Insider Threat Deep Dive on IT Sabotage: Lessons for Organizations (Part 2 of 2)
In my previous blog post, I began to update sabotage statistics provided in 2010. In this second post, I explore how organizations can begin to protect themselves from IT sabotage by learning to identify and appropriately respond to its precursors. The CERT Insider Threat Incident Corpus contains 153 incidents of sabotage.
According to available incident data, precursors of insider sabotage may include the following:
- Disgruntlement. Twenty-six insiders (17%) who committed sabotage displayed signs of being disgruntled, nearly a quarter of whom had been employed by their victim organization for a year or less (6 or 23.1%). (For context, information on disgruntlement was unavailable in 85 incidents.)
- Workplace conflict. Twenty-eight insiders (18.3%) had conflict with supervisors (14) or coworkers (14) prior to committing sabotage; of those, five insiders had conflict with both supervisors and coworkers. Twenty-one insiders (13.7%) were not called disgruntled, but were otherwise engaged in some sort of workplace conflict or aggression.
- Unmet expectations. Unmet expectations were identified in 21.6% of sabotage incidents. The unmet expectations most reported by insiders were promotion (11) and financial rewards (10) (e.g., a desire for recognition, benefits, or royalties for work products).
- Poor performance. Twenty-four insiders (15.7%) had a history of job performance problems before committing sabotage. Of these 24 insiders, half were terminated or had pending terminations and over half (58.3%) were technical staff.
While organizations can certainly begin to identify the aforementioned incidents of sabotage, that is only the first step. There was no known organizational response in 32 incidents where insiders had a history of concerning behaviors, including three insiders who also had a history of security violations.
Indeed, a lack of organizational response is a concern not only for human resources, but also security. Considering that a majority of sabotage incidents were motivated by revenge (73.2%), organizations should spend time to thoughtfully consider approaches that appropriately respond to workplace concerns while simultaneously de-escalating the threat of IT sabotage.
The most common responses by organizations observed prior to an insider committing sabotage include the following:
- Revoked access. Sixteen insiders (10.5%) had their access revoked by their victim organization before committing sabotage. In half of these incidents, insiders used accounts that were not their own to commit sabotage, through shared passwords, compromised accounts, or unauthorized accounts. In addition to changing shared passwords after employee terminations, organizations should regularly monitor systems for compromised and unauthorized accounts.
- Terminations and pending terminations. In addition to the 9 insiders who were terminated in relation to poor performance, 23 other insiders had pending terminations. Terminations were the most commonly identified consequence imposed by victim organizations that preceded insiders committing sabotage (32 or 20.9%). While ensuring that terminated employees do not have access to organizational resources is one approach, organizations can explore human resources procedures that limit organizational exposure to sabotage. For instance, organizations can limit the time between employee notification and termination to reduce the opportunity for sabotage. In addition, organizations can leverage exit surveys to allow terminated employees to feel respected and recognized (potentially curbing the appetite for revenge), the results of which could be used to make organizational shifts that reduce the threat of insider risk in general.
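One way to carry out the account monitoring recommended under "Revoked access", and to check that terminated employees no longer hold access, is to cross-check an account inventory against the HR roster. The following is an added example, not part of the original post; the data, field names, and the `audit_accounts` function are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the CERT corpus).
# HR roster: employee id -> termination date (None = still employed).
HR = {"alice": None, "bob": date(2024, 3, 1), "carol": None}

# Account inventory: "owners" are the people who know the credential.
ACCOUNTS = [
    {"name": "alice", "owners": ["alice"], "enabled": True, "pw_changed": date(2024, 1, 10)},
    {"name": "bob", "owners": ["bob"], "enabled": True, "pw_changed": date(2023, 11, 2)},
    {"name": "svc_backup", "owners": ["bob", "carol"], "enabled": True, "pw_changed": date(2024, 2, 15)},
    {"name": "svc_deploy", "owners": ["bob", "alice"], "enabled": True, "pw_changed": date(2024, 3, 2)},
    {"name": "tmpadmin", "owners": [], "enabled": True, "pw_changed": date(2024, 2, 28)},
    {"name": "dave", "owners": ["dave"], "enabled": False, "pw_changed": date(2022, 5, 5)},
]

def audit_accounts(accounts, hr):
    """Return sorted (account, finding) pairs for enabled accounts."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        known = [o for o in acct["owners"] if o in hr]
        if not known:
            # No owner on the HR roster: nobody authorized this account.
            findings.append((acct["name"], "unauthorized: no owner on HR roster"))
            continue
        gone = [hr[o] for o in known if hr[o] is not None]
        if not gone:
            continue
        if len(gone) == len(known):
            # Every owner has left, so the account should be disabled.
            findings.append((acct["name"], "enabled after all owners terminated"))
        elif acct["pw_changed"] <= max(gone):
            # Shared credential is still known to a departed employee.
            # A change on the termination day itself is treated as not rotated.
            findings.append((acct["name"], "shared password not rotated since termination"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, HR):
        print(f"{name}: {finding}")
```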
For more information on strategies for combating insider sabotage, check out the paper Four Insider Sabotage Mitigation Patterns and an Initial Effectiveness Analysis.