Besides the sheer extent of the harm, the news coverage of the Sony Pictures hack has presented two very different points of view on the origin of the hack and the actors involved. The FBI has held the view that the cyber-attack was committed by the nation state of North Korea, which has led to sanctions being imposed against North Korea by the US government. Other security and forensics professionals have advanced the view that the incident was perpetrated by insiders, such as a disgruntled former employee.
The impact of an attack executed by a nation state can be devastating to any business. The likelihood is another matter: larger organizations such as Sony are more likely to be targeted than a typical small business. However, the likelihood of an attack by an inside actor is high for a business of any size, and the impact can be devastating as well. Almost any business, regardless of size or industry, will have exposure to the possibility of an insider attack as part of its threat and risk profile.
What motivates an employee to do harm to the organization? There are really only two general motivators: (1) to settle a score, or (2) financial gain. Stated differently, these are hacktivism and cybercrime respectively.
Employees can certainly be deceptive, and from the perspective of a career in management spanning over three decades and across multiple industries, I have witnessed crimes which have surprised me from individuals I would have never expected to commit a crime. For example, I can recall having a very nice young lady on the IT team about 10 years ago who handled laptop builds for new hires. Most of the hires were field sales reps, so machines were constantly being cycled in and out as staff turned over. The young lady was the nicest person one could ever meet; very considerate, polite, responsive, and even devoutly religious. She was proactive in every way, and we received numerous compliments from line managers who were impressed at her speed and timeliness in ensuring that new hires were set up and hit the street on day one. She was also a thief.
Admittedly, the organization’s asset tracking system was ad hoc and spreadsheet-based, and this incident led to funding to implement a decent asset tracking system. We discovered the threat when we were contacted by an individual requesting that we contact Dell and agree to transfer the balance of the warranty coverage to him, as he had just purchased a laptop off of eBay and, according to the service tag, the laptop was still under extended warranty coverage registered to us. The problem was that we had not sold the laptop! After contacting law enforcement and eBay, we determined that the seller had purchased the laptop from our helpful young lady, who represented that she was simply disposing of surplus IT equipment. The police actually searched the seller’s residence, and we recovered several laptops as we were able to prove ownership. The moral of this story is that insider threats can come from the people you would least expect. The statement former President Reagan made about Russia years ago still holds true in today’s business environment as well: “Trust but verify.”
Since every business has the insider threat as part of their risk profile, how does this threat affect the attack surface? Specifically, for a small business where many IT and security functions are outsourced, does outsourcing expand the attack surface? I think that it does and due care needs to be exercised to manage the risk. Let’s explore this theme for a bit.
Disgruntled or underpaid employees are likely to settle a score or steal from their employer or its customers. Team morale can often be low in the IT department as businesses move jobs overseas, cut back staffing to save costs, and still require increasing deliverables from the IT team. Support roles, while a great opportunity to launch technical careers, are often burnout jobs with 24×7 demands from multiple constituencies. Settling scores can range from mischief, such as wiping the hard drive of a laptop on the way out the door, to more serious damage, as may potentially be the case at Sony.
Perceptions of being underpaid are also a concern. Particularly in the challenging economic environment most regions have had to endure over the last several years, wage growth has been minimal, and this has fueled the continued drive to outsource IT labor offshore to locations with cheap labor. When employees perceive themselves as undercompensated, they are likely targets for cyber criminals seeking to gain access to an organization from the inside. Finding disgruntled employees is easy for a cyber criminal, as their resumes are out there online and easily obtained.
Can outsourcing help reduce the cost of IT as well as the risk of insider threats? Perhaps it can, although due care must be taken when vetting the supplier, as suppliers are often doing the very same things to their own staff, which leads to poor morale. Before selecting a service provider, and alongside contractual points such as SLAs and security, insist on vetting the supplier’s staffing profile.
Glassdoor (http://www.glassdoor.com) is a great place to start vetting the staff morale at a potential service provider. You may even discover previously unknown feedback on your own staff as well! Are the employees generally happy and motivated, and are the feedback postings generally positive? Of course, there will always be a negative posting, and that is to be expected, but it should be a big red flag if the preponderance of the postings are negative, particularly from job roles which could be servicing your account.
Will the vendor permit an onsite visit? Customer visits to the vendor’s SOC or NOC are often staged dog and pony shows, more sales than substance. Ask to meet and interview several of the team who will be servicing your account during the visit to gauge morale. Technical staff tend to be more open and transparent than sales and pre-sales staff, who consistently frame conversations in a positive light.
If a site visit is not practical, consider a backdoor approach. Any business can acquire an account on job search boards such as Indeed.com, Dice.com, CareerBuilder, etc. An investment of a few hundred dollars will expose resumes of employees at the proposed service supplier, and they can be contacted individually to further vet the supplier.
Inquire of the potential service provider about staff turnover metrics. Some turnover is to be expected in technical fields, although an annual turnover of greater than 25% should be a red flag and a potential indicator of staff dissatisfaction. Ask to see average turnover rates for the last three years, as a single year may not always be a reliable indicator. Look at trends. Is staff turnover steady, declining or increasing? If you already have a service provider and notice staff turnover and familiar people leaving, that too could be a sign of trouble and should trigger a review of the relationship.
Another area to review when vetting a potential service provider is the number of hours allocated each year per employee for training. Certifications, particularly in the technologies being supported, are important, although not the entire picture. Beyond the obvious service competencies, technical employees are always motivated by training and will at times accept lower salaries if the training opportunities are plentiful and allow them to expand their skills. A lack of serious investment in training should be a serious concern when vetting a potential service provider, as it is a risk factor for staff turnover.
If you cannot form a confident impression of the vendor’s staff, then select an alternate vendor. Cost of the service is not the sole driver, and the old adage “you get what you pay for” certainly applies in this situation. Beyond the potential for simply poor or mediocre service, a supplier with poor staff morale also becomes a security risk and exposes additional attack surface for the organization. Management must worry not only about their own employees committing cybercrimes, but also about the vendor’s employees.
Investments in staff morale, as well as proper vetting of vendor staff, pay dividends, as those investments can decrease both the impact and the likelihood of the insider threat. No risk can ever be completely eliminated, but motivated and loyal teams can reduce risks to acceptable levels.