Unveiling the Menace of Passive Insider Threats in Your Business
“They mash keys!”
That is what a law enforcement officer told me when I asked him about passive insider threats. These are the people who fail the phishing tests. They resist changing passwords. They are a threat to an organization.
September was Insider Threat Month, prime time to talk about the risks posed by passive insider threats. An insider is any person who has (or had) authorized access to (or knowledge of) an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. These aren’t necessarily malicious people, and they may be long-time employees.
As a kid, the first nightmare I got from reading a book was Salem’s Lot by Stephen King. As terrified as I was, I learned that vampires have rules. They must be invited in. Passive insiders are opening the windows and leaving the doors ajar for these cyber vampires.
How do you identify these employees for additional training and monitoring?
- They visit websites at work that they wouldn’t visit at home
- They click on links in emails carelessly
- They mash the keys on their keyboards
- They fail the organizational phishing email tests
- They are slow to embrace change
These are the people who also fall victim to social engineering. By using the principles of persuasion (romance, finance, job, academic, etc.), cyber vampires enter their lives and organizations.
How can an organization mitigate these insider threats?
As our friends at CISA note in their Insider Threat PDF, “…coworkers, peers, friends, family members, or casual observers are the human components for the detection and identification of an insider threat. They are frequently positioned to have insight into and awareness of predispositions, stressors, and behaviors of insiders. Behaviors reflect patterns of activity over time, based on the way the insider interacts within the organization. These indicators are directly observable by peers, HR personnel, supervisors, managers, and technological systems.”
The moral of this horror story is that the best defense against passive insider threats is community. When the leadership and staff of organizations look out for each other, the threats diminish. Rebecca Morgan (Insider Threat guru) closed a presentation a few years ago by sending a simple message to leaders: “Just be nice.”