Posted by Insider Threat
In my previous blog post, I began to update sabotage statistics provided in 2010. In this second post, I explore how organizations can begin to protect themselves from IT sabotage by learning to identify and appropriately respond to its precursors. The CERT Insider Threat Incident Corpus contains 153 incidents of sabotage.
According to available incident data, precursors of insider sabotage may include the following:
While organizations can certainly begin to identify the aforementioned incidents of sabotage, that is only the first step. There was no known organizational response in 32 incidents in which insiders had a history of concerning behaviors, including three insiders who also had a history of security violations.
Indeed, a lack of organizational response is a concern not only for human resources, but also for security. Considering that a majority of sabotage incidents were motivated by revenge (73.2%), organizations should take the time to consider approaches that respond appropriately to workplace concerns while simultaneously de-escalating the threat of IT sabotage.
The most common responses by organizations observed prior to an insider committing sabotage include the following:
Revoked access. Sixteen insiders (10.5%) had their access revoked by their victim organization before committing sabotage. In half of these incidents, insiders used accounts that were not their own to commit sabotage, through shared passwords, compromised accounts, or unauthorized accounts. In addition to changing shared passwords after employee terminations, organizations should regularly monitor systems for compromised and unauthorized accounts.
Terminations and pending terminations. In addition to the 9 insiders who were terminated in relation to poor performance, 23 other insiders had pending terminations. Terminations were the most commonly identified consequence imposed by victim organizations that preceded insiders committing sabotage (32 or 20.9%). While ensuring that terminated employees do not have access to organizational resources is one approach, organizations can also explore human resources procedures that limit organizational exposure to sabotage. For instance, organizations can limit the time between employee notification and termination to reduce the opportunity for sabotage. In addition, organizations can use exit surveys to allow terminated employees to feel respected and recognized (potentially curbing the appetite for revenge), and the results could be used to make organizational shifts that reduce insider risk in general.
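The account review recommended under revoked access and terminations can be automated by cross-checking an HR roster against an account inventory. The following is an added example, not code from the original post or from CERT; the roster format, inventory fields and finding labels are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample data, not taken from the CERT corpus.
# HR roster: employee -> termination date (None while still employed).
HR_ROSTER = {"alice": None, "bob": date(2024, 3, 1), "carol": None}

# Account inventory: "users" lists everyone who knows the credential.
ACCOUNTS = [
    {"name": "alice", "users": ["alice"], "enabled": True, "pw_changed": date(2024, 1, 5)},
    {"name": "bob", "users": ["bob"], "enabled": True, "pw_changed": date(2023, 11, 2)},
    {"name": "dbadmin", "users": ["bob", "carol"], "enabled": True, "pw_changed": date(2024, 2, 1)},
    {"name": "backup", "users": ["alice", "bob"], "enabled": True, "pw_changed": date(2024, 3, 2)},
    {"name": "tmpadm", "users": [], "enabled": True, "pw_changed": date(2024, 2, 20)},
    {"name": "olddev", "users": ["dave"], "enabled": False, "pw_changed": date(2022, 6, 1)},
]


def audit_accounts(roster, accounts):
    """Return sorted (account, finding) pairs for enabled accounts needing action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot be used to log in
        known = [u for u in acct["users"] if u in roster]
        if not known:
            # No user of record in the HR roster: nobody is accountable for it.
            findings.append((acct["name"], "UNAUTHORIZED"))
            continue
        departed = [roster[u] for u in known if roster[u] is not None]
        if not departed:
            continue
        if len(departed) == len(known):
            # Every person who holds this credential has been terminated.
            findings.append((acct["name"], "ENABLED_AFTER_TERMINATION"))
        elif acct["pw_changed"] <= max(departed):
            # Shared credential not rotated since the latest departure
            # (a same-day change is flagged too, to stay conservative).
            findings.append((acct["name"], "SHARED_PASSWORD_NOT_ROTATED"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_accounts(HR_ROSTER, ACCOUNTS):
        print(f"{name}: {finding}")
```

Running the same check on a schedule, rather than only at offboarding, also catches accounts created outside the provisioning process.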
For more information on strategies for combating insider sabotage, check out the paper Four Insider Sabotage Mitigation Patterns and an Initial Effectiveness Analysis.