Friday 28 June 2013

The role of organisational factors in insider cyber activity

A cyber insider is someone who (knowingly or unknowingly) misuses legitimate access to commit a malicious act or to damage their employer.
It is widely recognised that the threat to enterprises from insider activities is increasing and that significant costs are being incurred.
Where an insider act takes place, there is often an exploitable weakness in the employer’s own protective security or management practices which enables the insider to act.
The following organisational practices were identified as key enablers to an insider act:

  • Poor management practices
A general lack of management supervision or oversight of employees meant that many of the behaviours, problems and activities of the insider were noticed but went unaddressed.
Management failure to address individual issues within the workplace (such as poor relationships with colleagues, absenteeism or anti-social behaviours) often appears to have resulted in the behaviours becoming more frequent or extreme.
Management failure to manage and resolve workplace issues (such as boredom or lack of work, overwork, lack of resources or specific grievances) appears to have contributed to the level of employee disaffection.
  • Poor usage of auditing functions
Some organisations had not made regular and systematic use of their own IT or financial auditing functions to be in a position to quickly spot irregularities or unusual behaviours.
This enabled insiders to act in the first place and for some to continue acting without detection for longer than necessary.
  • Lack of protective security controls
Some organisations had not implemented simple systems for controlling how employees could introduce or remove organisational data electronically, or for preventing them from manipulating organisational information remotely, even after their employment had been terminated.
Basic ‘need to know’ principles were not rigorously applied, allowing some insiders to acquire knowledge they did not actually need for their job and then use it to commit an insider act.
Lack of segregation of duties was particularly in evidence in process corruption cases, where one individual would be in a position to manipulate systems or data without needing approval or endorsement from a second employee.
  • Poor security culture
The case studies often revealed that a poor security culture existed in areas where insider acts took place, with a general lack of adherence to security policies and practices by employees, and with management being either unaware of these malpractices or failing to deal with them effectively.
Examples of the most common occurrences were the sharing of security passwords amongst employees, not locking computer terminals and allowing others to use logged-on terminals, sensitive materials being left on desks, security containers being left unlocked and pass access to secure areas not being enforced.
  • Lack of adequate role-based personnel security risk assessment prior to employment
In some insider cases organisations had placed individuals in positions without considering their suitability for the role and the potential complications that might arise. For example, there were cases where employees had been placed in roles likely to make them more vulnerable to compromise due to their nationality, family connections or ideological sympathies.
There were also cases where the insider simply did not have the skills, experience or aptitude for the role, and without careful management the employee was easily manipulated by a malicious third party or simply unwittingly committed an insider act.
  • Poor pre-employment screening
In a small number of process corruption cases it was evident that the appropriate level of pre-employment screening had not been undertaken; most notably, failures to identify that the individual had a history of fraudulent behaviour (such as credit card or benefit fraud) prior to recruitment.
  • Poor communication between business areas
The study has shown that if an organisation does not communicate and share information about threats and risks, but keeps the information in organisational silos, then its ability to mitigate and manage insider activity is severely reduced.
The study found cases where counter-productive workplace behaviour was known in one part of the organisation but had not been shared with others, resulting in delays to the organisation taking mitigating action to reduce the risk.
To fully understand the level of risk an employee poses, an organisation should be able to access information held by Human Resources concerning performance and welfare issues, information held by IT about access to electronic data, and information held by Security about physical breaches of security policies. If information is retained by just one area of the business, the organisation may misjudge the risk that it is carrying.
  • Lack of awareness of people risk at a senior level and inadequate governance
A lack of awareness of people risk at a senior level can lead to organisations failing to give the insider threat the attention and resources necessary to address it. There needs to be a single, senior, accountable owner of people risk to whom all managers with a responsibility for people risk report.
Inadequate corporate governance and unclear policies in managing people risk and strengthening compliance can also make it more difficult to prevent and detect insider activity.
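As an added illustration (not part of the original post) of the "poor usage of auditing functions" and "lack of protective security controls" points above, the script below runs two systematic audit checks over a small, constructed access log: access by accounts whose employment has already ended, and payments raised and approved by the same person (no segregation of duties). The log format and the HR leaver list are assumptions made for the example.

```python
"""Two audit checks over a constructed access log: post-termination access
and missing segregation of duties. Sample data is invented for illustration."""
from datetime import date

# Constructed HR leaver records: account name -> last day of employment.
LEAVERS = {
    "jsmith": date(2013, 5, 31),
}

# Constructed audit log lines in an assumed CSV layout: date,user,action,detail
AUDIT_LOG = """\
2013-06-03,jsmith,login,vpn
2013-06-03,jsmith,export,customer_db
2013-06-04,amiller,raise_payment,PAY-1001
2013-06-04,amiller,approve_payment,PAY-1001
2013-06-04,bkhan,raise_payment,PAY-1002
2013-06-05,cjones,approve_payment,PAY-1002
"""


def parse_log(text):
    """Turn the CSV lines into (date, user, action, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, action, detail = line.split(",")
        events.append((date.fromisoformat(d), user, action, detail))
    return events


def post_termination_access(events, leavers):
    """Events by an account after the user's last day: access that should
    have been revoked when employment ended."""
    return [(d.isoformat(), u, a, x) for d, u, a, x in events
            if u in leavers and d > leavers[u]]


def sod_violations(events):
    """Payments raised and approved by the same person, i.e. no second
    employee endorsed the transaction."""
    raised = {x: u for _, u, a, x in events if a == "raise_payment"}
    return sorted(x for _, u, a, x in events
                  if a == "approve_payment" and raised.get(x) == u)


if __name__ == "__main__":
    ev = parse_log(AUDIT_LOG)
    for hit in post_termination_access(ev, LEAVERS):
        print("post-termination access:", hit)
    for pay in sod_violations(ev):
        print("segregation of duties violation:", pay)
```

Run regularly against real HR leaver data and access logs, checks like these give the "regular and systematic use" of auditing the study found missing.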
