You Can’t Control Your Insiders

People are the living, thinking, feeling beings who work in an organisation to achieve their own objectives. No matter how much you are invested in the business—as CEO, as a leadership team member, whatever it is—you have to remember that each and every person, including those on the same level, have aspirations, wants and needs that are absolutely independent to your own. Not only that, but work may not factor into any of them. To expect the same level of commitment and control is madness.

An additional aspect of the modern workforce is that it has become a rich melting pot of diversity. Employees bring a wide array of backgrounds, talents, beliefs, values and perspectives to their jobs. Corporate policies rarely reflect the diversity of the staff they are addressing, and that is reflected in the lack of influence the policies are able to exert.

All of these factors have been compounded by a steady decline in the work ethic and a rise in emphasis on leisure, self-expression, fulfillment and personal growth. All of which are designed to ensure balance and protect mental health. I believe these are all great for business when harnessed and used to help generate interest and motivation.

However, when a workplace takes a dim view of employee freedoms and tries to push back on balance, the risk of insider threats increases exponentially.

The net effect is that the automatic acceptance of authority by employees has significantly decreased. The world is too big a place with too many connections and influences for an employer to take the hard line. The desire for participation, autonomy and personal control have increased to the point where it’s now the organisation that must evolve in order to protect itself.  

Disengagement is the gateway to insider danger. When an employee does not care anymore, for whatever reason, then the rulebooks, policies, protocols and safeguards go out of the window. If they want to do harm, they will. Therefore, you must understand that the only protection is to prevent disengagement.

An employee will never turn up at work and tell the boss they are disengaged today—but they might tell a colleague. Would that colleague understand the risk and report it? If they don’t get told directly, would they spot the signs and report it? Do your staff know each other well enough to see the signs and do the mental arithmetic to know that it has now become a risk? Is there a process for them to follow should any of these events transpire?

Some of you may be reading this and thinking to yourself that the organisation recruitment policy should handle much of the heavy lifting here, and that by hiring the right people, you mitigate the risk.

While I commend how highly you regard your recruitment policy, I doubt that even a good look at a candidate’s social media accounts and some aptitude tests will stand the test of time. Most insider risk comes from those who have been in the business for some time. Not only has their life moved on significantly, but so has their responsibility, leading to a real chance that they have become disenchanted. More on this later.

As you can see, insider risk is a tricky subject, and we are just at the beginning of this discussion.

Example: Facebook Employee Allegedly Boasts He’s A Stalker

What happened?

A Facebook employee, a security engineer, took advantage of his position to access personal information, which he then used to stalk women online.

What were the consequences?

The employee in question was fired.

The incident comes as the #MeToo movement has swept through companies across America, forcing businesses to act swiftly in response to allegations of sexual harassment and assault.

The revelations, as well as the Cambridge Analytica data disclosure, led to Facebook CEO Mark Zuckerberg testifying before Congress and implementing tougher privacy measures and expanding user privacy controls.

Dealing With Insider Risk 

The traditional approach to defending against security risks focuses primarily on negative incentives, which constrains employee behaviour or punishes misbehaviour. These tactics attempt to force employees to act in the interest of the organisation. When relied upon too excessively, they can result in negative, unintended consequences that exacerbate the threat.

Consider using positive incentives that are designed to encourage employees to act in the interest of the organisation. This will foster a sense of commitment and partnership to the organisation, the work and co-workers. Feeling cared for generates a need to reciprocate.