Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.
Employees’ Contribution to Breach of Trust
This is a follow up article to our earlier blog post, Thoughts on Breach of Trust vs. Breach of Security.
In his Optiv blog article, Mitch Powers stated that 1 in 5 employees would be willing to sell their password to an outside party. Is this a potential contributor to a breach of trust between organizations? Could such employees be identified prior to or during employment?
In my opinion, the 20 percent who would sell out their employer could be easily identified. The best strategy, in my opinion, is to get some good references, and use LinkedIn and other means to identify other references who can provide an unvarnished opinion of a candidate. Possibly a personality test of some kind might help identify key characteristics.
Part of the problem is this: Employees, when they leave an organization, most often leave their manager. So it could be that single relationship that is the culprit - so a manager's skills and personality may also be a contributor.
Next, it's likely that some employees break their loyalty with the organization when the organization makes moves to break loyalty with them. For instance, if a company changes policies in a negative way, or changes compensation plans in a negative way, employees may feel undervalued and they may lose their sense of loyalty to the company.
Finally, personal circumstances may play a role. For example, an employee could enter a period of financial hardship that could alter their behavior out of simple desperation. For this reason, some organizations conduct periodic background investigations on employees in high-risk positions in order to better understand whether they remain a low risk.
Fortunately, employers are not simply helpless here. Organizations can perform broad and/or focused risk assessments to discover weaknesses in processes and technologies; this can provide opportunities to create, strengthen, or fix controls. Next, organizations can perform threat modeling on specific systems and processes to see could go wrong; this too can provide improvement opportunities.
Here's an example. An organization is fearful that employees might, consciously or not, give up login credentials to an unauthorized party. This actually happens quite often, mostly through credential-stealing malware, some of which is so advanced that it remains undetected even when anti-virus programs are up to date and operating properly. In this situation, multi-factor authentication (MFA) is a common remedy. In organizations that are sensitive to the minor inconvenience that MFA imposes on its users, adaptive authentication can be implemented. This examines the login session more carefully and decides when stronger authentication is called for – like if the login comes from a location far away from the place where the last successful authentication occurred.
Trust can be earned and lost, but it can also be verified. While employees are sometimes the weak link, key activities can be adjusted (sometimes without end user awareness) in order to provide organizations with added confidence that individuals are continuing to practice sound judgment.