I don’t normally take security advice from goats, but I think I need to make an exception for Red Goats. A recent report on insider threats from Red Goat Cyber Security made for fascinating and actionable reading.
The report is based on a study of 1100+ professionals in multiple companies, industries and countries and focuses on when and how employees would (or would not) report suspicious insider activity.
Unsurprisingly, respondents were much more likely to rat out new employees and contractors than anyone else. Also unsurprising: reporting of suspicious activity by senior personnel was negligible. One surprising tidbit was that employees are more likely to report suspicions about co-workers they consider friends.
Employees also expressed frustration that their companies provide little guidance or training on what kinds of behavior should be reported, or where to report it. Most employees felt more comfortable reporting potential issues to Human Resources rather than to Security. I guess we’re a bit scary.
My takeaways from this were:
1. We need to be more specific than “if your colleague is acting suspiciously, report it.” We need to describe what kinds of behavior are suspicious.
2. We need to give employees clear instructions as to how and where to report suspicious activities. If HR is going to be the gatekeeper, they need to understand how to deal with and escalate reports quickly and confidentially.
3. Since employees tend not to report suspicious behavior, technical and procedural controls that detect and flag such behavior, rather than relying on colleagues to speak up, are essential.
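To make the third takeaway concrete, here is a small detector run over a handful of constructed audit-log lines. This is an added illustration for this post, not code from the Red Goat report or from any product. It assumes a hypothetical log format (JSON lines with `user`, `ts`, `action`, `resource`, `bytes`), a hypothetical HR feed of users who have given notice (`DEPARTING_USERS`), and that sensitive data lives under known path prefixes. It flags three classic insider indicators: a user's daily download volume jumping well above their own baseline, off-hours access to sensitive shares, and downloads by someone who is on their way out the door.

```python
"""Toy insider-activity detector over constructed audit-log lines.

Added example for this post; not code from the Red Goat report.
Assumptions (hypothetical): JSON-lines audit log with user, ts (ISO 8601),
action, resource, bytes; an HR-supplied set of departing users; sensitive
resources identified by path prefix.
"""
import json
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

# Constructed sample log lines (not real data).
SAMPLE_LOG = """
{"user": "alice", "ts": "2024-03-04T10:15:00", "action": "download", "resource": "/shares/finance/q1.xlsx", "bytes": 200000}
{"user": "alice", "ts": "2024-03-05T11:02:00", "action": "download", "resource": "/shares/finance/q1.xlsx", "bytes": 210000}
{"user": "alice", "ts": "2024-03-06T09:40:00", "action": "download", "resource": "/shares/finance/budget.xlsx", "bytes": 190000}
{"user": "alice", "ts": "2024-03-07T23:30:00", "action": "download", "resource": "/shares/finance/all_customers.zip", "bytes": 9000000}
{"user": "bob", "ts": "2024-03-04T14:00:00", "action": "download", "resource": "/shares/eng/design.pdf", "bytes": 500000}
{"user": "bob", "ts": "2024-03-08T15:10:00", "action": "download", "resource": "/shares/eng/design.pdf", "bytes": 500000}
{"user": "carol", "ts": "2024-03-08T02:05:00", "action": "download", "resource": "/shares/hr/salaries.csv", "bytes": 80000}
"""

SENSITIVE_PREFIXES = ("/shares/finance/", "/shares/hr/")  # assumption: where sensitive data lives
DEPARTING_USERS = {"bob"}       # hypothetical HR feed: notice given, access not yet revoked
BUSINESS_HOURS = (time(7, 0), time(19, 0))
VOLUME_RATIO = 5.0              # flag a day whose volume exceeds 5x the user's own baseline
MIN_BASELINE_DAYS = 2           # need at least this many prior days before judging a spike


def parse_log(text):
    """Parse JSON-lines audit records, converting timestamps to datetime."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def is_sensitive(resource):
    return resource.startswith(SENSITIVE_PREFIXES)


def off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def detect(events):
    """Return a list of (indicator, user, when) tuples worth a human look."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes downloaded

    for e in events:
        when = e["ts"].isoformat()
        if e["action"] == "download":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
        # Sensitive data touched outside business hours.
        if is_sensitive(e["resource"]) and off_hours(e["ts"]):
            alerts.append(("off_hours_sensitive", e["user"], when))
        # Any download by someone HR says is leaving.
        if e["user"] in DEPARTING_USERS and e["action"] == "download":
            alerts.append(("departing_user_download", e["user"], when))

    # Per-user volume baseline: compare each day against the mean of earlier days.
    for user, days in daily.items():
        for day in sorted(days):
            prior = [d for d in days if d < day]
            if len(prior) < MIN_BASELINE_DAYS:
                continue
            baseline = mean(days[d] for d in prior)
            if days[day] > VOLUME_RATIO * baseline:
                alerts.append(("volume_spike", user, day.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each rule alone is noisy; the point is that the combination (a finance user pulling 45x her normal volume at 23:30) is the sort of thing a colleague would never report but a log pipeline can surface in minutes. The thresholds and the HR feed are stand-ins for whatever your environment actually supports.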
Don’t take my word for it though – this report is interesting reading and worth sharing with your HR department. Insiders are among the most dangerous threat actors because they already have access and persistence – but they are also the most likely to be overlooked. So, listen to the goat…