Organizations are not in touch with employees, and “misunderstand the strength of someone’s loyalty who doesn’t necessarily want to work 9-5”.
Speaking on a roundtable hosted by Balabit held in central London on the theme of insider threat, social engineer and speaker Jenny Radcliffe said that a social engineer is not always looking for someone who needs money, but looking for someone who is not enamored at that moment and has ambitions beyond the 9 to 5.
“People over-estimate how loyal employees are, and how loyal they can be, but they are more loyal to themselves than the company that they work for,” Radcliffe said.
Also on the panel was Dr Lee Hadlington, senior lecturer in Cognitive Psychology & Chartered Psychologist at De Montfort University, who acknowledged the stigma of reporting insider threats, as it says to the external world that “not even our employees are that engaged with us".
He said that it demonstrates that the employee is not engaged with the company culture or ethos, and most companies ignore and do not accept the problem.
“Companies like to believe in the illusion of security where you put things in the way to stop people attacking the system, but then you get down to the fact that to understand the human is the most complicated element that you could engage with,” he added.
Asked on how an insider threat can be detected and stopped, Adrian Asher, CISO of the London Stock Exchange Group, said that the main problem is that organizations do not know where their critical assets are or where they are hosted, and bad cyber hygiene is missing that organizations do not get the basics right.
“Once you know what they are trying to get to, you can increase the level of controls of monitoring behavior or even more static rules, and if you’re in the privileged position to understand [your users] you can start adding defenses to that,” he said.
“For me, the context of whether they are an internal person or an external person is immaterial, if someone is doing something that I am not expecting them to do whether it is something that I have given them or that they have hijacked, I need to be able to detect and alert and give the business the context to make a decision on whether they should be cut off or alert the authorities.”
Radcliffe said that whilst you have different personalities in an organization you’ll always have bad and lazy behavior, and people will always try and get around what defenses you put in place.