Lloyd Hession, CSO of BT Radianz, said insider security threats – a leading cause of financial loss among enterprises – are less likely to occur at companies where employees are content.
“It’s a fascinating concept, and it’s one, unfortunately, that we don’t have good empirical survey data to extrapolate from. But those firms who have very high satisfaction ratings…tend to have a much better culture and much lower incidence of insider threat,” Hession said in an interview after his one-hour presentation.
In contrast, the nation’s growing mobile workforce is becoming the new face of insider attacks, Hession said. He said that remote employees lack the loyalty and ethics their home office-based colleagues share.
“When we actually meet in an office, when we meet face to face, that kind of human bond helps foster a higher sense of accountability than we are going to see from employees who are just remote,” he said.
But as the age of information connectivity grows, employees are no longer the only insiders who could compromise a network, Hession said. Consultants, business partners and outsourcers also have access to an enterprise’s sensitive data.
“With all the changes in technology…we’re actually seeing that the set we call the insiders stretches way beyond our physical boundaries,” he said. “All these people are given some kind of access.”
One attendee from a large financial institution, who wished to remain anonymous, said this is why he ensures that proprietary information is made available to certain employees only on a “need to know basis.”
Beyond companies' failure to better control access rights to data, revenge and financial gain are the best-known reasons for insider threats, Hession added. A less often considered problem, however, is simple nosiness.
“Many people just (do it) for the benefit of gossip and to get ahead of their colleagues, to know what people make, what people’s (performance) reviews are, who’s saying what about whom in emails,” Hession said.
He suggests companies, in addition to following the obvious tips to prevent insider threats (U.S.-CERT provides a comprehensive list), also should document their controls and separate test and production.