Recently, we found ourselves somewhat enthralled by this article from IT World Canada. It wasn’t because it was especially well-written, or something that resonated with us on a philosophical level, or because it was incredibly quotable. Actually, it was because we found the stance that it takes rather…well, controversial.
In case you don’t have time to check out the article, we’ll give you a brief summary: two security professionals give their views on insider threat. One of them, a director of risk advisory services by the name of James Arlen, had some views that we found especially interesting. Arlen argued that insider threat is totally preventable (a bold claim already!) and, to raise your eyebrows even more, goes on to say that insider threat is solely the result of poor management. Here’s one of his quotes:
“If you treat staff like adults and forbid all the things you get adults who act like children. If you treat your staff like adults and expect them to do the job they were hired to do, and do it well, they actually will. Almost every single case I’ve been involved in (as a corporate IT pro or consultant) has come down to one of two things: Either earnest employee trying very hard to meet an un-meetable objective, or an employee treated as less than human and wants their piece. Solve those two problems and you’ve solved insider threat.”
Hopefully it’s obvious that here at Dtex, we’re all for treating employees as adults and giving them the respect and trust that comes along with that. But even so, we can’t help but disagree with Arlen’s words here. In our experience, even in terrific work environments, there’s always someone out there who has some ill will. Arlen does address these ne’er-do-wells, but only to state that plain old people management catches them. That seems like a surprisingly dismissive attitude towards a very dangerous (and very stealthy!) group of people, and frankly, it’s just inaccurate. We’re intimately familiar with the things that plain old people management misses every day, and it’s never insubstantial (you can take a look at our What Insiders Do paper for a taste).
Plus, we would argue that this ignores the huge number of insider threats that are not malicious, just ill-informed. People make mistakes every day that put their company at risk of breach and attack. In almost every risk assessment we perform, we see employees who are bypassing their company security controls and putting company assets at risk. Their motivation isn’t malicious — they’re just trying to get their job done. They’re using cloud services that haven’t been properly secured, storing data on unencrypted USB devices, opening phishing emails and visiting watering hole sites. It’s naive and incorrect to say that a good work environment and respectful management eliminates all insider threat, without fail.
Still, Arlen does have a point. His statements got us thinking about another article we’d read, this one about Nordstrom, a store renowned for its service that also happens to have a high rate of employee satisfaction. The Nordstrom handbook consists of just one sentence: Use good judgement in all situations. They show an enormous amount of trust and respect for their employees, and employees respond by generally being great at their jobs and by being satisfied in their positions. And we find it hard to argue with the idea that, as a whole, happy employees create fewer problems and are less likely to do malicious things, like, say, steal from their employer.
Ultimately, we keep coming back to the oft-quoted motto, Trust but verify. There are a lot of security professionals out there who advocate company-wide lockdowns as the best way to prevent insider threat, but we firmly believe that treating all employees as if they’re guilty just makes everyone frustrated, less productive, and more likely to find security workarounds. Employees who feel trusted and respected are harder workers and better employees. At the same time, Arlen’s black-and-white philosophy of trust = no more insider threat is completely unrealistic. While suspicion and restriction are certainly not the answer, companies need to be able to verify the trust that they put in employees. Protective monitoring is great for this, because it doesn’t interfere with employees, but it alerts not if, but when, suspicious activity takes place somewhere in the company. While respect and confidence should certainly be more of a focus in every employer-employee relationship, they do not replace the need for vigilance against the insider threat.
Do you agree that more than employee trust is needed to fight the insider threat? We can help.