Senior Staff Immune from Insider Threat Finger-Pointing
Research into insider threats has found that employees are so reticent to snitch on bosses they suspect are threat actors that senior staff are virtually immune from being reported.
Researchers at Red Goat Cyber Security questioned 1,145 participants across a range of roles, countries, and industries to gain insight into insider threat reporting practices. Respondents were asked how likely they would be to report colleagues, friends, new staff, senior staff, and contractors as threat actors in five different suspicious scenarios.
Scenarios included observing withdrawn behavior in the person and becoming aware that the person had criticized the company on social media.
The data gathered revealed an overall reluctance to report friends and colleagues irrespective of the severity of their actions. And even in the fifth and most potentially damning scenario—clocking that a person was keeping strange hours and bringing unauthorized people into the business—only 14% of respondents said they would report a senior staff member.
Employees were most likely to report suspicious behavior observed outside their immediate tribe. When it came to scenario five, 96% of respondents would rat on new staff, and 97% would point the finger at a contractor.
Piers Shearman, partner at Red Goat Cyber Security, said the results indicate "that the people with the most authority and the most access to data will not be reported if they abuse their position."
With a rise in the number of companies falling victim to insider threats, this new research exposes a problem destined to become more serious. According to research carried out by Verizon, the percentage of companies hit by insider attacks increased from 26% in 2016 to 34% in 2018.
Insider threats are not only hard to spot—who hasn't appeared withdrawn at work at some point?—but the majority stem from accidents, negligence, and staff unwittingly being taken in by phishing scams.
Asked how businesses can neutralize insider threats, Shearman said: "Make sure HR are heavily involved in any insider threat program you implement. Provide staff with adequate training on detection of concerning behaviors, why they are concerning, and how to report them.
"The key point to note when it comes to monitoring behavior is to be able to identify significant and sustained changes in someone. This requires a holistic view and needs to be handled sensitively too."
Source: Information Security Magazine