Companies must rebuild employee-employer loyalty to curb insider threats
The modern workplace is, to put it mildly, unsettled. The employee/employer relationship has been fractured in the wake of a chain of events that includes the COVID-19 shutdowns, the increase in remote work, the Great Resignation and the recent rash of layoffs combined with a labor market that nevertheless remains stubbornly tight.
A disconnect between employers and employees has emerged concerning work-life balance and the familiar-but-vague concept known as "organizational commitment," driven in part by social media-fueled myths such as "quiet quitting." A key concern for employers is that, according to workplace theory and several case studies, a lower level of "organizational commitment" among employees leads to an increase in the likelihood of insider threats. Whether they are leaving companies or staying on the job, employees who aren’t committed to their organizations are more likely to steal critical information.
MITRE’s Insider Threat Research & Solutions group, noting that little actual research had been done on this issue, reviewed and analyzed the relationship between organizational commitment and insider threats. They concluded that the idea of organizational commitment doesn’t sufficiently cover the employee/employer relationship. Instead, MITRE has proposed a new concept -- Bi-Directional Loyalty -- that, it says, better addresses the relationship and its effect on insider threats.
Developing Bi-Directional Loyalty, or BDL, is a goal that organizations might want to focus on.
Recent Events Have Eroded Trust
Quiet quitting -- the idea of keeping your job but doing as little as possible -- caught on as an internet sensation because it tapped into a zeitgeist. But the popular notion about quiet quitting was largely mythological. The TikTok videos that introduced the notion merely sought to reassess work-life balance, doing one’s job well but resisting the pressure to let work overtake life by continually doing more with less. It wasn’t encouraging everyone to become Bartleby the Scrivener.
The bonds further weakened as people working remotely began to feel less loyal to their employers because they saw them less often. In this case, absence does not make the heart grow fonder. The Great Resignation in 2021 and widespread layoffs beginning in late 2022 also stressed the employee-employer relationship.
A recent Gallup survey of employee well-being found that 55 percent of workers were "struggling" in the poll’s Life Evaluation Index. And less than a quarter -- 24 percent -- said they felt their organizations cared about their overall well-being, which is less than half of the 49 percent who said so in May 2020. By any measure, employees are disillusioned -- which increases the chances of them becoming an insider security risk.
Organizational Culture Contributes to the Risk
Companies need to realize that a major cause of this threat comes from the top. A lack of leadership and a poor company culture that doesn’t recognize, value, and respect employees’ contributions or support their growth have created a void in the employee-employer relationship. As a result, a lack of loyalty, partly driven by a poor organizational culture, has developed among employees, creating a huge security risk. Employees with no loyalty to the company are more likely to take confidential intellectual property, either for malicious purposes or to help them in their next gig. It also can make employees indifferent to the information they handle, possibly resulting in breaches caused by mistakes or negligence.
Managing insider risks traditionally has been the province of the IT team because defending against insider threats has traditionally focused on the means of stealing or misusing data. Access controls, firewalls and monitoring have been among the many defensive tactics. But in today’s workforce environment, HR should be taking a larger role or at least working together with IT. In fact, DTEX’s research found that, in 2022, 75 percent of internal-risk investigation requests came from HR departments.
Companies are finding that HR departments’ records on employees’ performance plans, internal complaints, at-risk top performers, resignations, and other developments are essential to identifying potential insider threats. They are also key to repairing the employer-employee relationship and building a culture of two-way loyalty going forward.
Restoring Two-way Loyalty Can Reduce Threats
Bi-Directional Loyalty is a new concept in terms of identifying insider risks, though it incorporates ideas and practices that are familiar to workplace relations. MITRE defines it as, "when an organization and employee demonstrate a positive relationship of mutual reliance and overlapping goals, values and outcomes." In addition to being useful in deterring insider threats, it also presents something of a model for organizations to aim for overall.
As a practical matter, HR and IT departments need to work together, using both HR records that could indicate employee disengagement and cybersecurity steps that will deter the malicious exfiltration of data. Just as important as identifying insider threats, companies can use this information to help address the sources of employee disengagement. By tending to these, companies can begin to rebuild workplace relationships and develop mutual loyalty with employees. Ultimately, the best way to reduce risk is to try to act proactively and tackle problems that, if left unchecked, would create threats.
Lynsey Wolf is the Team Lead for the i3 Investigations at DTEX Systems. An experienced insider threat investigator and researcher, she uses scoring frameworks proven to stop malicious actors and insider threats, as well as human behavior analysis to mitigate data loss and other malicious behaviors.