If an essential leader in your organisation supervised a project that delivered a completely unusable new service, would you assume that leader was incompetent? Or malicious? Both? What if I told you the project was a simple and straightforward replacement of existing kit? Something so easy to manage that an untrained teenager could handle the job? How would that affect your assessment?
Security Human Risk specialists often quote Hanlon’s Razor at times like this: "Never attribute to malice that which is adequately explained by stupidity." While one would assume that our incessant worry about insider threats would make us suspect wilful perfidy in every case, experience teaches that true maliciousness – real “stick it to the man” energy – is rare. Most human-caused problems can be attributed to ignorance, poor training, miscommunication, or some other less malign cause. The answer isn’t always sabotage.
Sometimes, though, malice is the correct answer. As an example, let’s consider Natalie’s handling of the Great Coffee Crisis of 1Q23.
For context, Natalie – not her real name – is the Facilities lead for a large industrial site in Texas. Natalie has been with her company for a good long while; long enough to know her job and understand her office culture. From what I’ve been told, Natalie unambiguously hates her job, hates her site, and hates everyone she works with. No one I’ve asked can explain why Natalie is disgruntled; she’s a prickly sort that no one wants to deal with.
Sometime around New Years, her site’s break room coffee machine stopped working. Not surprising; when hundreds of employees depend on one brewer to get them through their daily grind, it’s going to wear out quickly. Many commercial coffee vendors build this into their service: they visit their clients regularly to clean, tune up, and assess their equipment. When a machine looks like it’s about to fail, they pre-emptively replace it so there’s no interruption in caffeination.
For … reasons? … Natalie’s contract with her external vendor didn’t include such service. To me, that seems like an inexcusable oversight. Anyway, their brewer broke down and there were no backups. The entire site relied on one brewer … Again, an inexcusable oversight; go-fluid redundancy is mandatory at a site working 24/7.
Per her remit, Natalie was responsible for sorting the crisis. She contacted her vendor and arranged to get a new machine delivered (an upgrade, not just a like-for-like replacement). Either Natalie chose or the vendor talked her into buying one of the fancy-schmancy devices that makes a dozen different types of coffee drinks: cappuccinos, lattes, shots, even … *urk* … decaf. Natalie didn’t reveal her intent; she just set up the installation.
What Natalie didn’t do was check the breakroom to ensure the new equipment would fit. Natalie didn’t clear any space for the vendor to work in. According to witnesses, Natalie didn’t do anything, which is her usual approach to work. Sure enough, when the commercial coffee vendor arrived the next workday with their new giant silver box [1] the installer couldn’t find any space on the breakroom counters where the new brewer would fit.
I imagine that there must have been some sort of conversation between the installer and Natalie about making things right: “Should we delay until you can clear a space?” “No! Do it today.” “But it doesn’t fit!” “I don’t care; just put it anywhere.” No one knows what really happened; all they do know is that the installer plumbed and wired in the new brewer in the middle of the room … atop a 30cm tall accent table, like a small shrine to the patron saint of futility.
When the first employees went to the breakroom to get their much-needed cuppa joe, they were horrified to find that the only way to use the new brewer was to either squat painfully before it like a penitent or else sit on the dirty floor for the entire brew cycle. To say the workers were “displeased” doesn’t do the undercaffeinated workers’ rage justice.
One account claimed that a delegation of angry workers went to Natalie’s office and demanded to know when the machine would be properly installed. The Facilities Queen responded (they claimed) that “if it brewed coffee, then it’s working properly” and acidly declared there would be no effort invested in putting the brewer on a counter where it belonged, morale be damned.
To add insult to injury, the awesome new brewer makes horrid coffee, no matter which varietal is chosen. They’re all awful. Accordingly, no one in the facility has ever used it more than once. That factor alone constitutes adequate cause for the construction of a guillotine in my opinion.
To return to my opening question: if an essential leader in your organisation – like Natalie, the Facilities tyrant – supervised a project that delivered a completely unusable new coffee brewer, would you assume that Natalie was incompetent? Or malicious? Both?
For my money – and please remember that I’m getting all this second-hand – a villain like Natalie qualifies as a malicious insider threat. For me, the key “tell” in the story is that once the installation was botched and reported, Natalie declined to do anything to fix it. At that moment, the possibility of ignorance being the culprit went right out the window. Natalie’s was an act of wilful spite, full stop. One that’s sure to cause follow-on negative consequences, like unprofessional behaviour, tardiness, and preventable accidents. Possibly even a fistfight or two.
This story shouldn’t be treated as an isolated incident. Disgruntled employees like Natalie are found everywhere. They’re also neither subtle nor cunning; everyone who works with them knows what they’re about. If you have a “Natalie” in your organisation, know that they’re doing to your workers’ morale what a dysentery outbreak does to the office lavatories.
What’s fascinating about this example, I find, is that most security professionals don’t consider a monster like Natalie to be a true insider threat! That’s because she’s not interested in stealing money, classified information, and/or equipment from the company. Instead, a Natalie is classically disgruntled and, if unchecked, will make everyone else’s life at the office miserable. She doesn’t need to steal anything, but she is wilfully harming the business. So why doesn’t she count?
My hypothesis is that most insider threat programmes are too narrowly focused on technology and don’t factor simple behaviour as something that requires intervention. If a Natalie says something bigoted over email, IT or Security can act on it as a violation of the organisation’s Acceptable Use Policy. If Natalie says the exact same bigoted thing to someone in person in the breakroom, that’s HR’s problem; IT and Security won’t get involved.
That’s a mistake. I personally believe that the remit of an insider threat programme should cover the entire range of human behaviour, not just things that require a computer. That’s a tall order, I know, but … consider just how badly productivity would plummet in your office if Natalie fouled up your only coffee machine. Rancid behaviour away from the keyboard is still rancid behaviour, and needs to be sorted sooner rather than later.
First, though, I need a refill. All this talk of “no coffee” is making me twitchy.
[1] The way the tale was told, it sounded like a “Revolution Touch” automatic espresso machine or something similar.
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543