A CISO's View: How to Handle an Insider Threat
Security Director Ian Keller on Enabling Responsible Disclosure Within Your Company
How does an employee get blackmailed into breaching company systems? It can be as simple as someone threatening their family and then saying, "Just stick this thumb drive into computer X located in this building and you won't hear from us again."
This really happened at my company.
The IT professional was awakened in the early-morning hours by a couple of large and unsavory individuals who asked very specific questions containing very specific details about the employee's loved ones - including their locations. Then the individuals very politely asked the employee to perform certain actions.
Security Is Everyone's Responsibility
Luckily, my company had well-known and robust reporting processes in place covering most potential scenarios, including confidential reporting. I made it a habit to talk to the staff at every "all hands" meeting, which meant everyone knew who I was and what I did. So the employee reported the matter directly to us, and we were able not only to provide protection and assistance to that person and their family but also to get law enforcement involved. This ultimately led to the unraveling of a cybercrime syndicate.
If your company does not have mechanisms in place to report potential personal compromise or potential compromise of another person, then you have a massive problem.
How do you reduce the risk associated with insider threat? Create awareness.
The steps are simple and straightforward. Create a culture in which security is everyone's responsibility and make it known that the various lines of management are there to support and help staff. I spend a lot of time talking to and teaching all the staff, from janitors through to executives, about what they should and should not do. I give them the information they need to be security assets, and I also include information for their families.
There is no magic formula or technology that can make your risks go away, and each company is different and should be treated as such. But here are a few basics that worked well for me:
- Be fully inclusive: Reporting an insider threat is for everyone, from the cleaner and the security guard all the way to the chairman of the board. Even your customers and visitors should be enabled to report matters.
- Keep the details of an insider threat investigation secret: Only the investigation team needs the details of the case, and this information must be protected at all costs; that protection is what allows trust to be built.
- Build trust: This gives people the freedom to tell you things, knowing that they won't get fired or victimized for doing so. The CEO must be the voice enabling this, and the CEO must live it - not just say it.
- Create an anonymous reporting platform or service: Make sure there is a mechanism for your staff to report matters. It must be 100% anonymous to give them the assurance that you are doing what you say you are doing.
- Follow through: Deal with every case that is reported. Even if a case seems trivial to you, the issue is a major concern to the person who reported it.
- Give feedback: In your town hall or "all hands" meeting, let the people know what you have been doing for them and how many issues you have dealt with.
We need to do a better job of listening to our employees. We hired them because they are the best people we could find for their positions and for how well they fit into the company family. Treat your staff like family, which means sometimes you need to be strict, but you never stop caring for them.
Everyone needs to have someone they know they can rely on. Be that someone.
Ian Keller, director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.