6 September 2019

Adversaries Are Eyeing Your IT Staff. Why Aren't You?

Scott Stewart

Information technology (IT) personnel often have access to communications, applications and data storage that contains a company's most valuable proprietary information and trade secrets. As a result, espionage actors often consider disgruntled and underpaid IT employees as prime targets for human intelligence recruitment. To mitigate this risk, companies should take measures to ensure their IT staffers are happy, well-respected and fairly compensated for their work. Because of their access to highly coveted data, they should also be subjected to the same security protocols as the rest of the staff.

Since the advent of encrypted electronic communications, those who operate these communication systems at intelligence, military and foreign affairs agencies have naturally been a prime target of espionage operations. These communicators, or what the U.S. State Department calls "information management specialists," often have access to some of the most sought-after information, such as encryption keys, that would be catastrophic in the wrong hands. Despite this, they've historically been treated as second-class citizens next to their affluent, Ivy League-educated colleagues who conduct the actual diplomacy or intelligence operations.

But while they may be overlooked by their own organization, they've long been placed in the crosshairs of hostile intelligence services. This dangerous paradox, in which some of the most underpaid, overworked employees are the ones with the most power to implode an organization, continues to play out in today's business world. But instead of information specialists, they're called information technology (IT) specialists.

The Big Picture

Corporate espionage remains a serious and persistent threat from a wide array of state and private actors. Many, if not most, companies provide training on cyberthreats such as phishing. But very few provide any training to help their employees understand and spot human intelligence recruitment attempts.

The Dangers of Dismissing the IT Employee

Like communicators and code clerks, IT employees hold the key to the information that bad actors want. But also like their diplomatic and intelligence counterparts, they're often undervalued compared to those who design, make or sell the company's core product or service. As a result, IT personnel can be among a company's lowest-paid staff, and their hard work may not be recognized as readily as that of their colleagues in more visible parts of the company.

Many companies also relegate IT personnel to remote areas of the office, or even to other office buildings entirely. Thus, they're often isolated physically, socially and culturally from much of the rest of the company's staff, which can naturally lead to anger, resentment and poor morale. This situation leaves them vulnerable to a variety of human intelligence approaches and bribery tactics, especially those that pander to desires for money, friendship, sex or an ego boost.

But these underpaid or underappreciated employees also happen to be the ones with access to the communications, applications and data storage that contain a company's most valuable proprietary information and trade secrets. Thus, an IT person who breaks bad can cause considerable damage to the company he is working for. Whoever recruits one of your IT staff can quickly own your company's entire IT system, especially if it's a sophisticated actor that can supply the insider with high-end malware or with instructions on how to keep their activities from being detected.

In a recent survey of nearly 500 IT security professionals conducted by the cybersecurity firm Gurucul, a whopping 24 percent of respondents said they would steal information from their current company to help them apply for a job with a competitor. Bear in mind that these were not just rank-and-file helpdesk staffers, but cybersecurity personnel. And while this number may be striking, it's not really surprising when you consider the work conditions they're often placed in. Indeed, it's not difficult to see how such poor morale could translate into these people being recruited by a competitor or a malicious state actor for a few thousand dollars in cold hard cash or an attractive honeytrap.

Not all IT staff who betray a company have to be recruited, however. Some willingly volunteer or sell their information to an actor who might be interested. Edward Snowden is perhaps the most notorious example of an IT employee who leaked information of his own accord. In doing so, he not only hurt the companies he worked for (Dell and Booz Allen), but he also caused significant damage to the client those companies had assigned him to work with: the National Security Agency.

Credit Where Credit's Due

But desperate times often call for desperate measures — meaning the more mistreated your IT staff is, the more likely they are to do something drastic, like going out of their way to offer a competitor access or information in exchange for the money you're not paying them. Thus, perhaps the most important way to mitigate this threat is through a change in corporate culture that makes IT workers feel as important as they actually are. Companies that foster an environment in which the contributions of all their staff are recognized and appreciated are better able to build loyalty to the company than those that do not. At a minimum, IT personnel should be provided with the same or similar raise and bonus opportunities that other employees receive. And likewise, they should have their efforts recognized when they go above and beyond the call of duty.

Treat concerns from IT seriously, too. Employees are the eyes and ears of a company's security program, and IT employees in particular will have a much better idea of the network vulnerabilities your company faces. When they raise concerns, address them. Ignoring them not only disheartens employees, but also plants the seed for revenge later on. Indeed, there have been several cases in which IT personnel attacked a company using a vulnerability they had flagged, only to have the warning dismissed. It can also be easy to acknowledge IT staff only when something's not working properly. Make sure you also call out the times that things are working properly thanks to their hard work, so that the attention they receive isn't only negative.

Whenever possible, I would also strongly advise against employing temp or contract IT help. By doing so, you're giving someone who's even less likely to feel loyalty to your company access to your most valuable information. But if you do need to bring in outsiders with IT skills for a short-term project, make sure their access is limited to the information the project actually requires, that it ends when the project does, and that what they do with that information is closely monitored in the meantime.

Regardless of whether they're contract or in-house, however, properly vetting IT staff is essential. And vetting must extend beyond just running a background check before hiring someone. An employee's behavior can change drastically during their tenure due to factors such as mental illness, debt, traumatic life experiences or drug addiction. Because of this, vetting must not be viewed as a "one-and-done" security step, but as an ongoing process.

Watching the Watcher

But treating IT staff like the rest of the team also means subjecting them to the same security measures that they themselves often implement. Capable tools exist for monitoring employees' activity on the network. But ironically, while the IT staff usually deploy these tools, they themselves are often exempt from them. The same goes for technical controls such as disabling USB ports that can be used to copy data off the network.

Identifying critical information and then enacting strict "need to know" policies regarding that information is also a good measure to take. In the same way that companies ensure employees can access only the sensitive information required for their jobs, the same limits can and should be placed on IT personnel. What this all boils down to, really, is the question of "who's watching the watcher." In other words, does every member of the IT staff really need access to all the keys to the kingdom?
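The three controls just described (limiting a contractor's access to the project and its duration, monitoring IT staff with the same tools they run on everyone else, and reviewing need-to-know scope for each administrator) are easier to reason about when they are written down as a review over the privileged-activity log. The following is an added example of such a review, not code from the original article or its author. The roles, data scope names, staff records, log lines and the bulk-export and business-hours thresholds are all constructed assumptions for illustration:

```python
"""Added example (not from the original article or its author): a small
"watching the watcher" review that applies need-to-know limits and activity
monitoring to the IT/admin accounts themselves. Every policy table, staff
record and log line below is constructed for illustration; the scope names,
roles and thresholds are assumptions, not any real company's policy."""
from collections import defaultdict
from datetime import datetime

# Constructed need-to-know policy: the data scopes each IT role may touch.
NEED_TO_KNOW = {
    "helpdesk": {"tickets", "directory"},
    "sysadmin": {"tickets", "directory", "backups"},
    "dba": {"directory", "backups", "crm-db"},
}

# Constructed staff records. Contractors carry an engagement end date so that
# access after the project ends is caught (the short-term-help case above).
STAFF = {
    "alice": {"role": "sysadmin", "contract_ends": None},
    "bob": {"role": "helpdesk", "contract_ends": None},
    "carl": {"role": "dba", "contract_ends": datetime(2019, 8, 31)},
}

# Constructed audit log of privileged actions: "timestamp user action scope bytes".
AUDIT_LOG = """\
2019-09-02T09:12:00 alice read tickets 1200
2019-09-02T09:40:00 bob read directory 800
2019-09-02T22:15:00 bob export crm-db 52000000
2019-09-03T10:05:00 carl read crm-db 4000
2019-09-03T10:06:00 alice export backups 80000000
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, scope, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "scope": scope,
            "bytes": int(nbytes),
        })
    return events


def review_privileged_activity(events, staff=STAFF, policy=NEED_TO_KNOW,
                               bulk_threshold=10_000_000, business_hours=(8, 19)):
    """Return (user, finding, scope) tuples a reviewer should look at.

    Admin accounts get no exemption: each event is checked against the role's
    need-to-know scope, the contractor's engagement window, a bulk-export size
    threshold and business hours. The thresholds are illustrative assumptions.
    """
    findings = []
    for e in events:
        rec = staff.get(e["user"])
        if rec is None:
            findings.append((e["user"], "unknown-account", e["scope"]))
            continue
        if rec["contract_ends"] is not None and e["ts"] > rec["contract_ends"]:
            findings.append((e["user"], "access-after-contract-end", e["scope"]))
        if e["scope"] not in policy.get(rec["role"], set()):
            findings.append((e["user"], "outside-need-to-know", e["scope"]))
        if e["action"] == "export" and e["bytes"] >= bulk_threshold:
            findings.append((e["user"], "bulk-export", e["scope"]))
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            findings.append((e["user"], "off-hours", e["scope"]))
    return findings


def unused_entitlements(events, staff=STAFF, policy=NEED_TO_KNOW):
    """Answer "does every IT member need all the keys?": scopes a role grants
    that the account never used in the reviewed period are revocation candidates."""
    used = defaultdict(set)
    for e in events:
        used[e["user"]].add(e["scope"])
    return {user: policy.get(rec["role"], set()) - used[user]
            for user, rec in staff.items()}


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for user, finding, scope in review_privileged_activity(events):
        print(f"{user:6} {finding:26} {scope}")
    for user, scopes in unused_entitlements(events).items():
        print(f"{user:6} unused entitlements: {sorted(scopes)}")
```

Run against the constructed log, the review flags the helpdesk account's off-hours bulk export of a database outside its scope, the contractor still reading data after the engagement ended, and the sysadmin's large backup export (in scope, but worth a second look). The unused-entitlement list is the concrete form of the "keys to the kingdom" question: scopes a role grants but the account never touched are the first candidates for removal.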

Last, but certainly not least, is the importance of education. Most companies today provide all their employees training on phishing, but very few provide training on how the human intelligence recruitment process works. Everyone at your organization, including IT staff, should be aware of the signs that someone is attempting to recruit them, and who to report such activity to. This not only helps employees protect themselves but can also help them spot when a co-worker is being targeted by such approaches, like the recent grad at the helpdesk who's suddenly driving a Porsche.

Right now, corporate leadership often conflates the role of maintaining IT systems with that of other "maintenance" positions, like electricians and plumbers. But these "electronic janitors" aren't handling your trash; they're handling the information underpinning the business's everyday operations, and even your company's ability to compete in the market. They should be treated accordingly. Put simply, if you value your company's data, you should value, limit and monitor the people who hold the key to it.