The Insider Threat
By Harry Chenevix-Trench.
We have long moved past the world of our cave-dwelling ancestors, yet the concept of the tribe is still one of the basic foundations of human group interaction. Tribes take many forms in the modern world, from groupings of like-minded individuals pursuing an interest, to large commercial organisations with many hundreds of members.
Human beings in a tribe often tend to feel that the threats to their tribe (and often their stability and happiness) come from outside. These can be business competitors, personal rivals, or simply people we don’t like or whose worldview is not understood. This is often true, but because we are programmed to look outside for threats, when they do occur they are expected and we take them more in our stride.
The greatest, most hurtful and most damaging betrayals and mistakes, however, come from within. This is because our betrayers are people we know and trust either personally or commercially. Because we have an expectation that those we employ or work with share our values, we overlook or ignore potential warning signs that could indicate a serious threat.
In 1992, Nick Leeson managed Barings Bank’s seat on the Singapore Monetary Exchange (SIMEX). Bold, brash and arrogant, Leeson made several unauthorised trades that netted him (and the bank) huge returns. Emboldened by both his own success and Barings’ own seeming lack of action, he continued to make illegal trades.
Nick Leeson’s luck, however, soon ran out and he rapidly began using the bank’s own error accounts (used to solve trading errors) to cover his mistakes. But, perhaps because of his first successes, the bank appeared to ignore his increasingly risky behaviour and even allowed Leeson to make and settle his own trades (thus making it easier to cover up his losses).
Nick Leeson’s catastrophic and criminal behaviour cost the bank over £800 million in 1995 and destroyed the last global family-owned bank in the world. It is tempting to say that Nick Leeson’s behaviour was enabled by poor bank governance coupled with an unwillingness to believe that someone could be so reckless.
The above shows the truism that the greatest threats, both in commerce and in life, often tend not to be the threats that come at us from the outside, but the threats that come from within. Many businesses count on the loyalty of their staff as a given and are therefore particularly vulnerable to an employee who decides (for any number of reasons) that they are going to inflict damage on their employer. The recent Panama tax leaks at Mossack Fonseca illustrate this point perfectly: all it took to damage multiple politicians, world leaders, monarchs, businessmen and companies was a single leak of information from one company.
Mossack Fonseca has stated that the cause of the leak was an external hack, made on one of their unsecured servers, but one wonders if insider information was used to gain access. After all, how were hackers able to find out that the servers were unsecured in the first place?
The Mossack Fonseca papers caused global shockwaves, and the fallout from their discoveries brought down two world leaders and proved so dangerous that attempts at censorship have been inevitable. China, for example, has banned people from even mentioning the name of Mossack Fonseca online due to the links between Chinese Communist Party leadership and offshore Panama funds. The information uncovered will likely have given many global governments the excuse they have long wanted to go after offshore sources of wealth. Due to this single leak of information, it looks like the era of the offshore account could be coming to an end.
Back in October 2015, in Blackstone’s editorial on Criminal Heists, I discussed the critical nature of inside information to criminals. In the 23 major heists studied by American academics, 65% used an insider to get the job done, and it is doubtful they would have been able to succeed without one. Equally, it is difficult to see how Julian Assange would have been able to garner the information he did without whistle-blowers in government agencies who believed in his work and ideas. Even Nick Leeson would have been hard pushed to do the damage he did to Barings without a high level of knowledge of the bank’s internal structures.
The Centre for the Protection of National Infrastructure (CPNI), with its access to UK court and criminal data, provides a wealth of valuable statistics as to the nature of the threat from the insider. After studying numerous UK ‘insider crimes’ such as fraud, as well as other lesser incidents, they found commonly repeating trends throughout.
For example, crimes such as fraud, theft and data theft tend to be committed (statistically) by men aged between 31 and 45. Statistics show that management accounted for 45% of all fraudulent actions, whilst 48% of frauds were committed by administration staff. Frontline staff at a company, by contrast, only accounted for 5% of fraud cases.
So what drove these people to commit fraud or to damage their company in some way? CPNI statistics showed that when asked why they had chosen to defraud or damage their employer, culprits almost always gave one of the five reasons below:
- Financial gain
- Ideology
- A desire for recognition
- Loyalty to friends and family
- Revenge
Faced with the above information, how should a company (or even a household) protect against the insider threat?
Do not neglect morale
Those who are happy and enjoy their work seldom turn on their employers; the 15th-century politician and advisor Machiavelli was broadly correct when he said:
“To keep his servant honest the prince should be considerate to him, honour him, enrich him, doing him kindnesses, sharing with him the honours and responsibilities so he is obligated to the prince.”
When staff are happy and working in the same direction, they will not only work harder, they will also raise the security profile of wherever they are employed. They will not want to damage the company and will prevent other staff members from doing so, because everyone’s interests appear to align and a threat to the overall integrity of the business is a threat to everyone’s livelihood.
If people are unhappy, or feel undervalued or unjustly treated by their bosses, then they will stop caring, potentially turning a blind eye to insider incidents or even committing them. Dissatisfaction often leads to feelings of resentment; many fraudsters justify their actions with the excuse that they are simply taking what they are ‘owed’.
Create your Panopticon
The Panopticon was a fictional prison designed by social theorist Jeremy Bentham where all the cells opened inwards to face a central guard tower. This meant that although all the inmates could see the tower, none could see the guards. This (Bentham reasoned) promoted self-reinforcing good behaviour because, although everyone knew the guards could not watch everyone, they could be watching anyone. This ‘feeling’ of constant oversight would help manage the population.
Although employees are certainly not inmates, modern access control technology (especially when it comes to IT systems) can effectively log the work and actions of any one employee throughout the day. Though there may be no need to go through the data, the feeling of ‘openness’ creates a strong deterrent against hostile or illegal action.
A robust access monitoring and control system therefore prevents individuals from trying to exploit company systems to their own advantage. For an insider to become a threat, they need to find an advantage of some type. Often, the reason why insider threats such as fraud, theft or sabotage go unnoticed for so long (or until it is too late) is that the responsibility for dealing with these threats is spread out across an entire organisation whose parts may not communicate with each other.
Take an interest in your staff personally and professionally
Getting to know your staff can go a long way to mitigating potential threats, as it both helps boost morale and can alert company leadership to behaviour that could become problematic. Someone known to be in debt or leading a lifestyle far in excess of their earnings will pose a much higher potential risk than an individual leading a stable life. Occasionally, however, the above may not hold true, and it is at this point that a company needs to be able to turn to a robust and centralised system of communication and audit.
Have systems in place to move on
Sometimes, regardless of how stringent a business’s infrastructure or how professional its leadership, things simply go wrong. Incidents that damage the company may not even be fraudulent or criminal, just simple (or serious) mistakes that have wide-ranging implications. In the face of an incident, it is important to have some sort of infrastructure in place to recover. The details of what constitutes a suitable Standard Operating Procedure (SOP) in the face of an insider incident would likely require many pages, but broadly speaking there are four areas that need to be considered in order to make a healthy recovery.
- React immediately
Should an incident of any kind occur, the reaction should be swift; this could mean suspending or isolating systems that have become a problem or communicating with clients and customers. A company needs to get ahead of a story in order to manage and control it. Clients may (in some extreme cases) have been informed of the problem over social media, and it is critical that the company’s own version of events be the dominant one.
- Create systems to prevent the same problem occurring in future
Regardless of whether the incident was malicious or a simple accident, the company should not only investigate how it happened but why. For example, an individual leaves a briefcase containing confidential data on a train. Examining why it happened as well as how can be key to preventing the problem occurring again.
- Communicate with those affected
If clients and customers have been affected by the incident, they need to be spoken to as quickly as possible and notified how the incident will likely affect them. Once again, it is critical for a company to stay ahead of both the media and industry gossip.
- Present a unified statement
Finally, release a unified statement to the world at large (if required) that admits to the problem and provides a viable solution to it. If a company is able to demonstrate immediately that they have a solution, it can go a long way to rebuilding trust and minimising damage.
Conclusions
Defending against the insider threat is perhaps one of the most difficult tasks faced by a modern company. Laxity could be punished by a damaging incident, but paranoia and fear create a climate that few want to work in and burden a business with unnecessary bureaucracy. Broadly speaking though, if companies have a sound knowledge of internal security matters and internal systems to monitor employees, as well as a leadership respected by the workforce, then they should have a low risk of insider threat.
But, given that insider threats are hard to predict, perhaps the most important point to remember is to have a contingency plan for how to recover. A serious problem, if handled correctly, can quickly become a past memory. But a simple issue, especially if caused by an insider threat, can threaten even the largest company with collapse when handled poorly.