Of all the security vendors exhibiting at InfoSecurity in London recently, none claim they can detect a major threat to enterprises: unhappiness.
Security software doesn’t do a very good job of detecting employees who may have a grudge against their company. And often, those unhappy individuals are motivated by deep-seated human emotions: jealously, greed or power, said Bob Ayers, associated fellow at the Chatham House Information Security Programme think tank.
Take, for example, the case of a loathed senior executive of a major European bank. In preparation for a new post, his computer was sent to the IT department, where a security officer said it contained child pornography, Ayers says.
The executive denied the accusation vehemently. Further investigation showed that the pornographic images were placed on the machine by the security officer, an act of revenge against the executive for firing the security officer’s father years ago.
“We tend to view insider threats as something with the objective of gaining money or something that can be sold for money,” says Ayers, who worked in computer security and intelligence for the US Department of Defense for more than 30 years. “You need to consider other motives than simply financial.”
Unfortunately, it’s very hard to detect employees who may be inclined to act maliciously within a company, says Stephen Bonner, head of information risk management for banking group Barclays.
Ironically, the warning signs of bad employees can also be indicators of good ones: a willingness to work late, a desire to take on more responsibility and close interest in other colleagues’ work, he says.
Bonner divides employees into three categories: those who will always do good, those who are mostly good but do bad things, and those who simply prefer bad behaviour. Enterprises can help mitigate their risk by performing background checks and asking employees to take a pledge to act ethically.
Once on the job, managers can also take note of employees’ actions. Those who act up — after not receiving a satisfactory bonus, for example — may be more inclined to seek retribution against their employer, Bonner says.
On the technical side, it’s good to let employees know their activities will be monitored. But there’s a catch. If employees perceive they are being overly monitored they may act differently, so the monitoring policy should be in line with the organisation’s work culture, he says.
The last recommendation seems like common sense: if companies treat people well, their employees tend to behave better. And addressing human resources problems directly can help to avoid what could translate into IT problems later.