One of the key areas within the insider risk matrix is the role of the benevolent or malevolent employee. With the former, their actions are of good intent, though their execution and decision-making may be flawed and fraught with unintended consequences. With the latter, the employee knows their action is outside of the approved swim lanes, yet they persist for their own reasons which conflict with established processes and procedures.
The most glaring example of employees trying to do the right thing, yet doing it poorly, can be summed up in the term “Shadow IT”: the workarounds, personal applications, scripts and processes that employees adopt to get the job done, frequently without corporate IT being aware of them at all, ergo, in the shadows. This unregistered, unrecognized risk is far too often the pathway to compromise, as several examples show.
Take the 2017 episode that occurred at the Boeing Company, where an employee emailed a spreadsheet outside the company to his wife (who was not an employee) to help him with formatting issues. The spreadsheet contained hidden columns, which held the PII of approximately 36,000 coworkers. While trying to do his job, he exited the swim lane.
LastPass recently revealed the context of its second breach, which traces back to a DevOps engineer. According to the company’s statement, this engineer was one of only four individuals who held the credentials and access needed to reach the sensitive database in question. He was working from his home network on a personal device onto which he had loaded a vulnerable third-party media software package; the attacker exploited it to gain code execution and plant a keylogger, which captured the engineer’s master password after he had authenticated with MFA. This set off a daisy chain of events that ended with LastPass being compromised.
In a recent piece, How to Handle the Risks of BYOA/BYOD and Shadow IT, Armaan Mahbod wrote that applications introduced to devices by employees aren’t always benign. “Unsanctioned applications that are not vetted and approved by corporate IT and security teams pose a major security risk for businesses. This is because these tools haven’t been tested thoroughly to determine if the applications are susceptible to compromise or have functionalities that enable an individual to steal IP from the business.”
The LastPass compromise perhaps could have been avoided had a different set of policies applied to those with the most sensitive access. But by the rules then in place, this engineer was swimming in his approved swim lane and operating within acceptable parameters.
As I recently wrote, “Rare is the home computer that is hardened at the same level as the corporate provisioned device.”
The LastPass compromise is a perfect example of why personal and corporate information and assets must be kept separate. Had the protocol required that the most sensitive systems be reached only from corporate-provisioned devices running only “approved” applications, the employee’s attempt to work from a personal machine carrying an unvetted third-party app could have been detected, and the opportunity to mitigate the risk and close the loop with education would have been present.
It is not hard to recognize the malicious user who is plainly out of bounds. It is far harder to detect the malicious employee who operates within the expected parameters.
In the 2012-2017 Coca-Cola trade secret theft case, an engineer used one of many ubiquitous commercial cloud services, Google Drive, to facilitate the theft of intellectual property. Her actions went undetected within Coca-Cola, and it was only when she used the same technique at a later employer that did not permit such uploads that she was found out. With this information in hand, and well after the fact, Coca-Cola was able to determine the extent of the IP theft conducted by its former employee.
Another example comes from the aviation sector in 2017, when a reservations clerk departed PenAir. Before leaving the company, she set up a fake user account with sufficient access to let her re-enter the corporate network, then used that account to sabotage the airline’s ticketing and station-management database services. Malicious, indeed.
What to do?
Behavior analysis is so important, and the MITRE Inside-R Protect is an excellent example of a program that goes deep in analyzing the behavioral side of insider threats. In mid-2022 I observed, “As an individual who has been on both sides of the covert information acquisition process, I attest to the value of understanding the behavior of the individual to be of paramount importance.” These were my thoughts then and they remain valid today.
If one only follows the threat indicators of the past, one is essentially watching the neighbors’ cows meander down the road. It is important to close the barn door and understand what is going on inside.
As such, pragmatism lets us accept that some employees will take shortcuts (Shadow IT) or make well-meaning decisions (benevolent) that violate policy. Yet we remain hesitant to accept that some are acting, or will act, maliciously. The tension lies in the basic human desire to assume and expect the best, and we should. We must also do our part: cultivate a trusted, respected, protected and engaged workforce.
As Mohan Koo, Co-Founder and CTO of DTEX told Authority Magazine, in 2021, “An un-engaged workforce opens the door for outside attackers to find a way in through employees.”
Insider risk management programs are built on trust. We expect our colleagues to stay within the established protocols, yet far too often we encounter those for whom rules have no meaning and consequences be damned. Aleksandr Solzhenitsyn perhaps says it best in his Gulag Archipelago: “If only there were evil people somewhere insidiously committing evil deeds, and it were necessary only to separate them from the rest of us and destroy them. But the line dividing good and evil cuts through the heart of every human being. And who is willing to destroy a piece of his own heart?”
This is the third installment of a leadership series from Christopher Burgess. See When Business Gets Personal for the first post and The Importance of Trust in your Insider Risk Program for the second.