Insider threats: From McDonald’s Monopoly to today, how to address how little has changed

What have we learned this year? Insider threats haven’t changed much. Companies and people still focus on the bright, shiny new technologies or expected windfalls from major projects. Many ignore the governance, controls and processes needed to successfully implement them. This creates disengagement and lowers the ability of the organization to fight inside and outside threats.


We call this “technology blindness”: people see the new features of a technology – such as the cloud, blockchain, artificial intelligence/machine learning/intelligent systems, or social media – and are so focused on being a first mover, or on the positive attention that comes from implementing it quicker than anyone else, that they ignore the obvious warning signs that there are issues.

This is especially true of the current trend of slapping the words AI-powered or ML-powered on technology solutions and expecting them to automate everything. Organizations that do this also don’t fully align the initiatives to their mission and values, which starts them down the road to disengagement.

One example is implementing blockchain without considering the governance, contracting, network and security implications, or how to maintain the systems and consortia on an ongoing basis. Another is implementing an ERP or EMR system and pushing forward to meet a date without fully considering the changes in security and organizational controls, planning, processes, policies and procedures needed to implement the system effectively. The final great example is migrating to the cloud without taking security controls on cloud-based storage into consideration. This has happened to numerous companies, most recently Capital One and several information brokers, which have collectively caused data breaches of billions of records.

Technology blindness has three measurable effects. The first is that the new system is opened up to new classes of insider and outside threats, because you haven’t threat modeled or assessed your controls, plans, processes, procedures, policies, communication plans, technology stack, or their effects on the team, and did not align the initiative to the organization.

The second is employee disengagement, caused by uncertainty about how the projects are being managed when the focus is on the technologies and not on the team or the effects on them.

The third effect is the compromise that results when the organization realizes it is suffering from technology blindness. It makes drastic changes and last-minute attempts to fix processes, policies, controls, and procedures and to address the workforce disengagement caused by the previous attempt, while still trying to come close to production dates with a drastically changed master plan and supporting communication plans.

How do we mitigate insider threats?

Strong leadership, two-way communication, detailed planning that includes all involved parties, and consideration for the team members affected are key to mitigating insider threats. You must assume that 90% of the work involved in implementing any new technology system is going to be in planning, communication, policies, procedures, processes, exception management, and developing audit and management plans for sustainment.

New technology systems represent organizational change. They also represent an opportunity for people to take advantage of executives and leadership who are enamored of new technologies and the glory that comes from being a first mover. Those people can leverage policy, process, procedure, planning, technology, audit, exception management, and implementation vulnerabilities to their benefit. You must always watch out for that. The technology doesn’t obviate human factors.

Insider threats are one of those cases where technology supports the leadership message and the people involved. You can’t just implement it. If strong process-oriented leadership does not exist, then the rest of the system you need to combat them will not be in place. Because of Jacobson’s greed, and because the top of the organization did not emphasize a culture that adheres to a good mission and values, numerous people lost their jobs and had black marks on their careers.

The fact that the story was buried by 9/11 does little to comfort its inadvertent victims or to lessen the negative impact of someone’s duplicity and greed. Governance, honesty, transparency, and providing a leadership-facilitated environment in which people can ask questions and report issues are critical to a successful insider threat and information security program. Like the use of email in the 1990s, we need to facilitate connecting. The victory isn’t in winning game pieces, but in better communication and a better overall program.

Copyright © 2019 IDG Communications, Inc.
