The insider threat is in the news again. On 8 December it was reported that ex-Apple employee, Paul Devine, had been sentenced to jail and a fine following a guilty plea on counts of wire fraud and money laundering .
From the news reporting, this trusted insider was involved in providing Apple suppliers with confidential information about forthcoming products, which in turn allowed them to establish more favourable deals with Apple.
Apple filed its own civil suit against the insider, charging him with accepting more than $1 million in bribes from at least six supplier companies (as reported by C|Net).
Insider threat and crime
This situation highlights what is likely to happen when an insider breaks the company policies as well as the law.
Paul was charged with very serious crimes – wire fraud, conspiracy and money laundering – which meant he faced 20 years in prison if found guilty. As a result of this, law enforcement investigative resources were involved and he had a very strong incentive to plead guilty for a lesser charge.
However, it is unlikely that even if Apple gets all $4.5 million of the fine, it will cover the business lost over the 5 years he was providing insider information to suppliers and the costs of the subsequent legal actions.
Insider security breaches can be significantly harmful, even for the most technologically advanced company.
Insider threats and your business
The unfortunate reality is that most insider security breaches are not this high profile, are not this clearly a crime but significantly more harmful to the company involved.
Your trusted workers are the vital lifeblood for your business, they have to know secrets you want to keep from your competitors (or suppliers, or even customers) and this is why the insider threat is so harmful.
When it comes to risk assessments ask yourself how well you would cope if your key employees were cutting deals to get kickbacks from suppliers, customers or even competitors.
Can you cope with this happening?
Would you be able to detect it?
What could you do about it?
Combating the insider threat
There are no simple answers and any action you take to minimise the insider threat has to be driven by your own organisational risk assessments and prevailing circumstances. Your controls should evolve as your business changes and if you are ever in any doubt, specialist advice is available from Halkyn Consulting.
However, in very general terms, there are three things you need to consider in minimising the insider risk:
- Pre-employment / Background Screening. Before you hire a new employee you should carry out some checks. As a bare minimum in the UK, you need to verify they have a right to work, but over and above this you should be checking that their application or CV is true and they are who they say they are. For sensitive posts you can consider additional checks into financial probity or criminal records, but this has to be proportionate for the role.
- Employee Aftercare. Once you hire someone it is important that your organisation keeps your employees feeling welcome and part of the overall team. Your managers should be alert to the indicators of disaffected or dishonest employees and co-workers should feel able to discuss concerns. Remember, it is in every employees interest that you stay in business.
- Monitoring. Employees with access to sensitive or business critical information should be monitored and made aware of this monitoring. As part of your overall security environment, you should consider having audit controls in place to alert you to suspicious events (such as suppliers suddenly taking a hard line, or emails from an employee to a competitor) and a way to track behaviours back to the correct insider.
Of course, none of this guarantees you will be safe from insider breaches, but they do mean you can minimise the risk and maximise your ability to detect and recover from them.
Remember, your employees are your lifeblood but it only takes the poison of one bad insider to kill off your business. Make sure your trust is well placed and remain alert to problems.