If you read my first two posts on this topic, you may be thinking that I’m describing the traditional “insider threat” that security professionals have faced for years. (The link is to the research at CERT on this topic.) But hold on a minute. It’s a bit more complicated than that. Bruce Schneier has a blog from 2005 which describes several different types of profiles that McAfee had identified on employees who put enterprises at risk. While the groupings are interesting, I especially like the (often hostile) comments from the masses regarding this post. It’s definitely entertaining to read through what are generally very defensive responses from people who have, for the most part, placed themselves into one of the four insider threat groups. The percentages listed here are huge. (Such as: 51% connect their own devices or gadgets to their work PCs.) Based upon McAfee’s categories, I would likely be talking about: “The Squatter – those who use the company IT resources in ways they shouldn’t (i.e. by storing content or playing games).” The problem is – there are no neat little categories for this stuff. It’s all very messy, since employees don’t register themselves into those groupings and many people probably fit into multiple categories at various times in their careers. The security staff needs to figure out what’s what and who’s who. (That is: are you a hacker, saboteur, gadget geek, innocent victim, etc.) It would be nice to see new percentages from McAfee for 2006 as well. Now I feel a need to get philosophical. Why? Why do they behave this way? Why is this a growing trend? If you’ll allow me to broaden the question and enlarge the focus group, why do an increasing number of people send e-mails and go to sites that they know are inappropriate using company networks or equipment? They know that what they’re doing is wrong, violates policies, and is out of place by any standard, but they do it anyway. Some of these people are technical experts. Most are not. 
Nevertheless, there are plenty of easy-to-use websites telling them how to bypass filters. We’ve all read stories about some of the new kids on the block. They’ve grown up as the tech-savvy gamers who are now entering the work force with different values and expectations. They’re coming off of college campuses with networks resembling the wild, wild west, where almost anything goes. Perhaps this cyber-smart crowd is just young and restless and looking for a few dates? They see nothing wrong with hiding certain behaviors that may happen to violate company policies – as long as their jobs are getting done, etc. So how do I know that they realize what they are doing is wrong? Like drivers slowing down when they see a cop car, this group knows enough to go out of their way to cover their tracks. By using Tor, encrypted tunnels, proxies, or whatever works, they surf around controls. What about the lawsuits surrounding internet use? USA Today just ran a piece on an IBM case. Should employees be fired or placed into internet addiction classes if they’re surfing unacceptable chat rooms and worse? The easy answer is to issue more speeding tickets and hold “public hangings” (that is, discipline the violators). I agree that some of that is needed, but there must be a balanced approach regarding education and trying to answer a new set of questions. So what’s the root issue? I think we’re witnessing our society’s new cyber ethics – or lack thereof. It may sound simple and a bit like a cop-out, but we’re talking about internet behaviors, conduct and choices in 2006, where work and home are blurring. This trend will only accelerate. As expressed in the responses to Schneier’s blog, people are now connected all the time with BlackBerrys, web-enabled phones, and a 7x24x365 set of expectations. There are also many other 21st century lifestyle factors. 
Acceptable use policies, legal issues, office politics, and a whole host of other challenges have yet to catch up with the pace of this cultural change. There are many new social trends developing online, and I don’t pretend to understand them all. I do know that current approaches are severely lacking. When growing numbers start speeding on our cyber highways, giving out more tickets (alone) won’t solve the problem. Don’t misunderstand what I’m saying. We’ve disciplined (even dismissed) plenty of people in Michigan for inappropriate surfing. I’m no softie. In fact, I’ve been accused of being too harsh on employee conduct. (Note: HR actually makes the discipline decisions here. We’re just the cyber police.) Still, America needs to start rethinking policies, employee education and many related cyber education topics. We need to get at motivational and heart-level HR issues. Yes, this is way beyond the scope of CSOs alone, but we need to lead, or at least actively participate in, this new challenge. In early 2007, I plan on a series of posts regarding new perspectives on cyber ethics and possible solutions. You may agree or disagree with my viewpoint and labels, but you’d better not ignore the problem.