Jan 31, 2023

Insider Risk: When Business Gets Personal

5

In an ideal world, there is a clear delineation of where personal and professional engagements take place: anything business related transpires on corporate devices on company time, while anything considered personal occurs elsewhere, away from the company clock and network.

When the COVID-19 pandemic hit the world in 2020, organizations were confronted with changing workforce requirements that forced the decision: adapt or collapse.

With the decision to adapt came the consideration of how employees should connect to the corporate mothership. Some decisions were well thought out, others hurried in the spirit of ‘getting things done’. The latter relied heavily on the trust quotient and, as one might expect, soon unintended and unforeseen consequences appeared downstream.

As the pandemic enters its third year, workplace adaption has evolved to maturation. It’s time to take a breath and level-set expectations on what is and is not acceptable activity originating from within the corporate network, or while connected to the corporate network.

Non-Malicious

Life is complicated, and it isn’t always practical to separate personal from professional activities – no matter how many rules we put in place. During the height of the pandemic, when organizations were experimenting with WFH practices (many for the first time), there was a marked increase in the use of personal devices attached to corporate networks.

An unintended (and undesired) byproduct of this was employer visibility into the personal lives of their employees via the corporate network instance and logs.

What is troubling is the level of anonymity many employees felt they had while conducting personal activities on the corporate network. DTEX’s i3 team has identified several such cases of non-malicious behavior, from employees visiting pornography sites to surfing the dark web for illegal drugs.

While such examples are not necessarily malicious in nature (that is, they don’t intentionally seek to cause harm), they do significantly up the security stakes. Afterall, if an individual believes they can conduct dubious activities on corporate networks unnoticed, chances are they would consider it possible to steal company data or IP. And while someone might not intend to cause organizational harm at one moment in time, intentions can – and do – change, especially in individuals who later find themselves feeling disgruntled or hard-done by.

Non-malicious insider types present two key lessons: the need to delineate personal from corporate to mitigate potential future risk, and the need to set clear expectations and policies that are communicated back to the business to prevent such activities occurring in the first place.

Malicious

The leak of the draft opinion in the Dobbs v. Jackson Women’s Health Organization case to media outlet POLITICO is a prime example of an employee misusing company access to disseminate court-sensitive data via personal means with willful intent.

The ensuing investigation came up empty, as the court’s infrastructure adjustments to support WFH arrangements failed to provide the security and visibility on employee-technology interaction and intent that was required to stand up in a court of law.

“Assuming, however, that the opinion was intentionally provided to POLITICO by a court employee, that individual was evidently able to act without being detected by any of the court’s IT systems,” the investigation report noted.

DTEX Chief Customer Success Officer Rajan Koo said the case is a glaring example of why employee access to company data must be restricted to corporate devices, and how segregation between the two can enable early detection.

“This is an unfortunate example of what can happen when organizations don’t take a proactive approach to insider risk. The ability to recreate events in a court of law weighs on an entity’s ability to provide a holistic audit trail just as much as their ability to segregate company data from personal data.”

Another example involved an employee who used their employer’s infrastructure plus multiple personal webmail accounts to spread extremist material. The employee was quietly supporting a terrorist organization and actively distributing Jihadi propaganda and training material.

The misuse of corporate resources necessitated an investigation which showed the expanse of the employee’s actions, including attempts to clean up after themselves to avoid being detected by the corporate IT team.

Could a prohibition on connecting to outside apps from the corporate instance prevent the employee’s activities? Probably not. What it would have accomplished, however, is to highlight more readily the activities originating from within the corporation as, in this instance, the melding of personal internet activities and corporate internet activities comingled.

Mistaken

In 1711, Alexander Pope wrote “To err is human, to forgive divine.” This sentiment makes sense, as one’s intent in addressing human error is to turn the error into a teachable moment to avoid future repeats of the same error.

Who hasn’t been on the receiving end of a misaddressed email containing sensitive information? Not because the sender wanted to let you in on their corporate secret, but because the autofill on the email client auto-chose the wrong name and the sender missed it.

Common mistakes arise when employees step outside corporate IT and use personal accounts, apps or devices to conduct business activity.

Often file-sharing tools are implemented that are not only easy to use but place the company’s information in unvetted third-party storage or lack security basics such as multifactor authentication.

By and large the world has evolved to the cloud, and third-party cloud environments require configuration to keep information safe and secure. System admins might take a page from carpenters who measure twice and cut once when configuring services. Check and double-check prior to going live.

Outsmarted

Password reuse is another reason to avoid personal accounts in the corporate world. DTEX i3 team has investigated several security incidents originating from breached personal passwords that were linked to corporate accounts.

The Florida Water Treatment Plant Hack is a good example of employees being outsmarted, and highlights the importance of password hygiene. Had more stringent password policies been implemented alongside 2FA, the attacker may have struggled to leverage TeamViewer to remotely access the plant in the first place.

Fostering a Culture of Trust

Lack of trust breeds mistrust and can have devastating impacts – on employee and business performance. Establishing clear policies on what is acceptable and not acceptable on corporate versus personal devices and networks is prudent in reducing risk. But communicating those policies back to the organization – as well as what the organization is NOT doing – is equally important, especially for cultivating a culture of trust and transparency.

No one has the time, nor does any entity have the necessary trust equity, to put in place intrusive and omnipresent technical monitoring and surveillance. Ensuring employees are in the know about lack of surveillance monitoring is a sure way of earning their trust and respect. That said, every entity should have a plan to bring those tools to bear when there is probable cause.

Subscribe today to stay informed and get regular updates from DTEX Systems