One of the biggest topics I have been asked to speak on in webinars, podcasts and other similar events has been the impact of COVID-19 on security. When asked, most CISOs will launch into impacts upon technology, technology resources, and figuring out how to secure the endpoint that now sits in an employee’s home. All of these are legitimate topics. You can read some of my comments on that in this article I sat for, How the Covid-19 pandemic has changed the data center business (Judge/Alley 2020).
One of the topics that I always address is the human factor that COVID plays in security. I address this topic because it is a real factor and is something that most CISOs don’t discuss, and therefore it gets some response and attention when it is discussed. And of course, having an engaging topic that is unexpected is the point of public speaking. No one wants to sit there and listen to the same story and material over and over again.
So what about this human factor and security? What is it and why do I care as a CISO? According to many sources, Varonis being only one, “insider threats” account for somewhere between 60% and 75% of all data breaches. Let that sink in a moment, and let me put it a different way to help it sink in. A vast majority of CISOs discuss threats from Advanced Persistent Threats (APTs), script-kiddie hackers, and other nefarious units. However, the statistics show that most of the breaches, up to 75%, occur because of known people, behind your known walls, doing known tasks, often in an abnormal manner. That leaves 25% of breaches that occur as a result of outside forces. To be even more clear, CISOs frequently talk up, talk about, and defend against 25% of their threat surface and ignore 75% of it.
Why would a bunch of smart people only talk about and teach about a threat that is real in 25%-40% of the cases and not talk about the flipped number? One, because we are trained that the bad guy or situation is “out there,” not “in here.” Two, because talking about that space outside of our control allows us to gain tools, staff, and frankly glamour through a fear factor when we defend the environment and can show it. The third is because we are bits-and-bytes, ones-and-zeros machines in most cases, focused on revenue and statistical numbers, not the human side.
Then that begs the question: why do we NOT talk about the insider threat? That also has several reasons. One, we are not trained psychiatrists, psychologists, counselors or pastors. The work that those individuals do is “feeling” work, not technical work. It is not part of a technologist’s DNA to address the feelings and emotional matters of humans. Second, we believe that the people aspect is often supposed to be left to managers or HR. Third, because we have been trained that to suspect someone inside of nefarious activity is unbecoming, accusatory and offensive. And finally, number four, there is a myth that it can be a lawsuit waiting to happen.
The reasons for CISOs not to address the insider threat, as described above, are not valid. The best CISO is one that has the skills to tackle the business, technical, and human sides. If you view this like we do the security CIA triad (Confidentiality, Integrity, and Availability), you can see how being able to successfully maneuver inside the triad of business, technical, and human is essential to a successful CISO and paramount to defending your environment.
Back to the point – COVID has had an impact on insider threat and the human aspects of security. As people were rushed out of their offices, their entire lives were ripped up and rebuilt. Some people handle this well, others do not. When a person does not handle this well, they are prone to error, revenge, and sloppy work. That is where a lot of our security threats play in. Other factors that we as CISOs need to consider are:
- Some people have destructive and hostile home environments and relished the opportunity to get away from that by being in the office ten or more hours a day. The thought of going home, or being forced to be home all the time, weighs heavy.
- Home office situations are often on the kitchen table, in a bedroom, or tucked away in a dingy corner of the basement. This makes the work space temporary and “in the way.”
- Children have multiple factors. Some require extensive amounts of care and are distractions. Some are home from school and the employee is doubling as a teacher.
- Animals distract much the same way as kids.
- The online video meeting craze has made some people concerned and embarrassed about having their private lives (i.e. background) now exposed to co-workers, clients, and others in general from all over the world. This would include the kids barking and dogs screaming in the background (oh wait, did you catch that – reverse it. Or just get a cat, they are quiet and take care of themselves.).
- Some people who are hard and diligent workers in the office are used to compartmentalizing life and don’t have a way physically or mentally to step away when the office is in the home.
- The list can go on, so you fill in the blank. You now have the point.
When a human is under stress there are three things that typically happen.
- They thrive and step up to the challenge. In this case, they are usually on target and are less prone to mistake and therefore potentially less of a security threat.
- They wilt. Like a flower under intense heat, they will slowly dry up and go away. These people are a security threat because as they wilt they will get lax, leaving laptops open for spouses and kids to get into, not taking precautions with sensitive data, and generally making data input or command input mistakes. I also call this a threat of omission, meaning that it may not be intended but is a byproduct of the mentality.
- They fight. Like an aggressive animal caged or trapped in a corner, some people will try and fight their way out of their problem. If their problem is feeling like they are being mistreated by being sent home to work, or the different or less communication from a supervisor leads to feelings of rejection, that aggression or rejection may come out towards the company and result in errors at best or deliberate actions at worst. I call this a security threat of commission as many times the acts are deliberate revenge.
Which one is your biggest threat? Is it the wilters or the fighters? Be careful in your answer. Although a fighter may cause more deliberate damage, there are likely far more wilters than fighters. The wilters will do their work with no one realizing what is going on before it is too late. And don’t let the thrivers fool you. Many thrivers are like a bull in a china shop, trying to move so fast that they destroy the product. For me, I watch them all as equally as possible. Some are obvious, some are not.
What do we do about this? Segregation of Duties (SoD) is more important than ever right now. SoD is the concept that no one person can cause a major system or process to take an action on their own, and no one person can gain complete and total access to data. The idea is that this is accompanied by another control that will alert on the bad or single-actor situation. That second control could be another person who sets off the alarm. SoD is a technical control.
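To make the SoD idea concrete, here is an added example (not code from the original post) that replays a privileged-action log and enforces a two-person rule: the person who requests an action may not approve it, only holders of an approver role may approve, and an action executed without an independent approval raises an alert. It also flags accounts that hold both roles, since that is where the control quietly breaks. The role table, event format, and log lines are constructed for illustration.

```python
"""Two-person (segregation of duties) check over a privileged-action log.

Added example; the role table, event schema and sample log are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed role table (assumption): who may request and who may approve.
ROLES: Dict[str, Set[str]] = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"requester", "approver"},  # dual role: an SoD conflict waiting to happen
}


@dataclass
class Event:
    action_id: str  # identifies one privileged action, e.g. a production change
    kind: str       # "request", "approve" or "execute"
    actor: str


@dataclass
class Alert:
    action_id: str
    reason: str


def sod_conflicts(roles: Dict[str, Set[str]]) -> List[str]:
    """Return accounts that can both request and approve (the control is void for them)."""
    return sorted(u for u, r in roles.items() if {"requester", "approver"} <= r)


def check_sod(events: List[Event]) -> List[Alert]:
    """Replay the log in order and return an alert for every SoD violation.

    Rules (constructed for this example):
      1. an approval is only valid from an account holding the 'approver' role;
      2. the approver must not be the requester of the same action;
      3. an 'execute' without a valid, independent approval on record is flagged.
    The alert list is the "second control" the post describes: it fires on the
    single-actor situation instead of silently letting it through.
    """
    requests: Dict[str, str] = {}   # action_id -> requester
    approvals: Dict[str, str] = {}  # action_id -> independent approver
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "request":
            requests[ev.action_id] = ev.actor
        elif ev.kind == "approve":
            if "approver" not in ROLES.get(ev.actor, set()):
                alerts.append(Alert(ev.action_id, f"{ev.actor} approved without approver role"))
            elif requests.get(ev.action_id) == ev.actor:
                alerts.append(Alert(ev.action_id, f"{ev.actor} approved own request"))
            else:
                approvals[ev.action_id] = ev.actor
        elif ev.kind == "execute":
            if ev.action_id not in approvals:
                alerts.append(Alert(ev.action_id, f"{ev.actor} executed without independent approval"))
    return alerts


# Constructed sample log: A1 is a clean two-person flow, A2 is self-approved,
# A3 is executed with no request or approval at all.
SAMPLE_EVENTS: List[Event] = [
    Event("A1", "request", "alice"),
    Event("A1", "approve", "bob"),
    Event("A1", "execute", "alice"),
    Event("A2", "request", "carol"),
    Event("A2", "approve", "carol"),
    Event("A2", "execute", "carol"),
    Event("A3", "execute", "dave"),
]

if __name__ == "__main__":
    print("dual-role accounts:", sod_conflicts(ROLES))
    for a in check_sod(SAMPLE_EVENTS):
        print(f"ALERT {a.action_id}: {a.reason}")
```

Run on the sample log, the clean A1 flow produces nothing, while A2 and A3 each raise alerts; the dual-role listing shows carol before she ever acts. In practice the "execute" events come from the system that performs the change and the approvals from the ticketing or change tool, and the alerts go to whoever plays the second-person role.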
The best control or action that we can take right now is to manage, lead, and treat people well. We need to teach our managers that it is ok to look at their people through the lens of human concern and as a potential threat, without the threat assessment and reporting being seen as a negative thing towards the employee. When I personally see a person as a threat, I also assume positive intent and see them as recoverable in most cases. Recovery can be achieved with proper coaching, mentoring, and alignment. It could be that the person is having a tough time adjusting to distractions around them. If that is the case, share stories on your team of how others have overcome these challenges. Sometimes it could be that a person is a people person and is missing the companionship of the watercooler or even a cubemate. Encourage ways to overcome that by carving out team and individual time for this type of interaction. Some people have concerns over their looks or what is in the background on a video call. Encourage them to dress and act like they were coming to work in the office. Show them how to use virtual backgrounds. There are a multitude of ways to address the person’s well-being. As managers and leaders, that is our job right now.
When a person has demonstrated that they are unrecoverable or not responding to your coaching and mentoring, do not wait to pull the trigger on termination. The longer a person is exhibiting unrecoverable bad behavior, the more of an opportunity there is for a security incident. Don’t be the person that wakes up one morning and says wow, I should have done that term yesterday, look where we are now. I have been there and learned from it.
My final comments are this. If you are not a CISO and are reading this, have some mercy on your CISO when he/she comes to you and says they have observed some out-of-character behavior by an employee and a discussion is needed. Know that your CISO is paid to be paranoid and it is their job to bring these situations to the table. Also know that it is not easy for that CISO to bring these topics up in a compassionate yet compelling and protective way. Work with your CISO and build the strong relationship that leads to collaboration.
As always, if you have more questions, comments or input, shoot me an email at firstname.lastname@example.org.