are given access to highly sensitive information without necessary oversight. And those that intend to attack us know that.

For example, some insider incidents involve outsiders, sometimes from organised crime, who can approach employees of the organisation and offer to pay them in exchange for some service, or coerce them with threats into complying.

Example 1: A teller at a large US bank handled customer information on a daily basis and processed checks for customers. Heavily in debt, the employee was approached by individuals who offered to pay him to steal the personally identifiable information (PII) records of the bank’s clients. Over the course of several years, the employee sold PII to the organised crime group, who used it to create fraudulent checks, open unauthorised credit cards, and commit identity theft. The theft was eventually disrupted when the bank became suspicious of the exceptionally high rate of fraud occurring in one of its local branches.

In this case, the employee was recruited by an outsider, which is very difficult for organisations to detect, particularly if it occurs outside the workplace. And here is another well-known example, in which an insider recruits another insider.

Example 2: Edward Snowden, a contractor within the US National Security Agency (NSA), was able to persuade a colleague to lend him his credentials for accessing highly sensitive classified information, which he eventually leaked to the world.

Question – Is there a situation where the victim and the defender cooperate with the attacker, either for personal gain or to prevent further adverse consequences, either for themselves or their organisation?

Even the idea that the victim and the defender could be in cahoots with the attacker is inconceivable and ludicrous.

Yet, one way to approach the idea is really to understand the intent, risks and consequences of each party to gain a better picture.

The victim: These are individuals who have some level of responsibility for protecting themselves from cyberattacks, or who were coerced into doing something that they shouldn’t have done, and were therefore successfully breached.

What is the risk associated with the victim? Victims are at risk of having their personal data being stolen, used for fraud, or as a platform to conduct other attacks on other people and systems.

Why would the victim collude with the attacker? The victim may cooperate with the attacker either for personal (monetary) gain or because of their perceived risk of getting caught. As the fraud grows, the insider’s perceived risk of getting caught increases, which results in a real escalation of fraud activities, as can be seen in the following diagram (source: The CERT Guide to Insider Threats).

There are also some victims who are unaware that they have been manipulated and used, and their trust violated, as shown in Example 2.

The defender: These are the individuals who are tasked with protecting the organisation’s assets from cyber and insider attacks.

What is the risk for the defender? Defenders are at risk of being seen and identified as negligent, incompetent and incapable of protecting the organisation’s assets and reputation, with the resulting loss of customers, loss in the value of the organisation and shareholders’ displeasure.

What is the risk for the attacker? The attacker is taking the risk of being caught and punished.

Now, it goes against all thoughts that the defenders and the attackers would somehow collude.

Why would the defender collude with the attacker? If the value of the attack greatly exceeds the sought-after remediation, there is a greater incentive to give in to the attacker. For example:

  • Sometimes the cooperation might be considered to be beneficial for the organisation, as in the case of paying the ransom in the event of a ransomware attack.
  • Sometimes the defender will purposely try to sweep or hide the problem from the organisation, fearing that their role within the organisation is at risk, and will, therefore, collude with the attacker.

Suggested Recommendations

Consider raising employees’ awareness of this potential recruitment. Understand the types of crimes that could be committed with the information and make them understand how you monitor for such activities as a form of deterrence.

Secondly, encourage your employees to recognise and report suspicious contact in which an insider or an outsider approaches them to join in a fraud scheme. Importantly, develop the ability for employees to report suspicious events without fear of repercussions.

Develop an internal user activity monitoring strategy for insider threat activities, which may include monitoring access and data modifications on critical assets as well as anomalous behaviour.

Finally, regularly audit critical business transactions to help detect unauthorised access and modifications.

How Can We Help You?

Are you interested in identifying risky behaviour by your employees or other trust partners?

Are you interested in implementing a deterrence measure to shape people’s behaviour so that they act in the best interest of the organisation?

If you have answered yes to either of the above questions, then we can help you implement strategies to effectively mitigate insider risks. Contact us by filling out the form on the Naked Insider website: https://www.nakedinsider.com/contact-us

The Rise Of The Fake Candidate

Job seekers have been fudging their accomplishments forever.

This is nothing new!

However, it would be a disaster if you allowed an unqualified surgeon to operate on you. It would be dangerous to allow an untrained pilot to fly a passenger airliner.

Frank Abagnale, the infamous and notorious individual, assumed no fewer than eight identities, including an airline pilot, a physician, a US Bureau of Prisons agent, a teaching assistant, and a lawyer. You may remember the Academy Award-nominated feature film his story inspired, Catch Me If You Can (2002), starring Leonardo DiCaprio as Abagnale and Tom Hanks as the FBI agent pursuing him.

In 2016, Vish Nandlall, CTO of Telstra, the largest telecommunication provider in Australia, left the organisation after allegedly falsifying his CV.

However,  this is not the first time Telstra has been left red-faced after hiring employees with falsified qualifications. In 1993, Bruno Sorrentino joined the telco as head of IT and director of research but was promptly fired when it was revealed that his non-existent PhD was about as real as his chances of future employment.

What about Ken Lonchar, the ex-CFO of Veritas Software? Ken Lonchar’s five-year term as Veritas Software’s CFO came to a halt in 2002 when it was discovered that the MBA degree he claimed to have received from Stanford was fictional. Lonchar had been on a high with CFO magazine hailing him in 2001 as “accessible” and praising his ability.

How ironic?

But in these desperate times, and as unemployment rises as a result of the Coronavirus epidemic, candidates will take drastic measures to be selected for roles for which they probably have neither the skills nor the experience.

Yet, some of the blame cannot be entirely attributed to the candidate, can it?

According to Ben Zhao, a University of Chicago professor who studied online marketplaces, recruiters have a clear financial incentive to push candidates into jobs: “They are the middleman who can make significant profit by misrepresenting clients”. They might hire professional interviewers to do phone interviews, feed answers to inexperienced candidates in real time, or fake the resume to make them look better to hire.

In today’s climate of the “virtual world”, where information is labelled often in the media and online as “fake”, it isn’t surprising that fake job candidates are surging.

 

So, how can your organisation safeguard itself from fake candidates?

Here are the tips that you can adopt to weed out fraudulent candidates.

  • Request references for all of their past jobs.
  • Ensure that all candidates go through a background investigation.
  • Verify the candidate’s credentials.
  • Contact hiring managers from previous employers.
  • Ask granular questions about the skills and previous jobs.
  • Give everyone a skills test.
  • Consider running a “character integrity test”. A character integrity test allows you to evaluate your candidates’ risk of occupational offences by assessing their attitudes, opinions, and past behaviours. A low score may lead to the person committing professional crimes, theft of property, money or information, bribery and rule-breaking.

 

“In looking for people to hire, you look for three qualities – integrity, intelligence and energy. And if they don’t have the first, the other two will kill you!”
Warren Buffett

How Can We Help you?

Are you interested in validating a candidate’s employability?

Naked Insider measures integrity and counterproductive work behaviours among job applicants. Validated and accurate, highly effective, the test is unique in the world. It will save you thousands of wasted dollars on hiring the wrong person and potentially placing your organisation at harm.

Contact us by filling out the form of the Naked Insider website: https://www.nakedinsider.com/contact-us

Trust Or Not To Trust, What Choice Do You Have?

“Trust But Verify”

– Ronald Reagan, US President

Article Produced By: Sean Ofir and Boaz Fischer

Have you ever wondered whether “trust” is given by choice or provided by default?

I’m sure you have often heard the saying “trust me, I’m the Doctor”. But, are you blindly trusting that person because he has a medical degree?

From the first moment we are born, we start to build trust.

It starts with the newborn who holds the overwhelmed mom’s finger and gets its first drop of milk. The baby trusts unconsciously; some call it a survival instinct.

 

When we grow, we build trust with parents, family members, develop friendships and trust our teachers, mentors and authorities that they are on our side.

 

Some of the trust that we give out is by default

  • We send our kids to school on a school bus, hoping they will arrive safely and stay at school all day. We also trust the teachers to care for and watch over the kids.
  • When we buy coffee from the coffee stand or shop, we trust the coffee is made of fresh ingredients and is not septic.
  • When we go to the supermarket, we trust the food that we buy is not contaminated with bacteria or poisonous.
  • When we see a doctor, we trust their opinion, judgment and the treatment they offer.
  • When we board a plane, we fully trust that the pilots can get us safely to our destination.

Why do we blindly place our trust in the above examples? Do we really have any choice, or can we verify that trust?

Think about this. How do we verify a professional aeroplane pilot’s capability and credibility?

  • Should we just trust the person because they are wearing a pilot’s uniform?
  • Should we trust the pilot because they have passed many exams to be certified as a pilot?
  • Should we trust the pilot because they are gainfully employed by a well-recognised airline carrier?

How does the industry instil confidence and trust?

It’s called regulation and compliance. No matter the industry or size of the organisation, all businesses must adhere to specific laws and regulations as part of the operation. This provides the necessary confidence to the public that the organisation can deliver goods and services to a minimum level of standard.

For example, some standards outlined for the food industry focus on the entire supply chain to ensure product safety.

Simply put, regulatory compliance is when a business follows state, federal and international laws and regulations relevant to its operations.

Confidence = Trust

And the more confidence we have with an organisation, a person or a system, the more likely interactions, transactions, communications and exchange will take place.

 

Some of the trust that we give out is by choice

What is trust by choice? Trust by choice is the ability for us to decide whether we want to place that trust. For example:

  • When we shop, we trust the cashier but have the ability to check the bill to verify for accidental mistakes.
  • When we rent a house, we can inspect the building for faults or defects to report.
  • When we date someone, we have the ability to check online profiles, pictures and social media.
  • When we buy software, we check and verify that the software can do what it claims to do. Software vendors also enhance trust by allowing us to try the software for a limited period. We also seek social proof – what others have said.
  • When we decide to buy a car, we first do a test drive to see how well it drives. Buyers have also got the capability of searching online for social proof.

 

Importantly, effective trust-building requires knowing when and why to use it.

When the outcome is essential and matters more than the relationship, use “trust, but verify.” When the relationship matters more than any single outcome, don’t use it.

The phrase itself was made famous by President Reagan in the 1980s during the Cold War. It referred to information reliability and increased transparency related to nuclear arsenals.

So, what is the difference between Trust by Choice and Trust by Default?

The answer is simple. Trust by Choice is allowed when we have some level of control and change capabilities. Trust by default doesn’t allow us to control the situation, and we have to accept it as final.

Let’s look at the hiring process. Many organisations have a rigorous process for hiring new employees and executives. It starts with finding suitable candidates, interviews, clearance, background checks, social media activity monitoring etc.

These candidates will do everything to leave a great impression and guarantee that they are the best fit for the role and for the organisation.

Then, when finally chosen, the candidate is hired and joins the organisation.

Once trust is given, and the employee is onboarded, the ongoing trust is by default and can last many years ahead. Their behaviour can and will change over the years and can turn them into more dedicated, negligent or even rogue employees.

At this point, they are trusted by default, which puts the organisation at risk.

Example: The Chief Technology Officer of Telstra (the largest Australian telecommunication provider) was sacked in 2016 after serving Telstra for 21 months; he had falsely claimed to have an MBA from Harvard and had plagiarised presentation content.

So, if you had to choose between Trust By Choice or Trust By Default, what would be your preference?

 

How Can We Help you?

Are you interested in identifying risky trust behaviour by your employee and trusted business partners?

Interested in identifying how your organisation can increase its effectiveness to prevent, detect and mitigate insider harm?

We can accurately implement a User Activity Monitoring Program to provide you with the visibility of whether your employees, contractors or any other insiders are misbehaving or placing your organisation at risk.  This is called Trust By Choice.

Contact us by filling out the form of the Naked Insider website: https://www.nakedinsider.com/contact-us

What is User Activity Monitoring?

User activity monitoring is the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing organisation systems and applications. It has the ability to identify which user is presenting some level of risk and why.

 


“Everyone has a plan until they get punched in the face.”

-Mike Tyson

 With Coronavirus, we all just got punched in the face. Plans you previously made now may not apply.

There is no denying, these are overwhelming times for all of us. Stress, burnout, and anxiety are at a global high, locking many of us out of the flow.

The Coronavirus outbreak is what every news outlet and everyone else is talking about. The outbreak is moving quickly, and businesses are having to react and adapt in real time, having had no ability to plan for the depth of the economic slowdown or even shutdown.

Those in the retail, hospitality and leisure sectors are facing “catastrophic disruption” and “high levels of financial stress”.

Example: Qantas, the largest Australian airline, has stood down 20,000 workers without pay in order to survive the most significant crisis aviation has ever been through.

But, let’s not kid ourselves, other industries are severely affected too.

When consumers stay home, businesses lose revenue and lay off workers, and unemployment levels rise sharply.

Business investment contracts and corporate bankruptcies rise, putting significant pressure on the banking and financial system and then the Government.

It is a daunting time for organisations around the world, assessing the impacts on their businesses.

It will become increasingly difficult, if not impossible, to pay creditors or employees on time if the country decides to lock itself down for a period of two months or more, as happened in China.

In these extremely challenging times, businesses and employees will know that “cash is king”.

In times of severe stress, human beings will revert to the most fundamental instinct – “survival” – and consequently logical thought will be thrown out of the window.

If people are fighting over toilet paper in the aisles of supermarkets, what would they do in times of financial distress?

In these pandemic times, some individuals might lash out at the organisation, the project or other individuals as a result of being severely distraught.

If it is becoming increasingly difficult for an employee to pay their creditors, the employee may resort to finding ways to relieve this pressure.

Like a drug addict in pursuit of their next hit, an employee faced with severe money problems or mortgage foreclosure may turn to theft and threats against their current business.

What can organisations do?

Usually, I would say: “Organisations should carefully watch for employee financial red flags, if noticeable: changes in language, communication patterns, behaviour and performance that indicate personal stress.”

Unfortunately, these are not normal times. The risk of employees misbehaving and potentially causing harm increases significantly in times of financial stress. Yet the organisation’s ability to detect employee behaviour is made that much more difficult, given that the employee is either working from home or suspended.

Chances of preventing insider incidents successfully from taking place diminish as the threat of Coronavirus spreads. Chances of stopping insider harm significantly diminish as employees look for ways to survive.

 

What Can You Do Moving Forwards?

Effective measures against insider risks as a result of increasing global uncertainty:

  • Enable user activity monitoring so that you understand which user actions might place your organisation at risk.
  • Employ positive deterrence messages. In these trying times, engender positive employee engagement. Help them to act in the best interest of the organisation.
  • Most importantly, increase your communication to all of your staff with positive messages, support and encouragement. Employees need to feel that they are safe and cared for.

 

How Can We Help you?

If you are interested in identifying risky behaviour by your employees and in how your organisation can increase its effectiveness to prevent, detect and respond to insider threats in these trying times, then get in touch with Naked Insider. We can specifically implement a User Activity Monitoring Program to provide you with visibility of whether your employees, contractors or any other insiders are misbehaving or placing your organisation at risk.

Contact us by filling out the form on the Naked Insider website: https://www.nakedinsider.com/contact-us


Why The Coronavirus Outbreak Will Promote Insider Threats And What You Can Do About It?


These are overwhelming times for all of us.

Stress, burnout, and anxiety are at a global high, locking many of us out of the flow.

Coronavirus is what every news outlet and everyone else is talking about. With the devastating ongoing pandemic, public venues are being asked to close, while more companies are requesting that their employees avoid attending the office and work from home.

Although businesses have moved more and more towards work flexibility over the years, the idea of having your entire organisation working from home is altogether a different scenario.

Given that people all over the world are in a state of anxiety, apprehension and high alert, the perception and awareness of doing business as normal goes out of the door.

Emotions are running high. Stress is swelling. Fear is on everyone’s mind. What state of mind will employees be in moving forward?

Unfortunately and invariably, employees will be more careless and negligent given the stressful situation. Accidental and unintentional data loss and data leaks will be more likely to happen.

In times of severe stress, human beings will revert to the most basic instinct – “survival” – and consequently logical thought will be thrown out of the window.

Our primary concern is for ourselves – our physical health. If you have ever come across Maslow’s Hierarchy of Needs, you will see that the first three needs deal with your physiology, safety and belonging.

Yet, in these trying times, employees may be more brazen and seek to take data out for their own advantage if their wellbeing and livelihood are threatened.

In a previous article, written in November 2019, I explicitly defined the difference between Data Loss, Data Leak and Data Exfiltration. You can find the article here.

  • Data Loss – The result of data being unintentionally or accidentally misplaced so that it is no longer accessible. Simply put, it is lost.
  • Data Leak – The result of the unauthorised and unintentional transmission of data from within an organisation to an outside party.
  • Data Exfiltration – The result of unauthorised but intentional copying, transfer or retrieval of data from within the organisation and taking it out. It is often referred to as “data theft”.

As the saying goes, “data by itself” doesn’t leave the organisation. It is essential that your organisation understands its information assets: who has access to them, where they are moving to and, most importantly, whether you have visibility of people’s actions on the data.

Answering these questions will help your organisation to inventory its data and, importantly, develop the appropriate mitigation strategy, whether for data loss, data leakage or data exfiltration.

However, a more frightening scenario can occur if an employee’s livelihood is threatened. People’s behaviour is no longer the norm.

If people are fighting over toilet paper in the aisles of supermarkets, how would they react if they found out that they were fired?

If, on social media, people are being informed of a mass lay-off, how would they react to such news?

In these pandemic times, it is highly possible that some individuals might lash out at the organisation, the project or other individuals as a result of feeling aggrieved and unfairly dealt with.

Question: Would the traditional information security approach of an organisation prevail against a determined employee who wishes to steal corporate information or even sabotage the business as a result of being fired? Very unlikely.

Managing the risks of employee behaviour in times of uncertainty is made much more difficult for everyone. Not only are employees highly stressed and anxious, but those who are in charge of protecting the organisation’s assets are in the same situation. Their chances of successfully preventing insider incidents from taking place diminish as the threat of Coronavirus spreads.

What Can You Do Moving Forwards?

Effective measures against insider risks as a result of increasing global uncertainty:

  • Enable user activity monitoring so that you understand which user actions might place your organisation at risk.
  • Automatically adjust access rights and the actions that can be taken with your data, based on the real-time risk profile of the user (e.g. are they on the corporate network or in a public location?), to enable users to work anywhere without risking your sensitive data. Technology such as com
  • Employ positive deterrence messages. In these trying times, engender positive employee engagement. Help them to act in the best interest of the organisation.
  • Most importantly, increase your communication to all of your staff with positive messages, support and encouragement. Employees need to feel that they are safe and cared for.

Contact Us

For more information, you can also send us an email at sales@nakedinsider.com or give us a call at +61 26282-5554.


How To Combat The Workplace Bullying?


Everyone has the right NOT to be bullied or harassed at work.

In today’s business landscape, organisations are defined as a collection of people that share common goals and vision. So, what happens when one of your employees is on the receiving end of being bullied?

Example

I was placed with this woman on the night shift. The next time I saw her, she yelled across the hospital ‘howdy, F**KER.’ I assume she thought this was amusing because it sounds similar to my last name. It didn’t just stop there. For months and months, she only referred to me as f*cker. On one of my shifts, she told me a story about a colleague of mine who she thought was “retarded”. She made fun of her large glasses, the clothing that she wore and foreign accent.  I left my job shortly after as I felt too uncomfortable and embarrassed to go into work with this woman.

What is workplace bullying?

Workplace bullying is verbal, physical, social or psychological abuse by your employer (or manager), another person or group of people at work. 

Workplace bullying can happen in any type of workplace, from offices to shops, cafes, restaurants, workshops, community groups and government organisations. 

Workplace bullying can happen to volunteers, work experience students, interns, apprentices, casual and permanent employees.

 

What is the potential impact to your business?

The impacts of a person exhibiting negative workplace issues can be devastating.

Impacts on the business resulting from bullying behaviour can range from low business morale, a low level of trust, difficulty doing business, conflict with colleagues, less confidence at work and physical signs of stress, all the way to the bully committing malicious acts against the organisation if he or she feels aggrieved and unfairly treated, such as business disruption, leaking sensitive details or posting them online, deletion of high-value data and physical violence.

 

What can you do about it if you are the manager or executive?

One set of rules! – All employees need to adhere to one set of rules. Otherwise, you are creating a culture of accountability with two sets of rules, which undermines your role as a manager. 

One set of values! – While it may be uncomfortable to open a difficult discussion on inappropriate or destructive behaviour with your employee, you must provide clear, constructive behavioural feedback in a timely manner. Anything less will be perceived as implicit approval of these behaviours by all parties.

Don’t excuse it! – We often make excuses for “bullies” who have a temperament that negatively impacts those around them. Understand what is driving their behaviour, but if it doesn’t improve, remove the employee.

Consider the source! – Every human being is driven by two forces: pain and pleasure. Identify the reason why this person is behaving this way. Is the person seeking attention and importance (pleasure) or is the person hiding a personal problem (pain)? These insights will give you an understanding of the ways in which you can deal with this person. Either way, work out how the behaviour must change, but if it doesn’t improve, remove the employee.

Offer support! – Have a performance-related conversation. There must be clear understanding and communication of the problem, the behaviour and the expectation. It’s not enough to tell them to fix the issue. They might need your support or the assistance of an employee program. Let them know that you are behind them.

Document Everything! – If you conclude that you need to fire the person, you must first document their offences and any response you’ve offered so far. You want to establish a pattern of behaviour, the steps you took to address it, the information, warnings or resources provided to the employee, and the failure of the employee to change. Include any supporting material – formal complaints, relevant information from performance evaluations, such as 360-degree or peer reviews. The idea is to protect yourself and the company and to show your employee exactly why they are being let go.

Separate The Person! – If, for some reason, you are unable to get rid of the “bad apple”, isolate the person from the rest of the group. Those with toxic behaviours like to feed on others and their reactions. When such feedback is less forthcoming, their behaviour starts to subside.

 

How can we help you?

If you fear that you may have such a difficult person to deal with and that you are not sure how to proceed, then let us help you.

At Naked Insider, we have qualified and certified Neuro-Linguistic Programmers who can directly or indirectly intervene. We can also help you set up an “employee assistance program”. And we can certainly provide a customised training program for supervisors and managers, helping them positively handle and manage negative workplace issues from employees.

 


 

Contact us

For more information, you can also send us an email at sales@nakedinsider.com or give us a call at +61 26282-5554.


How To Combat The Toxic High-Performer Employee?


When your best employee has the worst attitude, what do you do?

The top performers in their fields, from LeBron James to Oprah Winfrey to Bill Gates, seem to have it all. Through a combination of talent, drive, and hard work, they lead their organisations to the next level.

In today’s business landscape, organisations are defined as a collection of people. So, what happens when one of your top-performing staffers has a problematic disposition?

According to Dylan Minor from the Kellogg School of Management, “There is a difference between a toxic and a rude employee. I call them toxic because not only do they cause harm but they also spread their behaviour to others. There is a pattern of de-energizing, frustrating or putting down teammates.”

Example

Ellen Smith was repeatedly laughed at and called the “B” word by one of her co-workers, who claimed that he was the “ants pants salesperson for the business”. When she brought it to the attention of her two managers, they did nothing. They didn’t even acknowledge the email that she sent them. Nothing was said to her co-worker, who was sitting around gossiping and continuing with his sexual harassment. Two months later, she was fired for not being a team player. She was eight months away from having served 30 years with the company.

So-called “toxic employees” are one of the most common corporate culture downfalls. Good culture isn’t founded on ping-pong tables or free beers. It’s founded on mutual respect and values. Toxic employees undermine corporate culture initiatives and degrade the best kinds of HR programs.

But what happens if they are the top-performer toxic employee? Do you just ignore it? Do you try and sweep it under the carpet? Or do you terminate this brilliant-toxic employee?

On one hand, they are wickedly smart subject matter experts or functional specialists, but on the other hand, their brilliance comes with a measure of toxicity that is detrimental to the workplace culture and surrounding colleagues. 

So, who are they? There is an infinite number of variations of what a toxic employee looks like, but in general, it’s someone who is negative, blames others for their mistakes, and struggles to hold themselves accountable.

Some employees take it to the next level – the “narcissistic personality”. Such people have a grandiose sense of importance, are preoccupied with fantasies of unlimited success and brilliance, and believe that they are special, unique and can only be understood by other “special high-status people”.

 

What is the potential impact to your business?

The impacts of a person exhibiting negative workplace issues can be devastating. Negative behaviour by employees can lead to low business morale, a low level of trust, difficulty doing business and conflict with colleagues, all the way to insider sabotage such as hacking, business and network disruptions, leaking the organisation’s sensitive details or posting them online, and deletion of high-value data.

What can you do about it?

One set of rules! – Brilliant or not, you cannot dismiss the concerns and complaints from employees about toxic or disruptive behaviours from another employee. By rationalising one employee’s behaviour, you are creating a culture of accountability with two sets of rules, which undermines your role as a manager. 

One set of values! – While it may be uncomfortable to open a difficult discussion on inappropriate or destructive behaviour with your resident genius employee, you must provide clear, constructive behavioural feedback in a timely manner. Anything less will be perceived as implicit approval of these behaviours by all parties.

Don’t excuse it! – We often make excuses for “top-performers” who have a temperament that negatively impacts those around them. Understand what is driving their behaviour, but if it doesn’t improve, remove the employee.

Consider the source! – Every human being is driven by two forces: pain and pleasure. Identify the reason why this person is behaving this way. Is the person seeking attention and importance (pleasure) or is the person hiding a personal problem (pain)? These insights will give you an understanding of the ways in which you can deal with this person. Either way, work out how the behaviour must change, but if it doesn’t improve, remove the employee.

Offer support! – Have a performance-related conversation. There must be clear understanding and communication of the problem, the behaviour and the expectation. It’s not enough to tell them to fix the issue. They might need your support or the assistance of an employee program. Let them know that you are behind them.

Document Everything! – If you conclude that you need to fire the person, you must first document their offences and any response you’ve offered so far. You want to establish a pattern of behaviour, the steps you took to address it, the information, warnings or resources provided to the employee, and the failure of the employee to change. Include any supporting material – formal complaints, relevant information from performance evaluations, such as 360-degree or peer reviews. The idea is to protect yourself and the company and to show your employee exactly why they are being let go.

Separate The Person! – If, for some reason, you are unable to get rid of the “bad apple”, isolate the person from the rest of the group. Those with toxic behaviours like to feed on others and their reactions. When such feedback is less forthcoming, their behaviour starts to subside.

How can we help you?

If you fear that you may have such a difficult person to deal with and that you are not sure how to proceed, then let us help you.

At CommsNet Group, we have qualified and certified Neuro-Linguistic Programmers who can directly or indirectly intervene. We can also help you set up an “employee assistance program”. And we can certainly provide a customised training program for supervisors and managers, helping them positively handle and manage negative workplace issues from employees.


Contact us

For more information, you can also send us an email at sales@nakedinsider.com or give us a call at +61 2 6282-5554.


Combating The Insider Threat Supply Chain Trust


In today’s business landscape, organisations often rely on suppliers such as technology vendors, business partner resources, suppliers of raw materials, shared public infrastructure, and other public services. These “outside” entities are all examples of the supply chain, which is a type of trusted business partner (TBP). However, these outside entities can pose significant security risks.

Example – Target

The infamous Target hack back in November 2013 was traced back to network credentials that were stolen from a third-party vendor. The vendor in question was a refrigeration, heating and air conditioning subcontractor that has worked at several locations at Target and other top retailers.

It wasn’t clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network.

The result was the data leakage of personally identifiable information of over 100 million individuals.

 

So, what is a supply chain attack?

A supply chain attack, also called a “value-chain” or “third-party” attack, occurs when someone infiltrates an organisation’s systems through an outside partner or provider with access to the victim’s systems and data.

The risks associated with a supply chain attack have never been higher, due to increased cooperation and partnership between organisations.

The use of trusted business partners is common today. Organisations outsource primarily to cut costs. But today, it is not only about cutting cost but also about reaping the benefits of strategic outsourcing such as accessing skilled expertise, reducing overhead, flexible staffing, and increasing efficiency, reducing turnaround time and eventually generating more profit.

Meanwhile, attackers have more resources and tools at their disposal than ever before, targeting the smaller, less security-capable organisation that leads to the bigger prize.

As the saying goes: “why try to break the front door when you can come around the back?”

A survey conducted in late 2018 by the Ponemon Institute found that 56% of organisations have had a breach that was caused by one of their trusted business partners.

The Ponemon Institute went on to say that misuse or unauthorised sharing of confidential data by third parties was the second-biggest security worry for 2019 among IT professionals.

Here are two questions for you:

  1. How many of you consider the risks when the supplier relationship is terminated? And
  2. Do you include adequate details for managing the tricky process of vendor termination?

Other risks to consider

  • Risks in hardware and software supply chain – Almost every company uses outside software and hardware. Each purchased device, each downloaded application needs to be vetted and monitored for potential security risks, and all patches have to be up to date.
  • Risks in using cloud providers – Your business applications and data are housed at a trusted cloud provider’s site over which you have no control, let alone knowledge of who has access to it.
  • Risks from professional services – Just because services are provided by trusted business partners, it doesn’t mean they are immune to the same problems that you may be experiencing. They too could be impacted by an insider incident.

 

Highly recommended practices to adopt

The list below outlines several best practices that are available to assist you with mitigating insider threat risk within the supply chain.

  • Acknowledge that supply chain trust risks exist. Identify each supplier’s scope of activities and where they fit into your organisation’s supply chain.
  • Define and document the rules of engagement. Define the terms and conditions, ensuring that these rules are integrated into the contract between the supplier and your business.
  • Deploy a monitoring strategy. Never assume that the trusted business partners are doing the right thing by you. Trust and verify. Monitor their actions and identify anomalies and deviations.
  • Form effective partnerships by having clear communications that are supported at all levels of your organisation.
  • Background screening. Don’t rely on the trusted business partner to screen their people. Do your own investigation to mitigate insider threat risks adequately.
  • Develop a formal onboarding process to help your business set up a coherent, trustworthy and communicative relationship. That includes inducting the TBP into the organisation’s policies and procedures.
  • Develop an intellectual property (IP) ownership policy. Define your organisation’s ownership rights over IP created.
  • Ensure there is an acceptable use policy that informs the TBP about the use of the organisation’s assets.
  • Reporting of a policy violation by the TBP. Any violation by the TBP must be reported through a defined process.
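One way to turn "define the rules of engagement" and "trust and verify" into a check, as an added example that is not part of the original article: each trusted business partner's contract scope and end date are recorded in a register, and every access event from a partner account is tested against it. The partner names, accounts, systems and log format below are all constructed for illustration.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Partner:
    """One trusted business partner (TBP) as written into the rules of engagement."""
    name: str
    accounts: frozenset            # logins issued to the partner's staff
    allowed_systems: frozenset     # systems the contract scope covers
    contract_end: Optional[date]   # None while the contract is still running


@dataclass(frozen=True)
class Finding:
    timestamp: str
    partner: str
    account: str
    system: str
    rule: str


# Constructed register: every name here is hypothetical.
REGISTER = [
    Partner("hvac-contractor", frozenset({"hvac_svc", "hvac_tech1"}),
            frozenset({"billing-portal", "facilities-mgmt"}), None),
    Partner("old-msp", frozenset({"msp_admin"}),
            frozenset({"helpdesk"}), date(2024, 3, 31)),
]

# Constructed access log: timestamp, account, system.
SAMPLE_LOG = """\
2024-03-30T14:00:00,msp_admin,helpdesk
2024-04-02T09:15:00,hvac_tech1,facilities-mgmt
2024-04-02T09:40:00,hvac_svc,payment-network
2024-04-03T23:05:00,msp_admin,helpdesk
2024-04-04T10:00:00,jsmith,payment-network
"""


def audit_partner_access(register, log_text):
    """Return a Finding for every partner access that deviates from the register."""
    by_account = {acct: p for p in register for acct in p.accounts}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # blank or malformed line
        ts_raw, account, system = (field.strip() for field in row)
        partner = by_account.get(account)
        if partner is None:
            continue  # not a partner account; employees are handled elsewhere
        try:
            when = datetime.fromisoformat(ts_raw)
        except ValueError:
            findings.append(Finding(ts_raw, partner.name, account, system,
                                    "unparseable_timestamp"))
            continue
        # Rule 1: the relationship was terminated but the account still works.
        if partner.contract_end is not None and when.date() > partner.contract_end:
            findings.append(Finding(ts_raw, partner.name, account, system,
                                    "access_after_termination"))
        # Rule 2: the partner touched a system outside its documented scope.
        if system not in partner.allowed_systems:
            findings.append(Finding(ts_raw, partner.name, account, system,
                                    "out_of_scope_system"))
    return findings


def summarise(findings):
    """Count findings per partner and rule, for the violation-reporting process."""
    summary = {}
    for f in findings:
        summary.setdefault(f.partner, Counter())[f.rule] += 1
    return {partner: dict(counts) for partner, counts in summary.items()}


if __name__ == "__main__":
    for finding in audit_partner_access(REGISTER, SAMPLE_LOG):
        print(finding)
    print(summarise(audit_partner_access(REGISTER, SAMPLE_LOG)))
```

The second rule is the control the Target example lacked: a facilities vendor reaching a payment system shows up as a scope deviation the first time it happens.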

 

How can we help you?

If you fear that some of your trusted business partners may be taking advantage of your business or may be placing your organisation at risk by performing unwarranted actions, then we can uncover the risks and security blind spots in how your trusted business partners interact with your organisation through an insider risk assessment.

The insider risk assessment is your first step in gaining control and certainty about the potential risks from trusted business partners.

Within 30 days, we will be able to provide you with a report on your organisation’s risks and elevate your highest-risk users for inspection.

  • Simple deployment of a collector on endpoints of your choosing
  • For 30 days, we will monitor your endpoints, collect user activity data and analyse it
  • Threat report – We will review the findings and alerts and compile an executive summary and detailed report that highlights the biggest risks to your organisation

How to get started? Get A Threat Assessment HERE or contact us

sales@nakedinsider.com

 

Contact Us

For more information, you can also send us an email at sales@nakedinsider.com or give us a call at +61 26282-5554.