At the airport recently, waiting for boarding, flipping through an issue of United States Cybersecurity Magazine, an article about detecting insider threats caught my eye. It was loosely based on a list of behaviors it claimed were ideal indicators for detecting insider threats. I thought, “Wow, this is great! I know plenty of clients who could benefit from this information.” Insider threats are difficult to detect, and I was excited by the opportunity to get new insight, but I became more and more distraught as I read on. The longer I read, the more I saw myself, and many of my cyber-colleagues, being described by the author’s so-called threat indicators. How could we, the good guys, be mistaken for threats?
I read through the list again, and for each point, I asked, “Is this a reliable indicator of a real threat, or a false positive?” I’ve provided the entire list below with my thoughts on each item.
- Remotely accesses the network while on vacation, sick or at odd times
Would a threat actor access the network at odd times? Certainly possible, but an honest, dedicated employee might also check-in while on vacation or out sick. I have spent many sick days at home reading through documents. So have my colleagues. Last vacation, I spent evenings after the kids were in bed logged into the network working on a report due shortly after my return. This triggers both “odd times” and “while on vacation,” yet the activities clearly benefited my employer.
- Works odd hours without authorization
This is fairly similar to the prior indicator, so I will focus on the added caveat “without authorization.” I am assuming we are talking about exempt employees here, where extra work does not impact pay or add additional cost to the company. Dedicated employees work when it’s required, which can be at unexpected and unusual times. Work schedules in today’s world are all about flexibility and self-determined priorities. We entrust our employees to make good decisions on our behalf, get work done and accomplish goals. Now we are going to be suspicious when they do so without asking first? That used to be called self-motivated and able to work independently, and it was considered a good quality for employees to exhibit.
- Notable enthusiasm for overtime, weekend or unusual work schedules
This essentially says that if you are enthusiastic and ambitious about your career, if you want to be successful and volunteer when needed, you are a threat and need to be watched. Will interest in how your company works outside of your immediate duties also be considered suspect?
- Interest in matters outside of the scope of their duties
Well, it’s not like I didn’t know it was coming, but that doesn’t make it any less confounding. Don’t we want employees to take an interest in the company, grow into new positions and take on more authority? From decades of performance reviews, I can’t tell you how often I’ve been told I will be promoted when I’m doing the job at the level above me.
- Unnecessarily copies material
I agree this one could go either way. A lot of data access and movement to local devices can be a true indicator of theft of IP and exfiltration, and it should be monitored. Despite that, it may also indicate an employee who is researching projects and building a local knowledge base for valid company use.I personally have extensive local (encrypted) stores of data from past projects that I use regularly for reference and as templates on current projects. A software developer who doesn’t have a “library” of code for reuse, or a consultant who doesn’t keep prior reports for future reference? They may exist, but I haven’t met one.
Ultimately, there is a larger problem at play here. This list is based on an industrial-age mentality, but we are fighting an information-age war. And we’re failing. We need to start thinking about cyber with an information-age mentality. Our employees are highly educated, invested and dedicated to the success of our organizations. We want to encourage this behavior, not inhibit it.
My colleague, Julian Ackert, recently wrote here about how to combat insider threats. His excellent approach focuses on securing assets and thinking about how our data is stored, not undermining our employee morale and questioning employees who are volunteering for extra duties, interested in the firm beyond their immediate job, willing to work off-hours, and checking in while on vacation. These employees should be considered for recognition, and possibly promotion, not treated as suspects or threats.
Do I believe insider threats are a problem? Yes. Do I want to find ways to shut them down before they act? Yes. But do I also worry that we may end up destroying much of what makes our organizations great in the name of being vigilant against cyberthreats? I do.
It’s important to be ready to react to security issues, and that includes being prepared by identifying the potential problems early. However, there is real harm that you can do to your firm and your most important assets, your employees, by overreacting and creating problems that don’t really exist.