Two New Insider Threats to Consider

Just when many security professionals thought company “insider threats” might be under control – along comes the Edward Snowden story as well as new technologies that don’t fit traditional insider threat paradigms.

Over the past several years, numerous groups, such as the FBI, CERT.org and securelist.com, have attempted to categorize and describe how to combat various insider threats that we face every day.

Recent headlines have highlighted what I believe are two new threats that have traditionally received minimal attention. These new insider threats include a new employee profile to consider and a series of disruptive technologies. Specifically:

1. The conscientious objector
2. Wearable technology

After Snowden: Should we add ‘conscientious objector’ as a new insider threat category?

Even while the case of Edward Snowden continues to develop before our eyes and grab global headlines, most of us can agree that the NSA contractor thought of himself as a ‘conscientious objector’ of sorts. He revealed the NSA PRISM program because he didn’t like where he thought it was leading American society. There is a huge debate about his true motives and intentions, but those topics are for a different article.

Some people may include Bradley Manning, the Wikileaks informer, in this ‘conscientious objector’ category as well. However, that assertion is not as clear in my view. Time will tell how society ultimately views these two men.

As I have written in a Government Technology blog, I believe Snowden is no Bonhoeffer. He revealed classified documents to the press, and he needs to be brought back to the USA to face the consequences. I am attempting to bridge the gap between those who call Snowden a ‘whistleblower’ or even a hero in contrast with those who view him as a traditional spy who revealed US secrets or even call him a ‘traitor.’

Nevertheless, along with my mother-in-law and other Snowden supporters, I don’t think he fits easily into any of the securelist.com insider threat profiles. If you believe his video comments, Snowden’s actions were motivated by growing convictions against the government’s PRISM program policy and/or implementation of NSA’s overall surveillance program.

Note: The Securelist insider threat categories include: the careless insider, the naïve insider, the saboteur, the disloyal insider, the moonlighter and the mole.

Regardless of whether you are a supporter of Snowden’s actions or you seriously question what he did, I hope you can agree with me that there are many ways that someone can be a conscientious objector in situations that go beyond military matters.

For example, this Forbes article discusses nurses who struggle with conscientious objections in offering healthcare treatment to certain patients or performing certain procedures.

How could a conscientious objector be an insider threat?

First, I want to emphasize what I am NOT saying. I am not referring to traditional whistleblowers who go through formal company processes or hotlines to reveal fraud, waste or abuse. To be sure, these whistleblowers are to be commended and praised. Nor am I talking about staff going to the police when crimes are committed – assuming appropriate company policies and procedures are followed.

Second, I am talking about employees going outside the normal process to “reveal” information that makes them uncomfortable – such as sharing data with groups or people that the company or government could reasonably argue were improperly given the information. This could include going straight to the press or posting material on social networking sites.  

I think more computer programmers or engineers, who disagree with their company’s ethics, policies or procedures, will take unauthorized actions in the future. Or, employees will go public with management’s enforcement (or lack thereof) regarding security or privacy policies, rather than work through company prescribed guidelines. For example, an employee from a computer company could be unhappy with the tracking of the online habits of customers and release damaging data to the press or to competitors.  

Third, this discussion walks a fine line between inappropriate management action(s) on the one side and employees becoming an insider threat because they disagree with a company policy or procedure on the other. Like Snowden, some employees will see themselves as a whistleblower while management will likely see them as violating policies and/or procedures. I am not making a value judgment regarding the merits of who is right or wrong – only saying that this will be an issue that security pros will be pulled into going forward – just as we are involved in employees being terminated today. 

Fourth, one question becomes what happens if/when an employee decides to go public with information that harms the reputation of a company or government.  Actions could affect stock price, harm customer relations, and inhibit capabilities or cause lawsuits. 

Topic #2 – Is there a camera in those glasses? Or, will we need data loss prevention (DLP) for clothes?

Another hot topic in the press right now is wearable technology from glasses to watches to gloves. While this new technology is getting a mixed greeting from privacy advocates, most experts see wearable technology as inevitable. But are enterprises ready? Will wearable technology become another aspect of bring your own device (BYOD) to work anytime soon?

True, we have had smartphones with cameras for years. However, others can see when someone is taking pictures with a smartphone. New wearable technology could be recording conversations or copying intellectual property without being detected. Currently, the most talked about privacy concern in this category comes from Google glass, but other companies are not far behind.

Could security protocols be violated? Will we need new data loss prevention (DLP) for these wearable devices or clothes? Where is this heading? It appears that we will be seeing more and more wearable technology in 2014 and beyond, so get ready now.

Solutions Anyone?

In conclusion, dealing with insider threats has been hard for years. No one is exempt from dealing with our changing technological landscape or our own role in helping secure the enterprise. I wrote this blog over three years ago which asks: Are you an insider threat?

I don’t have any simple answers for these new insider threat scenarios. Still, one key mitigation step is to adopt more transparency regarding company policies and the corresponding back-office behaviors of employees regarding security and privacy. New technology involving the use of “big data” makes this topic especially important as we move into 2014.

Second, start a conversation with your employees. Work through issues the old fashioned way – do lunch (or coffee). Take advantage of the innovative ideas and even concerns of your team members.

Finally, take another look at how you are addressing risk in both internal and external threats today. Training staff and constant vigilance are both necessary. (This insider threat information from Dartmouth can help.)

An attitude of “that can’t happen to us” will likely be problematic. Remember that we have seen new insider threats before – from social networks to smartphones to USB drives. One person’s cool new Christmas present is often the security department’s new insider threat. Seek balance – and try to enable appropriate controls.

What are your thoughts on new insider threats?