Insider by chance — how to detect
The most terrible breaches are spurred by malicious insiders. But accidental violations cause businesses a lot of problems due to being seemingly unpreventable: they lead to unpremeditated data leaks, problems with law and reputation. It is necessary to find the root of a threat to put the mess in order. Risk group identification is great to begin with.
Gamblers, debtors, employees dealing with addictions and extremists
These are the likely victims of blackmail. If someone pressurises, they will commit a crime to keep their secrets private. There was a situation when an employee would blackmail an accountant as soon as the colleague had learnt about her personal relationship with a manager. Fearing exposure she would provide the blackmailer with the copies of financial reports.
One of the risk group categories consists of employees with extremist views. Political or religious affiliation is not a crime. But executives seek to secure their businesses, because there’s a fine line, and if accomplices of terrorists are identified it will damage a company’s reputation.
Overly sociable
Chatty people can let secrets out to a former colleague who had been dismissed, occasionally share information with a journalist, gossip in a staff chat via a messenger.
A client of a company developing information security products was surprised to discover one of the most loyal employees to be an insider. The leading specialist working with customers, who was going to become a top manager, was a funster. Joviality and communicability were his professional instruments at work, but together with his assailable self-esteem it would stir up some misconduct. In Facebook he had a conversation during which his interlocutor denounced his awareness of the company’s confidential details supposing that he wasn’t that knowledgeable as a co-owner. It took the top manager less than 5 minutes to disclose a bunch of trade secrets.
Disloyal employees
Disloyal employees are included into a risk group automatically — they aren’t concerned about a company’s reputation, mind no internal regulations, they’ll turn a deaf ear to any security risk warnings just because corporate values are nothing to them. A determined disloyal employee will tread out the path to a company’s secrets in social networks without a second thought.
For example, an employee of a manufacturing enterprise was exasperated with the new motivation system. He didn’t approach the management to tackle the issue in a civilised manner, he went to employer review websites and shared his indignant commentary. He complained not only about salary, but about his communication with management and colleagues. The review appeared to be impulsive combining facts and speculations. And the critical moment was when he revealed confidential details in anger.
Employees with debts
There’s nothing to comment on — in certain circumstances people are ready to disregard the law out of need. The range of such violations is wide. The most common case is theft, although there can be incidents where employees don’t rob an employer of profit but affect a company’s reputation or draw the attention of compliance or law enforcement officers.
The recent news broadly covered by the media has told about a man who was looking for the way to earn money to get treatment for his daughter and began to distribute drugs. In court he admitted that the solution he found wasn’t right.
One of the employees turned to a client with a specific request to lend her a few thousand dollars to repair her damaged car, after which she wouldn’t contact the client to return money. The client addressed the management of the company asking them to find the reckless staff member. As a result, the company’s representatives appeared to be in a bad light.
How to detect employees who should be put into risk groups
One of the tasks new DLP systems should perform is to identify perilous behavior patterns. The program detects those who sabotage their work, are inclined to destructive conduct, addicted to substances, disloyal to the company and management, or share their extremist views. The program reacts to “vague” conversations, employees who search on specific websites, captures transfer of peculiar data.
First of all, the very fact that employees with radical views tell their colleagues what is right and what is wrong persuading them to listen to extremist opinions during work hours concerns an employer. And then there’s a risk that an employee is a potential violator.
But the system doesn’t always alert to the core of the threat automatically. Sometimes an employee from a risk group can be identified by circumstantial evidence. Security policies notified the risk management specialists of a password-protected archive transfer. The incident happened in a governmental institution. When the investigation process got unfolded it was revealed that the archive included instructions on how to cultivate cannabis at home. The functionary was reading the information, and no proof of him following the directions was observed. But if the document had been found in a more dubious situation, the institution would have had to face law enforcement and narrate the whole case to the media.
Putting employees to risk groups doesn’t imply blacklisting them and preparing to dismissal. Management often doesn’t impose any particular measures. But the awareness of existing risks allows specialists to be ready to insure the company against an insider by chance.
