We speak to Dr John Buckley, an intelligence and counter-terrorism specialist who runs HSM Training and Consultancy, about insider threats in organisations, how management can turn happy employees into malicious actors, and the very real need to focus on personnel security.
How does someone who comes into your organisation as an asset suddenly transform into a cyber threat who wants to harm your business? This week, Dr John Buckley discusses how internal – rather than external – individuals can cause the most harm to your organisation, through the lens of internal triggers that change how a person feels, acts and ultimately behaves towards their employer.
How do you help organisations deal with complex insider-threat situations?
It’s about looking at various cases and trying to work out why somebody who has perhaps been loyal to their organisation for a period of time, why all of a sudden they turn around and betray them and cause their organisation a lot of harm. It’s a very difficult thing to combat because it’s not like we can just go to the store and buy some antivirus to combat the threat from people. It really comes down to trying to understand people better and what drives their behaviours, and then take a risk-based approach to mitigate the harm they may cause.
How do you understand their motivations?
Most of us are familiar with Maslow’s Hierarchy of Needs – there are four or five different groups of motivation and we all bring our own prejudices to that discussion. A lot of us also think it’s all about the money. People will always do something bad for money. But looking at Maslow and looking at money as a motivator – both those aspects are very often deeply flawed and simplistic ways of looking at things.
Let’s say someone has a malicious intent which is developed as a self-starter versus someone who is clearly being influenced and has had a vulnerability exploited. Are there clear differences in terms of how those individuals behave in the early stages?
Someone who has been recruited to cause harm to the company is going to be much more likely to do it without being caught – because someone’s going to be guiding them about exactly what to do. Just look at the recent attack on Tesla where there was a foreign actor offering large sums of money to plant malware into the system and instructing that person exactly what to do.
When we talk about these things, it’s important to realise there are different things driving people at different times. So you may have someone who has always been a low performer at work who’s vastly exaggerated their CV when applying for their job. They’ve come into the workplace and are consistently underperforming. The longer you allow that person to continue, the more likely they are to cause you harm.
I also think it’s important to look at the problems that, as managers, we actually create ourselves. If you have a bad manager, quite often they will either act as a catalyst or actually start the person on that journey towards vengeance.
So, what does that look like? These things happen over a period of time. It’s not just one major thing that happens to a person, it’s a series of small cuts. It’s almost like death by a thousand cuts. It’s a longer journey and there are many steps involved. But in all cases the person is mistreated over a period of time by management, and there’s been no redress by the company. Those people begin to say to themselves, “They’ve hurt me, so I’m going to hurt them.”
When it comes to that transition from being a ‘friendly colleague’ to a ‘cyber terrorist’, is it like a switch that’s impulsive or will happen over a long time?
It can be impulsive because the opportunity presents itself, or it can be planned where they go and look for a way to attack the company. Here’s a very simple example I came across recently.
An employee was in dispute with their company over a relatively small sum of money – we’re talking $5,000. For a multinational company, that’s nothing, but $5,000 to an individual is a huge sum of money. This individual made complaints about how they’d been treated and the go-to response from the company was: “Talk to our lawyers.” Now, there’s never a dispute where one person is 100% right and the other party is 100% wrong. In this case, there was common ground – it was probably an 80/20 dispute. But the go-to response from the company about talking to their lawyers to protect their $5,000, that immediately put the employee in a position where they knew they couldn’t afford a team of lawyers.
So, they have no power against this multinational company that are throwing everything at them. They think: “I’m aggrieved. I’m feeling bad about it. I’m getting angry about it. I’ve been embarrassed in front of all my colleagues. I’m now going to take action.”
It got to the point where they didn’t actually care about the $5,000. It was more important to hurt the company. Organisations need to start accepting that this can happen.
Where does the onus sit on investing in awareness training and having the appropriate mitigation strategies in place?
It sits with the CEO. It doesn’t sit with HR because they are one of the resources the organisation will need to call upon to help solve the problem. If the company has a risk manager, it’s making the assumption that they actually know enough about it – or at least know where to get proper training on the subject – because they need to see what the risks are.
It’s the same way as we look at physical security. A security manager will look at the building’s physical security. The IT department will protect the company’s hardware and software from attacks. But we also need the third protection element: personnel security. If we’re not addressing our own employees and the threats they could potentially cause, then we’re not doing security right.
If someone approaches an employee saying they want to exploit a vulnerability to carry out a malicious attack, is it inevitable that their target will turn?
No, it’s not. If we look at the case with Tesla, that person was offered $500,000 – that’s a lot of money to anyone. So even if that person was disgruntled in the past, why did they stay loyal to the company?
What you will probably find is that the person felt that the company had treated them fairly. Very few of us will actually take money to betray the ones that we hold in esteem or we hold dear.