fbpx
Insider threats – Hiding in Plain Sight
Insider threats – Hiding in Plain Sight

For a few years, I have quietly been watching incidents where insider threats have been the primary cause of severe and often expensive problems that have affected over 100 million people. To make sure we’re on the same page,

“Insider threats can be defined as risks posed by rogue employees who deliberately cause harm, or by those who may be negligent in the workplace.”

For a while, I’ve argued that psychology and human resources (HR) have been underutilized as tools to protect valuable information and intellectual property. Some of my previous thinking and work is captured in magazine articles that I wrote in 2016 (Is Cyber Security Alone Ever Enough; no longer online via Frontline Security) and 2017 (Corporate Security Hinges on its People; no longer online via Frontline Secutity) and also addressed in a couple of blog posts on my website. Lately, these insider threat stories seem to be growing more common and more consequential.

Insider Threats – National Safety and Security

Michael Flynn was an insider threatIf you’ve been following any of the news stories related to Special Counsel Robert Mueller’s ongoing Russia investigation, then you may have heard of Michael Flynn. In summary, Flynn served as President Trump’s National Security Advisor for less than one month. He resigned after information became public that he had lied to the FBI and Vice President Mike Pence about his communications with a Russian Ambassador to the U.S.  The salient issue was that Flynn may have been compromised by Russian intelligence agents. In other words, Flynn was apparently under the control of Russian spies. As someone advising the President on issues of national security, it is extremely dangerous for him to be making recommendations that may serve the interests of Russia instead of the US.

On December 1, 2017, Flynn appeared in federal court to formalize a deal with Special Counsel Robert Mueller to plead guilty to “willfully and knowingly” making “false, fictitious and fraudulent statements” to the FBI. Flynn is now cooperating with Mueller’s Russia investigation. This means he is providing information about the Trump Campaign and possibly individuals associated with President Trump who may have unpatriotic ties to a foreign country (or countries).

Why does this matter?

  • The National Security Advisor to the President of the United States should be providing advice that prioritizes American interests, not the interests of a known adversary.
  • When someone in Michael Flynn’s position of power and influence is motivated to prioritize an adversary’s interests over the US’ interests, it puts the US, its citizens, and potentially its allies at risk.
  • Historically, Americans have been concerned about outsiders spying, eavesdropping, or hacking etc. to gain access to American information and undermine its security and autonomy. This means they needed to protect themselves from ‘external threats.’
  • In the Flynn situation, the Russian government did not need to hack or break into anything. Instead, they had someone on the inside who could undermine US national security and work against American interests. This is an extreme form of insider threat and Michael Flynn’s guilty plea confirms it.
  • This is also an example of what happens when appropriate vetting is not completed as part of the hiring process before appointing someone to a position where they will have access to sensitive information.
  • Equally important, no IT or cybersecurity hardware or software could thwart this particular threat. This problem is more closely linked to HR policies and human psychology.

Insider Threats – Telecommunications and Competitive Advantages

Huawei's corporate espionage is an insider threat

In 2012, Steve Kroft reported on Huawei ‘s corporate espionage for 60 Minutes, CBS

Closer to home, you may have heard some troubling (and confusing) stories about the telecom company Huawei and one of their executives who experienced serious legal problems while in Canada. Huawei makes smartphones and equipment that is used in wireless networks, including the emerging super-fast 5G networks that are now being built. Huawei has been banned by the US, Australia, and New Zealand, over suspicions that it could insert “back doors” into its equipment that would be used for spying or causing problems on telecommunications (that is, voice and data) networks.

Another big part of the story is about industrial espionage or corporate spying. In January 2019, The Washington Post reported that a former Huawei employee filed a legal claim alleging that he was directed by Huawei to steal rivals’ valuable trade secrets or intellectual property. Specifically, while spending time on-site at a rival company, “the engineer slipped a robot arm into his bag and walked out of the laboratory. Overnight, he photographed the device and took critical measurements before returning it the next day, apologizing that it was taken by ‘mistake.’ According to the charges filed, Huawei had created a bonus program for workers who stole information from its competitors.”

Once again, no cybersecurity software or equipment would have prevented this analogue theft. It’s an excellent example of how policies and human behaviour (i.e., psychology) can be the weakest link even when IT security hardware and software measures are in place.

Although the specifics of this incident relate to telecommunications, the same arguments apply in many other industries where data or intellectual property are the sources of a company’s value (e.g., financial services, pharmaceuticals, IT companies, biotechnology companies, etc.).

Insider Threats – Physical Security Breached in Chicago Shooting

On February 15, 2019, five people were killed and six police officers injured after a recently fired employee shot bullets into the massive warehouse where he worked in a suburb southwest of Chicago, IL. Apparently, the 45-year-old gunman had been fired from his job just before the shooting rampage began.

Fired employee becomes an insider threat

Source: PressTV.com Feb. 15, 2019

 

Apparently, he was the only person fired that day. From my research and experience, I know that many HR actions and/or policies that have a negative impact on employees are known predictors of insider threat. Many HR actions and policies that are far less serious than termination are associated with insider threats.

Once again, this incident was not an external or technical problem, it was something that originated within an organization that appears to be linked to HR and/or human behaviour (i.e., psychology).

 

 

BBC Tech Correspondent Rory Cellan-Jones says it well “if protecting your vital information depends on making humans more sensible rather than using all sorts of whizzbang technology, wouldn’t it be better to hire psychologists rather than cyber-security companies? They might even be cheaper.” Time will tell …

 

If you’d like to learn more about how psychology and HR can help prevent insider threats, listen to Episode 27 of The Insider Threat Podcast where I speak to host Steve Higdon about this topic. Note – since the time that this article was published, I was an invited guest on Scott Wright and Tom Eston’s Shared Security Podcast and we spoke about different aspects of this issue.

Have a sensitive career or HR-related concern? I invite you to contact me by emailphone, or via direct message on Twitter, Facebook, or LinkedIn if you’d like to discuss any of these topics in more detail.

 

More than career coaching, it’s career psychology®.

 

I/O Advisory Services – Building Resilient Careers and Organizations.

 

Easily share this article using any of the social media icons below.

Latest Posts

What Does It Mean to Demonstrate Authentic Leadership?

What Does It Mean to Demonstrate Authentic Leadership?

Inexperienced leaders must recognize the difference between playing the “character” of what they think a leader should be and what authentic leadership is. This requires self-reflection and intentionally developing a genuine leadership style based on their own strengths, values, and a keen understanding of the team’s dynamics. Otherwise, their approach will seem hollow or one-sided and come across as inauthentic.

Including Gen Z, four generations in the workplace. What’s the secret to making it work?

Including Gen Z, four generations in the workplace. What’s the secret to making it work?

In today’s dynamic workplace, organizations are navigating a unique era in which the workforce spans four distinct generations Baby Boomers, Generation X, Millennials, to the emerging Generation Z or “Gen-Z.” With each generation bringing its own set of values, skills, and work styles to the table, building an effective, cohesive multigenerational team presents opportunities and challenges.

Exploring the Consequences of Microaggressions in the Workplace

Exploring the Consequences of Microaggressions in the Workplace

During past training sessions, I’ve provided empirical and concrete examples of how discrimination and microaggressions can hurt more than the intended victims. Here, I’ll share one clear example, inspired by a recent TV interview, of how microaggressions and chronic mistreatment can impair retention and hurt the majority.

Dealing with Professional Setbacks

Dealing with Professional Setbacks

Professional setbacks and disappointments are an inevitable part of any career journey. Setbacks come in various forms, whether it’s missing out on a promotion, being laid off, dealing with the fallout associated with a failed project, or enduring systemic barriers.