Security: personnel as a threat to your business
Article by Ivana Spoustová, external collaborator of Personal Connect
How can the risk of an information leak caused by employee negligence be prevented efficiently? Can we recognise when someone is deliberately trying to harm our business? And how can all of this be prevented?
It is significant that internal human error on the part of employees, whether intentional or not, presents a greater threat than any external attack, and this claim is backed by evidence. A global survey conducted by Kaspersky found that in 2012 more than 80% of companies had experienced an information leak that was a direct result of their own personnel; the true number of such cases can only be guessed at. The study also concludes that the money invested in preventing such incidents does not match the urgency of the problem. The study did not include Czech firms, but there is no reason to doubt its findings or to pretend that the situation in the Czech Republic is any different.
The aim of this article is to summarise the basic risk situations and the non-technological measures that prevent data from being compromised, whether intentionally or unintentionally: measures which, in our judgement and experience, should not be missing from the security concept of any larger organisation or company.
Unintentional harm to the company’s assets
Even with the necessary technological measures in place, there remains considerable room for information leaks caused by the inattention, ignorance or mistakes of employees.
These can be countered with the following preventive measures:
- a) Thorough training of your own personnel
- b) Written guidelines
- c) A code of conduct
- d) Confidentiality undertakings and non-disclosure agreements
Ad a) In many organisations, training that covers security is not done thoroughly. There are documented cases of employees signing attendance sheets confirming completion of such training without ever having been present. The higher the position, the greater the tendency to skip these sessions, even though the likelihood of handling sensitive information rises with rank. It is therefore essential that managers act responsibly, make sure their colleagues take part and, where possible, make attendance mandatory.
Where training does take place, two factors must not be underestimated:
The first is covering what may seem absolutely obvious. The lecturer or coach may take certain things for granted, for instance that documents containing classified information belong in the shredder, not the waste-paper bin. In fact such working habits are virtually absent among many top managers. It is therefore crucial to explain the life cycle of such a document in concrete terms, including where confidential information can end up.
The second is feasibility. The lecturer should make sure that every participant is able to use the necessary equipment, from scanners and shredders to chip-card readers. Do employees know whom to contact when their smartphone is stolen? It must be reckoned with that, from the employees' point of view, information security is not taken as seriously as it should be, and the attention they pay to training reflects that. A final test should therefore be compulsory.
Online training has recently been promoted quite often. It has many advantages, but its downsides should also be considered. It is a compromise between the employee and the employer, because the employer cannot be sure, and can never find out, whether the participant actually paid attention. Ultimately, how do we even know they took the course themselves?
Ad b) The importance of guidelines needs no emphasis. It is worth highlighting the common mistakes, however. The first is length: obviously nobody will work through ten pages of guidelines "just to handle information safely". Over-condensed text is the opposite mistake; for some authors the lowest possible character count becomes the goal. Condensation harms intelligibility and, ultimately, compliance. When the text becomes a string of abbreviations, how can anyone be sure what their information security obligations are?
Another common misconception is that guidelines must be formulated in as many technical terms as possible. Even expressions an IT expert uses daily and considers commonplace can be completely unintelligible to a substantial share of the readership. It pays to base your guidelines on the principle that the readers' ability to understand academic text is lower than we expect, even after we have allowed for this. Nor will readers be willing to study a near-scholarly text even if they could. If employees are to be truly familiar with the guidelines, these must be easy to read and ideally entertaining. We therefore recommend collaborating with the marketing department on them wherever possible; with its help you can use stories, comics, clear and distinctive graphics and so on. It all depends on the size of your company, the budget and your creativity.
Testing should be an obligatory part of producing guidelines. Readers from various parts of the organisation should read the guidelines and then be tested on them; this makes any subsequent editing much easier.
Ad c) and d) A code of conduct can also steer employees in the right direction. Beyond that lies the area of employment and legal documents that bind an employee to confidentiality both during employment and after it ends.
Few companies make use of the non-compete clause (covenant not to compete, CNC), under which the employee agrees not to take up or start a similar profession or trade in competition with the other party, usually the employer. Under Czech labour law this commitment obliges the employer to pay financial compensation for the duration of the CNC, amounting to at least half of the employee's gross salary for the corresponding period. It is therefore no surprise that this measure is used far more sparingly than maximum information security would call for.
While negligence, carelessness, ignorance or a lax attitude among employees may be uncomfortable, it is much harder to face deliberate breaches of information security in which an employee pursues their own agenda, mostly revenge or unjust enrichment.
This most commonly occurs in the following situations:
- Feelings of injustice or unfairness, promises or conditions not kept
- Personal or family relationship problems
- Manifestation of certain personal traits, e.g. greed
In almost every case, dismissing an employee and their subsequent departure is a highly emotional affair for both sides. Experience shows that there is no abundance of managers able to handle such a situation sensitively. Parting with an employee without leaving them feeling slighted is imperative, since otherwise they may try to take revenge on their former employer.
This may result in a breach of information security in the usual sense: theft of the corporate customer database, unauthorised acquisition and subsequent publication of personal data or salary information, or the deletion or alteration of important data. It may, however, also take the form of confidential information passed on by word of mouth and the spreading of rumours, both of which are almost impossible to prevent.
The risks associated with dismissing an employee can be mitigated in several ways:
- Managers can be trained in how to dismiss employees, and can be given directives on handling the situation. These can cover not only the dismissal itself but also help for the employee after they leave (outplacement). IT and information security usually stay out of such matters, yet the close link between a dismissal and information security needs to be recognised.
- Technological measures and processes that apply to all of a company's operations, not just dismissals, can help too. One example is a technology company that had to reduce headcount at its Slovak branch, which meant dismissing four account managers. On their last day they handed in their company laptops, whose disks had been formatted. On closer inspection the company found that its central customer database had not been updated for more than a year. In cases like this, the problem is clearly not the dismissal itself but insufficient information risk management.
- From the information security standpoint there should be a clear process for what to do when an employee is dismissed, and what to pay special attention to in a "risky" dismissal. The process can cover a range of issues, from access to particular data to the immediate removal of access rights and the blocking of mobile devices. These questions need to be settled with a lawyer in advance (especially those concerning private mobile devices), because when the situation arises there will be no time to do so.
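The Slovak case above and the offboarding process just described both come down to checks that can be automated rather than left to memory on a colleague's last day. The following is an added example, not code from the article or from Personal Connect, that runs two such checks over constructed data: accounts that are still enabled after their owner's last day (a contentious dismissal or a privileged account is treated as urgent, ordinary accounts get a short grace period), and owners whose records in the central customer database have not been touched for longer than an agreed period, which is what the formatted laptops revealed too late. The system names, usernames, dates and the HR "risky" flag are all assumptions.

```python
"""Offboarding checks: orphaned access and stale data custody.

Added example for this article, not code from the original text; all
systems, usernames and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    system: str        # assumed system names: "idp", "vpn", "crm"
    user: str
    enabled: bool
    privileged: bool   # admin or bulk-export rights in that system


@dataclass(frozen=True)
class Departure:
    user: str
    last_day: date
    risky: bool        # HR flags the dismissal as contentious


@dataclass(frozen=True)
class CrmRecord:
    owner: str
    last_updated: date


# Constructed sample data: an HR leaver feed, an account inventory, CRM records.
TODAY = date(2014, 4, 15)

DEPARTURES = [
    Departure("jnovak", date(2014, 4, 10), risky=True),     # left under protest
    Departure("psvoboda", date(2014, 4, 14), risky=False),  # left yesterday
    Departure("mkral", date(2014, 6, 30), risky=False),     # notice given, still employed
]

ACCOUNTS = [
    Account("idp", "jnovak", enabled=True, privileged=False),
    Account("vpn", "jnovak", enabled=True, privileged=False),
    Account("crm", "jnovak", enabled=False, privileged=False),  # already revoked
    Account("idp", "psvoboda", enabled=True, privileged=True),
    Account("crm", "psvoboda", enabled=True, privileged=False),
    Account("idp", "mkral", enabled=True, privileged=False),
    Account("idp", "adminsvc", enabled=True, privileged=True),  # not a leaver
]

CRM_RECORDS = [
    CrmRecord("jnovak", date(2013, 2, 1)),
    CrmRecord("jnovak", date(2013, 3, 5)),
    CrmRecord("mkral", date(2014, 4, 1)),
]


def orphaned_access(accounts, departures, today, grace_days=0):
    """Accounts still enabled after their owner's last day.

    Returns sorted (system, user, severity). A contentious dismissal or a
    privileged account is 'high' regardless of grace; an ordinary account is
    'medium' once it has outlived the grace period and is skipped before that.
    """
    departed = {d.user: d for d in departures if d.last_day <= today}
    findings = []
    for acct in accounts:
        dep = departed.get(acct.user)
        if dep is None or not acct.enabled:
            continue
        if dep.risky or acct.privileged:
            findings.append((acct.system, acct.user, "high"))
        elif today - dep.last_day > timedelta(days=grace_days):
            findings.append((acct.system, acct.user, "medium"))
    return sorted(findings)


def stale_owners(records, today, max_age_days=90):
    """Owners whose newest update to the central database is older than
    max_age_days: their customer knowledge lives somewhere the company
    does not control, which should be noticed long before they leave."""
    newest = {}
    for rec in records:
        if rec.owner not in newest or rec.last_updated > newest[rec.owner]:
            newest[rec.owner] = rec.last_updated
    return sorted(o for o, d in newest.items() if (today - d).days > max_age_days)


if __name__ == "__main__":
    for finding in orphaned_access(ACCOUNTS, DEPARTURES, TODAY):
        print("orphaned access:", finding)
    for owner in stale_owners(CRM_RECORDS, TODAY):
        print("stale CRM owner:", owner)
```

Run daily against the real HR feed and account inventories, the first check turns the "immediate removal of access rights" step into something that is verified rather than assumed; the second is the early warning the Slovak branch lacked, and is worth running for every account manager, not only those being dismissed.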
Feelings of injustice or unfairness, promises or conditions not kept
In all of these cases it is important to realise that the driving force behind a deliberate act may be a failure to meet the employee's expectations. Even where no injustice has in fact been done, the feeling of one can arise, raising the probability of a risky situation. This differs greatly from a dismissal in that not just one employee but a larger group may share these feelings and reinforce each other in them. If the "upset" employee stays in the company and keeps all their access rights, the potential for greater harm grows.
The direct superior plays the key role when such a situation arises. Where formal and informal communication works and employee relations are friendly, or at least respectful, the risk is much lower.
A lack of clear rules and directives also raises the likelihood that an employee will feel slighted. Vague job descriptions only lead to misunderstandings on both sides. A manager responsible for information security should be most careful precisely in those situations where the rules are unclear and where a new direct superior arrives with a distinctly different approach to work than his predecessor.
If a company conducts regular employee satisfaction surveys, the information security manager should pay close attention to the results. A decline in satisfaction across an entire department is a warning sign of a risky situation.
Personal or family relationship problems
Even an employee who would normally follow the rules may be capable of criminal behaviour when under too much pressure. Some such situations the company can identify relatively easily; others are less obvious but still detectable (e.g. the employee's child has a serious illness requiring expensive treatment). In some situations it is almost impossible to detect any unusual behaviour (e.g. a pregnant mistress). Moreover, this is an area where any closer observation or "spying" on employees invades their privacy.
Manifestation of certain personal characteristics
This is an area where even thorough vetting sometimes cannot prevent an unpleasant surprise. There is a never-ending debate about whether testing can identify someone's inclination towards criminal behaviour, pathological greed or even deep-seated envy. Some also ask whether such tests are truly reliable, whether they can really predict someone's behaviour in the long term, and whether highly intelligent people can fool them. Standardised typologies and psychodiagnostic tools certainly exist. In this article we will content ourselves with a few brief recommendations, the most important being that when you test candidates psychologically, the topic of information security must be part of it.
This brings us to the question of defensive measures, for in this case training and awareness campaigns do not solve the problem. What remains is the option of a stricter environment, both technological and procedural. An employee serving out a notice period may, for example, keep the right to view and use the internal database but lose the ability to delete, modify or copy its data. It is also possible to monitor employees' behaviour on the internal network more closely, be stricter in allocating user rights, and the like. Still, the most effective way to deal with this danger remains addressing the situation itself: removing the cause of the employee's frustration, reaching a relatively amicable agreement about the parting, and so on.
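The read-only database access just described is a least-privilege control that can be enforced at the database rather than by trusting the user. The block below is an added example, not code from the article or from Personal Connect: it uses SQLite's authorizer hook on an in-memory database with constructed customer records to stand in for what a production database server does with a SELECT-only grant. Reads succeed, every write is refused before it executes, and each refused attempt is recorded against the user, because a notice-period employee trying DELETE statements is precisely the behaviour the closer monitoring mentioned above should surface. One caveat the example makes visible: a database can stop deletion and modification, but it cannot stop someone copying what they are allowed to read; that part of the article's recommendation needs logging and export controls outside the database. The username and table contents are assumptions.

```python
"""A read-only database session for an employee serving notice.

Added example for this article, not code from the original text. A real
system would enforce this server-side (GRANT SELECT only, with server-side
audit logging); here SQLite's authorizer hook plays that role on an
in-memory database with constructed customer records. The username is assumed.
"""
import sqlite3

# Authorizer action codes that only read data. Everything else is denied.
READ_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

ACTION_NAMES = {
    sqlite3.SQLITE_DELETE: "DELETE",
    sqlite3.SQLITE_UPDATE: "UPDATE",
    sqlite3.SQLITE_INSERT: "INSERT",
}


def build_customer_db():
    """Constructed sample data standing in for the central customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, contact) VALUES (?, ?)",
        [("Acme s.r.o.", "acme@example.test"), ("Beta a.s.", "beta@example.test")],
    )
    conn.commit()
    return conn


class ReadOnlySession:
    """Denies every write on the connection and records who tried what.

    Denied attempts are a signal in their own right: a notice-period user
    issuing DELETE statements is exactly what closer monitoring should catch.
    """

    def __init__(self, conn, user):
        self.conn = conn
        self.user = user
        self.denied = []   # (user, action, table) for each refused operation
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, db_name, trigger):
        # SQLite consults this hook while preparing each statement; arg1 is
        # the table name for INSERT/UPDATE/DELETE.
        if action in READ_ACTIONS:
            return sqlite3.SQLITE_OK
        self.denied.append((self.user, ACTION_NAMES.get(action, str(action)), arg1))
        return sqlite3.SQLITE_DENY

    def query(self, sql, params=()):
        """Run a statement; writes fail at prepare time with 'not authorized'."""
        try:
            return ("ok", self.conn.execute(sql, params).fetchall())
        except sqlite3.DatabaseError as exc:
            return ("denied", str(exc))


def demo(user="jnovak"):
    """Exercise the session: reads succeed, writes are refused, data is intact."""
    session = ReadOnlySession(build_customer_db(), user)
    results = {
        "read": session.query("SELECT id, name FROM customers ORDER BY id"),
        "delete": session.query("DELETE FROM customers WHERE id = 1"),
        "update": session.query("UPDATE customers SET contact = ? WHERE id = 2",
                                ("other@example.test",)),
        "still_there": session.query("SELECT count(*) FROM customers"),
    }
    return results, session.denied


if __name__ == "__main__":
    results, denied = demo()
    for name, outcome in results.items():
        print(f"{name:12s} {outcome}")
    print("denied attempts:", denied)
```

The authorizer is per connection, so the restriction attaches to the session handed to the departing employee and not to the database itself; the same shape applies to a server-side role that has SELECT and nothing else, where the refused statements show up in the server's audit log instead of an in-process list.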
The damage inflicted by employees tends to exceed that of external attacks, and it should be said that information security managers are generally aware of this. Nevertheless, the investment and effort directed at it is mostly negligible compared with the technological side of the issue.
We therefore recommend closer cooperation with the HR department, and a careful comparison of investments not only between different technologies but also between security technology on the one hand and staff training and motivation on the other. It is also essential to realise that a number of measures usually presented purely as HR matters (outplacement, for example) are at the same time measures that strengthen information security.
What about an internal advertising campaign?
A useful tool for raising awareness of information security principles is an internal communications campaign. Some organisations summarise the various security principles at prominent spots in their offices or on the intranet, but this has the disadvantage of overloading employees with information security "guides"; after a while they simply stop noticing them. A one-off communications campaign overcomes this disadvantage, especially when it is executed in an interesting, novel or even entertaining way.
Your campaign could address information security through the following channels:
- Directly addressing the issue in an e-mail or letter
- Intranet pages specifically focused on the issue of information security
- Information banners on your intranet
- Small gifts containing a message on information security
- Posters and banners in meeting rooms, entrance halls, but also for example in the employee kitchens
- Small stickers in places where faulty behaviour is likely; a label next to the waste-paper bin can, for example, point out that confidential documents do not belong there
- Various stands and conspicuous objects that attract attention
- Leaflets, magazines or newsletters belonging to the campaign
- "Guerrilla marketing": a group of costumed participants role-plays an information security situation that stirs up bystanders and attracts attention
- Turning your message into images or videos popular enough to go viral (these usually rely on jokes or sexual innuendo)
Using these channels exceeds the capabilities of the usual IT or information security department. It is therefore useful to work with your marketing department or an external advertising agency (there are communications agencies that specialise in information security). The prerequisite for success, however, is very close and smooth cooperation between the information security experts and the creative side. The usual procedure of handing an assignment to an agency and waiting for results may fail you, since some agencies tend to assure their customers that they fully understand the issues and needs even when that is evidently not the case.
Watch out for the assistants!
It is generally well known that dismissed managers and IT administrators can pose a major risk to a company. The dismissal of assistants, however, is greatly underestimated. This is a serious error that may come back to haunt you. In many cases assistants know their superiors' access credentials, and sometimes the superiors themselves do not know which credentials their assistants know. Add to this that, particularly with personal assistants, the working relationship often involves a certain emotional commitment, and a dismissal can end up being taken very personally indeed. The dismissal of an assistant is therefore almost always a significant security risk, and what may look like excessively strict working conditions can be a rational countermeasure against "unhappy" soon-to-be ex-assistants.
A psychological contract is a term for the set of mutual expectations and obligations between an employee and an employer. These expectations concern values and norms, desired behaviour, work performance, pay, promotion, the principles of dealing with people, indeed every aspect of how the organisation and the people in it function.
The essential point is that although the psychological contract is not written down, both sides understand it well and behave almost as if it were legally enforceable. If one party stops respecting it, it can expect an angry reaction from the other. Psychological contracts can concern relative details (e.g. the right to use the company phone for private calls) as well as fundamental matters, such as an "automatic" pay rise after three successful projects.
Case study: Colt
Research at the famous arms manufacturer Colt showed that a substantial share of employees tended to trust strangers who contacted them through seemingly trustworthy electronic channels (e.g. an e-mail address in the domain of a well-known company). In 2012, therefore, an internal campaign was run to change employee behaviour in this area.
The campaign was built around a story of identity thieves and their victims. Week by week, employees could follow how the thieves prepared, and what methods and means they used to obtain sensitive data, until they had gained complete control over all of their victims' access rights and information sources. Part of the story was told through comic-book characters, but recipients could also read the victims' diaries and e-mails, and so on.
The campaign was originally designed with a female victim, but testing showed that the arms factory workers (mostly men) had trouble identifying with her, so the authors made the victim a man.
Mgr. Ivana Spoustová studied adult education and, during her 20-year career, has worked in various HR positions, from specialist to HR Director for 8 countries.
Published in Data Security Management magazine in April 2014