Organizations should educate employees about emails they send on the job.

Sometimes cyber threats come from people who know the organization best: employees.

Steve Bongardt, Managing Member, The Gyges Group, Arlington, Virginia

Aware Force: When it comes to employees doing bad things or allowing bad things to happen, how bad a problem is it for organizations?

Steve Bongardt: It’s really bad. The threat is worse than an external attack or threat for most organizations. That’s because most organizations aren’t on the radar screen for a lot of cyber attackers. But most organizations have a realistic threat involving insiders. It’s under-reported because it’s embarrassing.

There is a bias in human behavior: we don’t look at the people who threaten us the most, the people we’re closest to, the people we’ve placed trust in. It’s natural for humans to look externally for threats. But you have to build your walls high. With the proliferation of malware, it’s wise to think about threats from external hackers, but you really need some kind of insider-threat program.

Aware Force: So what percentage of cyber breaches in organizations is evil and planned…and what percentage is just mistakes that people make?

Steve Bongardt: Based on the interactions I’ve studied, I’d say 35% is accidental, 65% involves some type of intent. And then there’s the gray area. Employees get internal training on what you should click on or not. This is the concept of due diligence. When employees don’t care, that’s a darker area.

Aware Force: What are the most common reasons for those who commit cybercrimes intentionally?

Steve Bongardt: It’s usually disgruntlement. You can track it back to that as a primary human behavioral motivator. As far as what they’re after: it depends. They could be intending to destroy the organization. More often than that, it’s an individual stealing intellectual property like a client list. If the organization had some sort of process to stop it, they would do it. And then there’s full-blown theft of intellectual property where that property is what the company’s value is. I would also throw in insider fraud…traditional fraud. I see it in a lot of organizations. So, four camps: theft, fraud (like customer data), and attempting to destroy the organization on some level.

Aware Force: Analyzing employee behavior — without asking people to be paranoid — what are characteristics of someone who is committing cybercrime internally?

Steve Bongardt: Look for people who are spending outside of their means. And this can take place in a private company or in government. But it’s usually not just one thing. It’s a confluence involving some stressor inside or outside of work.

Some personality types that are difficult are over-represented, like narcissism. Often they have some flexibility in their thinking. Maybe they downloaded something from the web (I’m not talking about porn) — maybe it’s certain types of productivity tools like backup tools.

That combination of things: stressors and predispositions, tech indicators.

And finally, there’s something else that’s often hard to see, and that’s where something is going on in the organization. I’m not saying a case where the organization isn’t delivering for customers well. Instead, there are issues with the way things are handled internally.

Aware Force: What should an employee do if they think there might be some sort of cybercrime going on with a co-worker?

Steve Bongardt: One thing is the ability for employees to report it to someone — an insider program. There should be a process — if you think you see something, you can say something confidentially and there won’t be reprisals.

Where that information goes must be highly compartmentalized because the stigma of potentially being an insider is highly detrimental. It’s breaking trust: you’re saying “I trusted you before but now I don’t really trust you.”

What’s particularly hard is when a manager or someone in a position of authority is involved.