



Insider threats: From McDonald’s Monopoly to today, how to address how little has changed

Dec 02, 2019 | 15 mins
Data and Information Security | Security

What have we learned this year? Insider threats haven’t changed much. Companies and people still focus on the bright, shiny new technologies or expected windfalls from major projects. Many ignore the governance, controls and processes needed to successfully implement them. This creates disengagement and lowers the ability of the organization to fight inside and outside threats.

One of the first uses of the nascent internet in the 1990s was to bring people together via email. Before Facebook, WhatsApp or texting, epic email and USENET threads were the main ways of communicating. AOL users were infamous for hitting “Reply All,” quoting the entire message, and adding “me too.” In older email clients like Pine, that meant scrolling past level after level of one-line or one-word responses, each buried under another layer of “>” quote markers, before you reached the actual message.

With the mailbox quotas of college email systems in the 1990s, this meant you often filled your quota quickly, and sometimes your friends got the dreaded delivery failure message because your mailbox was full. This was especially true during March Madness, when tournament brackets swamped email before Yahoo! Sports and others started hosting brackets online.

Nascent crowdsourcing over email for Monopoly pieces

McDonald’s ran a Monopoly promotion every year with a single $1 million grand prize and numerous smaller prizes, won by assembling sets of game pieces. Email became the tool of choice among friends and acquaintances for organizing and pooling pieces to go after the larger prizes, rather than settling for a free Big Mac or Diet Coke.

When the game came around, it filled mailbox quotas quickly as numerous people sent status reports of which pieces they had and which they still needed for the various big prizes. All of this was fueled by the dream of landing the $1 million piece, or winning a vacation, a car, or a large cash prize. McDonald’s deliberately made the pieces needed for the big prizes rare, so collaborating improved the odds of finding them. It was an early example of crowdsourcing via the Internet.

It was not meant to be. An insider, Jerome Jacobson, a former Hollywood, FL, police officer, was the ringleader of a scam that sold the very winning game pieces everyone was clamoring for. He started in 1981 as a security auditor for Dittler Brothers, the printer of the game pieces for Simon Marketing, the agency that ran the promotion. He did so well in that job that Simon hired him to oversee security for the $500 million McDonald’s account.

Outwardly he appeared to be doing very well, and he put security theater in place, such as checking employees’ shoes to make sure they were not smuggling out game pieces. From all outward appearances he was diligent, effective and focused on delivering a fair game to customers. However, from 1995 to 2000 the game was anything but fair. He was pocketing the high-value winning pieces and selling them to the highest bidder, sometimes for as much as $50,000. One of the $1 million winning pieces was sent anonymously to St. Jude Children’s Research Hospital in Memphis, TN.

An anonymous caller tipped off the FBI about “Uncle Jerry” in 2000. By the time the investigation was done, the FBI had uncovered a network of 24 people who had profited illegally from his theft. More importantly, the credibility of McDonald’s, one of the most prevalent and valuable brands in the world, was seriously damaged. According to Forbes, McDonald’s terminated its contract with Simon Marketing immediately. Philip Morris, another of Simon’s large customers, terminated its contract as well. This led to the eventual closing of Simon Marketing. McDonald’s still honored St. Jude’s winning piece, however.

Many people who did nothing wrong became collateral damage and lost their jobs. The livelihoods of hundreds of former Simon Marketing employees and their families were affected at the start of a large economic downturn, punctuated by the September 11th terrorist attacks. The trial of Jerome and his co-conspirators opened on September 10th, which made it a footnote in the papers that was quickly forgotten.

However, the effects on the people who lost jobs and livelihoods because of Jerome Jacobson’s greed were also sadly forgotten. Ben Affleck will be directing a movie about this scam. But like many Hollywood productions, it’s probably going to lionize the wrong people and ignore the effects of his actions. The families who lost houses or could not afford prescriptions or medical care don’t sell movie tickets.

In retrospect, Simon Marketing did not know much about security, and depended heavily on Jerome Jacobson based on his performance at one of its vendors. That allowed him to get away with security theater and theft until the FBI got involved.

Many companies don’t understand security, and to protect themselves they rely on the people and tools they already know, even when those people don’t understand what they are doing, or are condescending and insulting. Basic questions about job rotation or independent auditing, which are standard in many large organizations, were never asked. Asking them raises issues of pride, of undermining relationships, and of second-guessing past decisions. There is also the embarrassment of not knowing what to do and of questioning how decisions get made. Simon may also have wanted to avoid raising questions with its largest customer, or delaying delivery of its most important promotion.

However, the hurt pride of a single person does not compare to what “Uncle Jerry” did. His actions seriously damaged the credibility of one of the most valuable brands in American history. A large promotions and marketing agency closed and left their employees out of work in a bad economy directly because of his actions. Numerous consumers who had worked hard to find game pieces realized that what they were attempting to win was fraudulent. The consequences of his hubris were extremely damaging.

If there are poster children for reasons why we need to trust and verify in this field, he would be a strong candidate…but still very far behind convicted Russian spy and former FBI agent Robert Hanssen. Both are proof that unfettered greed can lead to damaging consequences with long-term effects on people’s lives and significant collateral damage.

What can we do to improve security and address insider threats?

We must build trust with our customers, and welcome transparency and questions as part of that. We must set the expectation up front that questions are welcome. We also need to adhere to a control set that we can be measured and audited against. We need to be prepared to have other people audit and review our work, and to rotate people through jobs. Even if no one asks, we need to conduct risk assessments not just of the organization but of the security program and team themselves, including assessments performed by outsiders.

We need to make sure our customers know it is safe to ask tough questions, and that doing so will improve how they are perceived rather than hurt it. We also want to spare our customers from security theater, which looks effective but is more harmful than no security at all, because it gives people a false sense of protection. Condescending people, gatekeepers, harassers, misogynists, or racists need not apply.

Insider threats succeed when someone finds a loophole and knows they can get away with exploiting it because no effective control covers it, which is exactly what happened at Simon Marketing. When higher-ranked people are complicit, it is even harder to address, and company executives often learn about it from law enforcement, as Simon Marketing did. I’ve also had several customers find out about these issues from law enforcement in my years of personal experience.

We must adhere to mission and values and introduce and promote controls and a culture of trust and safety based upon transparency as part of doing so. This must come from the top down, and there must be expectations set from top leadership that self-serving behavior, information hiding, or resistance to asking questions or auditing is not tolerable. You can’t do this without building engagement and trust. These are not just words parroted on stage. These are actions that require conscious thought and mindfulness. Leadership needs to lead, not talk, and set the example for their teams.

If people can’t trust leadership to be open and honest, some of them will look for ways to get one over on you and your company, breaking controls or taking shortcuts to meet arbitrary goals and make themselves look good, rather than working toward the mission and its associated values and vision. You need to build enough trust that customers and employees will call you. Without that trust, even well-meaning people will not call to report a potential insider threat, and they will likely leave. People will not report potential insider threats if they expect retribution because they do not trust Information Security or Senior Leadership. There can be no employee engagement without trust, or with fear.

Information security is not a silo and doesn’t work without the connections and upward and downward messaging of top leadership. You’re not going to have good cyber security or insider threat protection without trust, transparency, and measurable controls along with demonstrated action. You also need to make sure the controls you have are not security theater and are tested and modified regularly for effectiveness. This starts and stops with the leaders in charge. You cannot buy technology to substitute for this.

False beliefs in technology

We have the falsely held belief that those who put these complex technology systems such as Facebook, Google, Twitter, or WhatsApp in place have ultimate control over them and can detect anything, especially insider threats, with just a little bit of code. The events over the past few years, especially with Facebook still being manipulated by agents of Russia and other foreign governments, prove that this is not the case.

No piece of software, no matter how good the vendor or their sales team claims it is, is going to stop them by itself or automate the work for you. Machine learning and intelligent systems, for all their promise, still have a long way to go, according to Princeton University associate professor Arvind Narayanan in his presentation “How to recognize AI Snake Oil.”

In this presentation, Prof. Narayanan discusses applications that attempt to automate judgement. Since this technology attempts to learn and emulate human judgement, which is subjective, it will never be perfect. We need to focus on making sure we have enough supporting governance and due process to address their usage effectively and also address exceptions fairly. When we rolled out one of these systems, it was with those supporting processes in place, which took significantly longer to implement than the technology stack. In the words of Chuck D and Flavor Flav from Public Enemy, “don’t believe the hype.”

Narayanan’s presentation puts some applications where judgement must be applied, including hate speech detection and spam detection, in the category of “imperfect but improving.” Skilled adversaries exploit that imperfection, taking advantage of weaknesses in both the algorithms and the compensating controls meant to catch manipulative and hateful content.

Facebook’s attempts to detect threats and manipulation on its platform with low-paid human contractors, without a good supporting management structure, have been widely regarded as too little, too late. People do not trust Facebook, and constantly discuss how poorly it enforces against hate speech, cyberbullying, or harassment. The rise in unvaccinated children and the spread of childhood diseases thought to be eliminated in North America can also be traced in part to Facebook, including its lax enforcement against dubious medical advice.

Cryptocurrencies and bitcoin also show that the people behind technology systems put technology ahead of controls and processes. A multi-billion-dollar cryptocurrency market has been rolled out with almost none of the controls that have been prevalent and evolving in the financial system since the Renaissance, on the assumption that strong cryptography alone could replace them.

The actual results show otherwise: people have permanently lost millions to exchange hacks like Mt. Gox, and to SIM-swap attacks, in which criminals paid off mobile carrier employees to move a victim’s phone number onto a SIM they controlled, received the victim’s SMS verification codes, and transferred the cryptocurrency to their own accounts with no recourse for the victim. North Korea financing weapons development through targeted hacking and cryptocurrency theft, then using the proceeds to evade restrictions on the SWIFT network, makes the same point.

Technology blindness

Enterprise Resource Planning and Electronic Medical Records systems are much more evolved than cryptocurrencies, and very mature. However, they resemble blockchain and other emerging technologies in one respect: all of them can cause people to overlook organizational mission and values, governance processes, procedures, policies, and controls when implementing new features or upgrades. This is no fault of the technology itself; blockchain is quite solid and constantly improving.

We call this “technology blindness”: people see the new features of a technology, such as the cloud, blockchain, artificial intelligence/machine learning/intelligent systems, or social media, and are so focused on being a first mover, or on the positive attention from implementing it faster than anyone else, that they ignore the obvious warning signs of trouble.

This is especially true given the current trend of slapping the words AI-powered or ML-powered on technology solutions and expecting them to automate everything. Such initiatives also tend not to be fully aligned with the mission and values of the organization, which starts the team down the road to disengagement.

One example is implementing blockchain without considering the governance, contracting, network and security implications, or how the systems and consortia will be maintained on an ongoing basis. Another is implementing an ERP or EMR system and pushing forward to meet a date without fully accounting for the changes in security and organizational controls, planning, processes, policies and procedures the system requires. The final great example is migrating to the cloud without taking the security controls on cloud-based storage into consideration, which has happened to numerous companies, most recently Capital One and several information brokers, and has collectively caused data breaches of billions of records.

Technology blindness has three measurable effects. The first is exposing the new system to new classes of insider and outside threats, because you have not threat modeled or assessed your controls, plans, processes, procedures, policies, communication plans, or technology stack, or their effects on the team, and you have not aligned the initiative to the organization.

The second is employee disengagement, caused by uncertainty about how the project is being managed when the focus is on the technology rather than on the team and the effects on them.

The third is the compromise that follows when the organization realizes it is suffering from technology blindness and makes drastic, last-minute changes to processes, policies, controls, and procedures to address the disengagement caused by the first attempt, while still trying to hit something close to the original production dates with a drastically changed master plan and supporting communication plans.

How do we mitigate insider threats?

Strong leadership, two-way communication, strong and detailed planning involving all involved parties, and consideration for the involved team members are key to mitigating insider threats. You must assume that 90% of the work involved in implementing any new technology system is going to be with planning, communication, policies, procedures, processes, exception management, and developing audit and management plans for sustainment.

New technology systems represent organizational change. They also present an opportunity for people to take advantage of executives and leadership who are enamored with new technologies and the glory of being a first mover, and to exploit weaknesses in policy, process, procedure, planning, technology, audit, exception management, and implementation for their own benefit. You must always watch out for that. The technology does not obviate human factors.

Insider threats are one of those cases where technology can only support the leadership message and the people involved; you can’t simply implement a tool and be done. If strong process-oriented leadership does not exist, the rest of the system you need to combat insider threats will not be in place either. Because of Jacobson’s greed, and because no one at the top emphasized a culture grounded in sound mission and values, numerous people lost their jobs and carried black marks on their careers.

The fact that the story was buried by 9/11 does little to comfort the inadvertent victims of it and the negative impact of someone’s duplicity and greed. Governance, honesty, transparency, and giving a leadership-facilitated environment in which people can ask questions and report issues are critical to a successful insider threat and information security program. Like the use of email in the 1990s, we need to facilitate connecting. The victory isn’t in winning game pieces, but in better communication and a better overall program.


Mitchell Parker, CISSP, is the Executive Director, Information Security and Compliance, at Indiana University Health in Indianapolis. Mitch is currently working on redeveloping the Information Security program at IU Health, and regularly works with multiple non-technology stakeholders to improve it. He also speaks regularly at multiple conferences and workshops, including HIMSS, IEEE TechIgnite, and Internet of Medical Things.

Mitch has a Bachelor's degree in Computer Science from Bloomsburg University, a MS in Information Technology Leadership from LaSalle University, and his MBA from Temple University.

The opinions expressed in this blog are those of Mitchell Parker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.