Adam* stayed later than most at the office.He tended to get in late too.Recently, he had been admonished about his time-keeping, and indeed his overall performance.The quality of Adam’s work as a project manager at one of the leading UK defence engineering firms had declined.And it had been noted.He wasn’t delivering on his promises, he was missing deadlines and he was busting budgets.
Adam, 35, was a father of two who had been with his current employer for three years.He was a keen squash player, a good cook and member of his children’s school PTA.He was also in some considerable debt after his wife had lost her job as an administrator for an American bank.
In his time at the company, Adam had seen no real-term increase in pay, despite the fact that his responsibilities had almost doubled in scope.He answered to three different business functions, had had no direct line manager for four months and had a very limited grasp on either the company’s direction of travel or its means of getting there.
Increasingly, Adam felt that he was being ‘done to from on high’ rather than ‘involved in’.He became isolated, disillusioned, disenfranchised and ultimately disengaged.
In 2015, Adam offered the details of passwords, network access codes and security protocols to a direct competitor.Fortunately, that competitor alerted Adam’s employer, who in turn alerted the authorities.
In the aftermath of the case, the company sought the advice of government cybersecurity specialists to help shore up their technical security, firewalls, practices and procedures.These expert findings were stark.Other than a few physical and technical security tweaks here and there, there was nothing really amiss.
What went wrong in Adam’s case – and in the case of most costly ‘insider’ cybersecurity breaches – was nothing to do with IT and everything to do with employee engagement.
The Centre for the Protection of National Infrastructure (CPNI) studies Insider Threat in some considerable detail.Their 2013 study which looked at 120 UK based ‘insider’ cases from a range of industry sectors revealed some remarkable findings:
·There are three key types of cyber threat from an individual inside an organisation:
1)Espionage – the unauthorised disclosure of electronic Intellectual Property or security protocols, passwords and network data;
2)Sabotage – the deliberate act of destroying data /network capability;
3)Human Error – the unintended breach of cybersecurity through a lack of adherence to security culture and protocol.
·Motivating factors are complex and often involve several elements.In all 120 cases, general dissatisfaction with the employing organisation played a role in the employee’s insider action.
·In addition, there are five common primary motivations for an employee to undertake ‘insider’ activity:
1)Financial gain (47% of cases)
3)Desire for recognition (14%)
4)Loyalty to friends/ family/ country (14%)
·There is a strong link between organisational short comings, poor engagement practices and the occurrence of insider cyber breeches.
What these findings show is that much of what organisations are trying to prevent, in terms of cyber security breaches, involves both good technical advice and good people advice.
Yes, in the modern age, where a large proportion of IT systems are internet-connected, security must be designed-in from the beginning.
Yes, protective security processes and protocols should be in place.
And yes, auditing the use of IT systems is vital in spotting irregularities and unusual behaviours.
But, employees who are bought into corporate vision and values, who understand what is expected of them, and who are supported and empowered to perform, do not sell passwords.
Likewise, employees who have access to adequate resources and a safe environment in which to debate and challenge the status quo do not destroy networks.
A climate that fosters collaboration, where successes are celebrated, and failures are learning opportunities have no Adams.
Creating an environment where there is a genuine recognition of effort and going the extra mile, where being part of the team is paramount, and where the security culture is respected and meaningful: that is the workplace that carries the smallest insider Cybersecurity risk.