Troublemaker CISO: Penny-Wise, Pound-Foolish & Insider Risk
The Rant of the Day From Ian Keller, Ericsson
But enough shameless self-indulgence. On with the rant. You all know the adage, "Pennywise, pound-foolish." No, not the clown, although I spelled "penny-wise" incorrectly there on purpose, to fool you.
The saying is relevant when we talk to those friendly and knowledgeable finance people about ongoing employee screening to counter the dreaded insider threat, and about the costs that come with it - which usually ends with us pulling out our hair in utter frustration as we try to explain why the investment is worth it. Well, this rant is about that.
"Let’s face it, why should the company keep on screening staff? We did it already," is the usual response we get from the finance department when we talk about investing in security against the insider threat. Finance is worried about liquidity ratios, share dividends, our bonuses and who knows what else.
I usually respond with, "This is the same concept as insurance: You update it regularly to know you are covered and to identify any areas where your coverage might be lacking. You pay every month to make sure that when something bad happens, you can recover from it, but it doesn’t stop you from driving into the gate. Info Sec is the same; we just try to prevent it from happening in the first place, and if it does, we try to ensure that the impact is minimized. So, if you don’t see anything going wrong, it means it’s working like we said it would."
The Dreaded Insider Threat
The insider threat, and the cost of dealing with it, is probably the most difficult of all the issues we face. It comes up right at the beginning of the employment process: We interview a shiny new face to fill a position in our company and check for cultural fit, skills, passion and all the good things. Some companies go all the way when vetting a potential staff member: They send them off for psychometric assessments, skills verification and every background check known to man, including reading their blog posts and reviewing their social media activity.
All of these checks are done at that one point in time, and it costs a lot of money to run the tests and verifications. Most companies take the standpoint that if a new hire started out good, they will stay good. But we know this is not the case. Any staff member can develop an exploitable weakness - gambling debt, medical bills they cannot pay - or become disgruntled for one reason or another.
What You Should Be Doing
Companies should re-verify staff on a regular basis, and depending on the role a polygraph test might even be in order, where local law allows it (many jurisdictions restrict its use by private employers) - if you have a twisted sense of humor, you can have a lot of fun here. The best case I have seen was a quarterly assessment of all staff in positions of influence, but this is seldom done. At most, companies reassess staff every few years, and only for one or two critical positions.
The recent case involving AT&T is an example of this problem. Staff members were bribed with large sums of money to help unlock phones illegally, which reportedly cost AT&T north of $200 million. This went on for years before it was detected and stopped.
The point is: When you do regular checks on your staff, you can quickly see and respond to a change in circumstances. If your call center agent drives a Lambo on a salary that barely covers a bicycle, that should raise a flag. Yes, it could be that mommy and daddy are wealthy, in which case kudos to them for splurging on the kid while still making them work. On the other hand, you may have a serious issue to deal with.
Not all of it is bad; checking on staff can also lead to preventive action. When you see that a staff member's credit score has tanked, you can have a sincere conversation with that individual and maybe help get them out of the hole they are in. When you see that their social environment has changed, you can act accordingly.
I am not saying you should spy on them day in and day out - only when you need to verify that all is still OK.
People are our greatest asset and our greatest weakness - much like cloud. Always do good by your people because, without them, your business is going nowhere.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Ian Keller, who is director of customer security at Ericsson, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force’s Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.