By: Sydney Britton, GPSG Intern
How does your organization view insider incidents compared to whistleblowers? Both threaten all sectors with downtime and lost productivity. Forcepoint’s latest cybersecurity report predicts that in 2019 we will see a data breach where an employee claims innocence, possibly whistleblowing, while their employer claims deliberate action.
We have already seen an example of an insider incident vs. a whistleblowing case from the auto manufacturing industry. In June of 2018, Tesla accused an employee of sabotage for changing operating system code and leaking sensitive corporate information shortly after he was denied a promotion. The employee denied the accusations and claimed to be a concerned whistleblower sharing that the company was knowingly installing faulty batteries in cars. Although still under investigation, the case reminds us how challenging it can be to manage insider risk.
Organizations that proactively seek to understand the motivations behind insider activity and equip their workforce to prevent, detect, and respond to incidents will be better postured to mitigate harm to their organization.
The following scenarios illustrate how trusted employees can be motivated to act against the best interests of an organization in the legal, pharmaceutical, and entertainment industries.
Would your organization characterize each scenario as an insider or whistleblowing incident? How could this type of incident be prevented?
Legal Industry Example: A law firm with five partners has weekly meetings. One week, four of the partners meet to discuss firing the fifth partner for not bringing in enough clients. All of them agree, except for one, who is loyal to the fifth partner. After the meeting, the loyal partner tells the fifth partner what happened because, if the roles were reversed, he would want to know. After the fifth partner is fired, he threatens the rest of the partners, gets hired at a competing law firm, and takes as many clients with him as he can.
Pharmaceutical Industry Example: A Quality Assurance officer flags to senior management that an ingredient being used in a new drug to treat depression is carcinogenic. Company executives are alerted to the issue, yet ultimately decide to forgo further testing and continue with production. After the quality officer learns that production will continue, he decides to leak the identity of the ingredient, along with his research, to a local media outlet because he thinks that the public should be made aware of the risk.
Entertainment Industry Example: An intern at an animal and amusement park overhears the staff discussing that, in order to ensure that the animals behave when they are around the public, they are often secluded from interacting with other animals or fed very strict diets. The intern senses from the conversation that this often results in the animals displaying aggressive behaviors. The intern secretly records the conversations and then posts them on social media. Special interest groups suspect foul play at the park and file a lawsuit against the organization.
Each scenario illustrates how challenging it can be to differentiate an insider threat incident from a whistleblower case.
The following four actionable recommendations can help your organization prevent insider or whistleblowing incidents from occurring:
Proactively seek to meet federal and private sector regulations. GDPR took effect in May of 2018, and already we have seen the number of whistleblower reports triple. Building time and resources for compliance into your enterprise cyber budget and roadmap can help your organization adequately prepare to meet federal and private sector security and privacy regulations and guidelines.
Follow up on concerns flagged by your workforce. Ensure that employees have someone in your organization they can call to voice their concerns, or establish an anonymous tip line. Reassure them that their reports will remain anonymous and that the information they share with your management team will be treated with sensitivity and handled appropriately under anti-retaliation policies.
Equip your managers to be your first line of defense. Train your supervisors to understand what signs to look for in employees who may be undergoing stressful life events. Provide useful tools and tips for your leadership team to be able to engage in meaningful conversations with potential problem employees. This will help your management team more accurately assess whether the employee poses an insider risk to your organization.
Increase workforce awareness of ethics and compliance policies. Offer your employees training on transparency, accountability, and ethical and lawful conduct. Share your organization’s key values across the organization and seek enterprise-wide buy-in.
Contact GPSG today for a free insider threat risk management consultation: cyberteam@gpsg.co
