I recently presented at the 2nd Annual ISACA Cybersecurity Conference in Houston, TX, held by the Information Systems Audit and Control Association (ISACA), a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance. Other presenters revealed some new, interesting ways to protect organizations from security threats, and as always, conversations with other attendees proved enlightening. This year, they gave me some insight into the reasons why people don’t have more effective security systems.
I was shocked to learn that many organizations aren't using an Identity Management (IdM) solution to secure their data. The reason why? It’s often perceived as too difficult and expensive to implement; before speaking to me, they didn't know that an IdM system can be scaled to fit individual needs (and budgets). I was also surprised by the number of attendees who didn't realize that there is a local IdM solutions provider located in Houston.
Of particular note was the volume of questions generated by my presentation, “Your Biggest Security Threat? Rogue Employees.” Although the term “rogue employee” is new, the idea of employees doing damage to an organization is not. Despite this, I was floored by the number of people who weren't prepared for the threat of a rogue employee.
We identify three types of rogue employees: the Innovative, the Bad, and the Lazy. Of these, the Innovative employee is probably last on your list of suspects because they are generally exceptional employees. Despite having a dose of rebelliousness, these employees are some of the best people in your organization because of their ability to work independently and think outside the box. While these traits are ideal when problem solving, the Innovative employee’s drive for efficiency means that they may not obey certain security protocols if they feel that the protocols are too burdensome and prevent them from moving quickly. In addition, Innovative employees will be curious about how new technology can help them do their job better, so they may attempt to “try out” new programs that bend company rules and may even put your organization at risk.
Bad employees are what we typically think about when we think of a rogue employee: someone out to steal information or otherwise damage your company for personal gain. Bad employees can come in the form of hackers, data thieves, or even corporate spies, but they aren't generally the type of people you need to look out for. The typical Bad employee is not as cool as a corporate spy or a hacker; usually, they are just a disgruntled person with a grudge against the company. Bad employees almost always have access to high-level information (intentionally granted or not) and are usually people who have been recently reprimanded or are on the verge of being terminated. Employees who quit dramatically or were recently terminated are also prime candidates to become Bad employees. No matter what their reasoning, Bad employees are defined by their malicious intent.
The most dangerous rogue employee is the Lazy one. They are by far the most prevalent in any organization, and they typically fly under the radar. Lazy employees don't follow security protocols and may not even know they exist. Lazy employees write their usernames and passwords down and leave them in an open area. Lazy employees may leave sensitive programs open or even accidentally leak information to others.
An IdM solution is the best defense against rogue employees because it restricts access to certain data and applications on an individual basis, meaning that a rogue employee can only do a limited amount of damage. An IdM solution should also monitor accounts automatically, so you’ll know if an employee accesses a program or data in an inappropriate manner. An IdM solution can even proactively disable an account that accesses files or applications in a manner not consistent with security policies. Due to this automated monitoring, an IdM solution frees up IT staff to concentrate on more important areas of your business, making your organization run more efficiently.
As I said before, the term “rogue employee” is relatively new, and many organizations aren't prepared for (or even aware of) the serious threat they pose. This article (and my presentation) is intended to be an overview of the rogue employee.
For an in-depth explanation of rogue employees and ways an IdM solution can safeguard your organization, download our free ebook The 3 Types of Rogue Employees — and How to Stop Them.