For a few years, I have quietly been watching incidents where insider threats have been the primary cause of severe and often expensive problems that have affected over 100 million people. To make sure we’re on the same page,
“Insider threats can be defined as risks posed by rogue employees who deliberately cause harm, or by those who may be negligent in the workplace.”
For a while, I’ve argued that psychology and human resources (HR) have been underutilized as tools to protect valuable information and intellectual property. Some of my previous thinking and work is captured in magazine articles that I wrote in 2016 (Is Cyber Security Alone Ever Enough; no longer online via Frontline Security) and 2017 (Corporate Security Hinges on its People; no longer online via Frontline Secutity) and also addressed in a couple of blog posts on my website. Lately, these insider threat stories seem to be growing more common and more consequential.
Insider Threats – National Safety and Security
If you’ve been following any of the news stories related to Special Counsel Robert Mueller’s ongoing Russia investigation, then you may have heard of Michael Flynn. In summary, Flynn served as President Trump’s National Security Advisor for less than one month. He resigned after information became public that he had lied to the FBI and Vice President Mike Pence about his communications with a Russian Ambassador to the U.S. The salient issue was that Flynn may have been compromised by Russian intelligence agents. In other words, Flynn was apparently under the control of Russian spies. As someone advising the President on issues of national security, it is extremely dangerous for him to be making recommendations that may serve the interests of Russia instead of the US.
On December 1, 2017, Flynn appeared in federal court to formalize a deal with Special Counsel Robert Mueller to plead guilty to “willfully and knowingly” making “false, fictitious and fraudulent statements” to the FBI. Flynn is now cooperating with Mueller’s Russia investigation. This means he is providing information about the Trump Campaign and possibly individuals associated with President Trump who may have unpatriotic ties to a foreign country (or countries).
Why does this matter?
- The National Security Advisor to the President of the United States should be providing advice that prioritizes American interests, not the interests of a known adversary.
- When someone in Michael Flynn’s position of power and influence is motivated to prioritize an adversary’s interests over the US’ interests, it puts the US, its citizens, and potentially its allies at risk.
- Historically, Americans have been concerned about outsiders spying, eavesdropping, or hacking etc. to gain access to American information and undermine its security and autonomy. This means they needed to protect themselves from ‘external threats.’
- In the Flynn situation, the Russian government did not need to hack or break into anything. Instead, they had someone on the inside who could undermine US national security and work against American interests. This is an extreme form of insider threat and Michael Flynn’s guilty plea confirms it.
- This is also an example of what happens when appropriate vetting is not completed as part of the hiring process before appointing someone to a position where they will have access to sensitive information.
- Equally important, no IT or cybersecurity hardware or software could thwart this particular threat. This problem is more closely linked to HR policies and human psychology.
Insider Threats – Telecommunications and Competitive Advantages
Closer to home, you may have heard some troubling (and confusing) stories about the telecom company Huawei and one of their executives who experienced serious legal problems while in Canada. Huawei makes smartphones and equipment that is used in wireless networks, including the emerging super-fast 5G networks that are now being built. Huawei has been banned by the US, Australia, and New Zealand, over suspicions that it could insert “back doors” into its equipment that would be used for spying or causing problems on telecommunications (that is, voice and data) networks.
Another big part of the story is about industrial espionage or corporate spying. In January 2019, The Washington Post reported that a former Huawei employee filed a legal claim alleging that he was directed by Huawei to steal rivals’ valuable trade secrets or intellectual property. Specifically, while spending time on-site at a rival company, “the engineer slipped a robot arm into his bag and walked out of the laboratory. Overnight, he photographed the device and took critical measurements before returning it the next day, apologizing that it was taken by ‘mistake.’ According to the charges filed, Huawei had created a bonus program for workers who stole information from its competitors.”
Once again, no cybersecurity software or equipment would have prevented this analogue theft. It’s an excellent example of how policies and human behaviour (i.e., psychology) can be the weakest link even when IT security hardware and software measures are in place.
Although the specifics of this incident relate to telecommunications, the same arguments apply in many other industries where data or intellectual property are the sources of a company’s value (e.g., financial services, pharmaceuticals, IT companies, biotechnology companies, etc.).
Insider Threats – Physical Security Breached in Chicago Shooting
On February 15, 2019, five people were killed and six police officers injured after a recently fired employee shot bullets into the massive warehouse where he worked in a suburb southwest of Chicago, IL. Apparently, the 45-year-old gunman had been fired from his job just before the shooting rampage began.
Apparently, he was the only person fired that day. From my research and experience, I know that many HR actions and/or policies that have a negative impact on employees are known predictors of insider threat. Many HR actions and policies that are far less serious than termination are associated with insider threats.
Once again, this incident was not an external or technical problem, it was something that originated within an organization that appears to be linked to HR and/or human behaviour (i.e., psychology).
BBC Tech Correspondent Rory Cellan-Jones says it well “if protecting your vital information depends on making humans more sensible rather than using all sorts of whizzbang technology, wouldn’t it be better to hire psychologists rather than cyber-security companies? They might even be cheaper.” Time will tell …
If you’d like to learn more about how psychology and HR can help prevent insider threats, listen to Episode 27 of The Insider Threat Podcast where I speak to host Steve Higdon about this topic. Note – since the time that this article was published, I was an invited guest on Scott Wright and Tom Eston’s Shared Security Podcast and we spoke about different aspects of this issue.
Have a sensitive career or HR-related concern? I invite you to contact me by email, phone, or via direct message on Twitter, Facebook, or LinkedIn if you’d like to discuss any of these topics in more detail.
More than career coaching, it’s career psychology®.
I/O Advisory Services – Building Resilient Careers and Organizations.
Easily share this article using any of the social media icons below.