The Carebear Stare and The Reading Rainbow Using childhood philosophies against adult threats, minimizing and eliminating insider threats through loyalty and education

Types of Insider Threats Infiltrators- Those who sought employment in the company for the purpose of exploiting Disgruntled Employees- Those who feel wronged by their company and will exploit their position for revenge, gain or both. Financially Strained Employees- Employees suffering from crushing financial responsibilities, possibly from medical bills, gambling debts, coke habits, loan sharks, world of warcraft, an amazon prime account, etc. A Delphi study in The Journal of the Naval Postgraduate School Center for Homeland Defense and Security suggests Infiltrators, not career employees, are the more likely threat. This is an interesting point as researchers initially expected the opposite, that career employees were the major threat. Citation 2

Sources of Insider Threats Motivations for insider threats according to a CERT report published in 2012 Financial gain was a motive in 81% of cases, Revenge in 23% of cases Financial difficulties 27% cases Here we can see where our career employees do come into play, finances can account for infiltrators or employees. Revenge, however indicates a personal motivation, unlikely in an infiltrator. Unless your company specializes in giving cancer to babies, in which case pretty much everyone hates you. Citation 1

What can we learn from this? Your employees are not the enemy Your “insider threat” is more likely an outsider pretending to be one of you If one of your employees does become the enemy, it may be your fault Your employees are your greatest asset in every sense, for profits, productivity and security. Bringing your workforce on board your security team gives you security at every level of the company and more information than any monitoring software could ever hope to achieve. By showing and earning trust you can add loyalty to your defenses, a trait which, when strong enough, can overcome greed, theft, and slights real or imagined.

Building Trust and Goodwill Educate Employees Let them know they aren’t an enemy Teach them to identify potential threats Teach them secure practices Teach them how this benefits them personally Open Door in IT Do not be condescending to “users” Encourage IT to be viewed as a friendly resource Actually listen Cut Invasive Measures Weigh all security measures against invasiveness Be discrete with policies deemed necessary Morale and HR Build solid lines of communication with HR and Management Take an active interest in morale building

Employee Education Let them know they aren’t an enemy Be open with your employees that you don’t consider them an enemy. Let them know you’re on a team fighting against outside threats and infiltrators. Teach them to identify potential threats Educate employees on how to identify infiltrators, or just something that feels off. Encourage them to voice concerns without fear of being blown off or “getting someone in trouble”. Teach them secure practices Obvious yes, and you likely already have this in place to some extent. Consider though if your training needs an overhaul, or if some of your current security measures could be cut in favor of more extensive training. Teach them how this benefits them personally When you educate on secure passwords, cover the whys and draw real world examples of how they can use this knowledge in their personal life, say for keeping their bank account secure for example. Engaging employees on a personal level will result in better knowledge retention and inspires goodwill.

Open Door in IT Do not be condescending to “users” It’s hard, sometimes people ask terrible questions or throw fits over things of insignificant proportions, but they are still people and they are still part of your team. Learn to appreciate the skills they bring to the company and try to share knowledge rather than belittle. Encourage IT to be viewed as a friendly resource Make the IT department open door, encourage employees to voice concerns. IT is in a unique position to listen, they aren’t management or HR, there is not stigma of “tattling”, and they can make the best of information received, through discrete monitoring and threat assessment. Actually listen Once you have employees willing to talk, actually listen or they’ll never bother talking to you again.

Cut Invasive Measures Weigh all security measures against invasiveness Start with all the policies you have in place, weigh their success against perceived invasiveness, get feedback on what employees dislike most. Be vocal when you retire a known policy, share with employees your desire to trust them. Explain you would rather spend the budget on raises and bonuses than any superfluous security measures and encourage their aid in making that happen. When a new security measure is considered, always take impact on employees into consideration and if necessary explain why an new measure is being adopted. Be discrete with policies deemed necessary Keep little known policies little known, don’t try to scare employees by reminding them you can read their s or that you track server usage. Fear will not inspire trust and is an insufficient deterrent to the angry or desperate.

Morale and HR Build solid lines of communication with HR and Management When a concern does arise over a possibly disgruntled or struggling employee, IT should hear that concern immediately. This doesn’t require sharing sensitive or private information about an employee. A simple request to increase monitoring or a number code to indicate level of concern is sufficient. Take an active interest in morale building IT departments should keep a close eye on the company’s general morale, and make efforts to keep security a continuous topic on everyone’s mind. Hold a security contest. Call employees and try to social sensitive information, recruit your security team to attempt to follow employees in through key card access doors. Publicly reward those who handle it successfully, provide one on one training for failures, not disciplinary action. Handled properly, regular contests can be entertaining and will sharpen skills while keeping security threats on everyone’s mind but not in an oppressive way.

The Organizational Golden Rule In the end this all comes down to the golden rule, the more loyalty you build and the better you educate the better your chances of eliminating threats that stem from ill will or ignorance. Harming you becomes difficult for me because the two of us are part of We. Cultivating the We mindset benefits employees and the company from a financial and security standpoint

Why Carebears And Reading Rainbow?

Carebear Stare & Reading Rainbow Carebears specialize in defeating their enemies by making them allies with the Carebear Stare, in other words love and friendship. Reading Rainbow seeks to make education entertaining and accessible to the general public. It got your attention… or you realized this time slot is empty in track one. So hey, no competition.

Citations 1.SEI- Cummings, Adam; Lewellen, Todd; McIntire, David; Moore, Andrew; & Trzeciak, Randall. Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector (CMU/SEI-2012-SR-004). Software Engineering Institute, Carnegie Mellon University, view.cfm?AssetID= view.cfm?AssetID= Homeland Security Affairs- The Journal of the Naval PostGraduate School Center for Homeland Defense and Security — Volume VI No. 2: May 2010 — No Dark Corners: A Different Answer to Insider Threats - Nick Catrantzos— Volume VI No. 2: May 2010 —No Dark Corners: A Different Answer to Insider Threats - Nick Catrantzos