I think I can answer the question in the title of this post simply by pointing out that the FBI maintains a web page called "The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy." Malevolent insiders have always been a threat, but they have worked their way to the top of our minds lately. We all had our consciousness raised last December when the GOP (the "Guardians of Peace," not that other GOP) claimed it had insider help in the Sony hack.
FBI’s “Insider Threat” page lists nearly a dozen motives your own employees might have for stealing from your company or sabotaging its operations, ranging from greed to problems at work, from family problems to divided loyalties. Some of these you can mitigate: excellent management can minimize problems at work and reduce employee alienation. But there’s not much you can do to deter thrill seekers, blackmail victims, addicts, or moles. So the FBI’s page describes more than a dozen types of signs that an employee may be an insider spy.
Here are just a few of those types of signs:
- An employee who takes proprietary or other material home without authorization, particularly if it’s outside their area of responsibility.
- An employee who uses the company network remotely while on vacation or sick leave.
- An employee who violates company policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
- An employee who shows exceptional eagerness for overtime work, weekend work, or strange schedules.
These aren’t necessarily indications you’re got a spy in your midst. There can be legitimate reasons for all of these behaviors. While the FBI’s site is a great resource, I take a much broader view of the threat posed by your own employees. While the FBI’s concern is primarily espionage and theft, I think there are two other behaviors it fails to cover: sabotage and incompetence.
If I had to guess, I would say that incompetence is the most common of the four threats, particularly in the age of BYOD. Now that company business is all over your employees’ smart phones, tablets, and personal laptops, you need to worry about far more than employee intentions. You need to worry about where they might leave their laptops, whether they might foolishly install rogue apps on their tablets, or to whom they might lend their smartphones.
You need strong and well thought-out policies to cover such contingencies, but remember that good policies don’t have much effect on incompetent employees. Their obliviousness to policies is often part of the problem. How do you handle incompetence? Termination of employment might be too strong a response to say, an innocent mistake of very little consequence.
Your best bet is to prevent incompetence through training, or at least use training to identify it early. It turns out the FBI and I are on the same page here. The Bureau recommends security training as the first step to deter theft. Everybody who uses your network needs to be trained in cybersecurity. Everybody in the organization needs to know what looks suspicious. They also need to understand safe computing practices. My advice is to create a cybersecurity training plan and use it to minimize the danger of incompetence to your information assets.