Employees’ Contribution to Breach of Trust

April 26, 2018

This is a follow-up article to our earlier blog post, Thoughts on Breach of Trust vs. Breach of Security.

In his Optiv blog article, Mitch Powers stated that 1 in 5 employees would be willing to sell their password to an outside party. Is this a potential contributor to a breach of trust between organizations? Could such employees be identified prior to or during employment? 

In my opinion, the 20 percent who would sell out their employer could be easily identified. The best strategy, in my opinion, is to get some good references, and use LinkedIn and other means to identify other references who can provide an unvarnished opinion of a candidate. Possibly a personality test of some kind might help identify key characteristics. 

Part of the problem is this: Employees, when they leave an organization, most often leave their manager. So that single relationship could be the culprit, which means a manager's skills and personality may also be a contributor.

Next, it's likely that some employees break their loyalty with the organization when the organization makes moves to break loyalty with them. For instance, if a company changes policies in a negative way, or changes compensation plans in a negative way, employees may feel undervalued and they may lose their sense of loyalty to the company. 

Finally, personal circumstances may play a role. For example, an employee could enter a period of financial hardship that could alter their behavior out of simple desperation. For this reason, some organizations conduct periodic background investigations on employees in high-risk positions in order to better understand whether they remain a low risk. 

Fortunately, employers are not simply helpless here. Organizations can perform broad and/or focused risk assessments to discover weaknesses in processes and technologies; this can provide opportunities to create, strengthen, or fix controls. Next, organizations can perform threat modeling on specific systems and processes to see what could go wrong; this too can provide improvement opportunities.

Here's an example. An organization is fearful that employees might, consciously or not, give up login credentials to an unauthorized party. This actually happens quite often, mostly through credential-stealing malware, some of which is so advanced that it remains undetected even when anti-virus programs are up to date and operating properly. In this situation, multi-factor authentication (MFA) is a common remedy. In organizations that are sensitive to the minor inconvenience that MFA imposes on its users, adaptive authentication can be implemented. This examines the login session more carefully and decides when stronger authentication is called for, such as when the login comes from a location far away from the place where the last successful authentication occurred.
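The adaptive authentication decision described above can be sketched as follows. This is an added example, not code from the original post or from any product; the class and function names, the 500 km threshold, and the assumption that each login arrives with geolocated coordinates are all illustrative.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
STEP_UP_DISTANCE_KM = 500.0  # assumed policy threshold; tune per organization

@dataclass
class Login:
    user: str
    lat: float  # latitude of the geolocated source, degrees
    lon: float  # longitude of the geolocated source, degrees

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

class AdaptiveAuth:
    def __init__(self) -> None:
        self.last_success = {}  # user -> Login of last successful authentication

    def required_factors(self, attempt: Login) -> str:
        """Return 'password' or 'password+mfa' for this attempt."""
        previous = self.last_success.get(attempt.user)
        if previous is None:
            return "password+mfa"  # no baseline yet: ask for the stronger check
        if distance_km(previous, attempt) > STEP_UP_DISTANCE_KM:
            return "password+mfa"  # far from the last successful login
        return "password"

    def record_success(self, attempt: Login) -> None:
        # Call only after the required factors were all verified, so that a
        # stolen password alone can never move the user's baseline location.
        self.last_success[attempt.user] = attempt

# Constructed sample logins (coordinates are approximate city centres).
DENVER = Login("alice", 39.74, -104.99)
BOULDER = Login("alice", 40.01, -105.27)
LONDON = Login("alice", 51.51, -0.13)
```

Because the baseline is updated only in `record_success`, a remote attempt that fails the MFA challenge leaves the next nearby login unaffected.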

Trust can be earned and lost, but it can also be verified. While employees are sometimes the weak link, key activities can be adjusted (sometimes without end user awareness) in order to provide organizations with added confidence that individuals are continuing to practice sound judgment.  


By: Peter Gregory

Director, Information Security
