
Suspicion: The new corporate asset

Trust in the workplace, once a team-building asset, is now such a risk that employees are required to be suspicious of their colleagues. The high percentage of breaches caused by internal error and rule-breaking could hardly be better illustrated than by the recent Reuters report, which claims that between 20 and 25 workers at the NSA regional operations centre in Hawaii gave Edward Snowden their logins and passwords because he told them he needed them to do his job.

There is no suggestion that Snowden had any bogus authorisation from senior staff, no credentials to support this claim, just his own words.

The recent Verizon Data Breach Investigations Report laid great emphasis upon the importance of employees being aware and naturally questioning of processes and actions which seem suspicious.

"Once again, end users represent the most effective means of detecting a breach internally (and it would be even higher if ATM skimmers spotted by employees were included).

"Typically this involves a regular employee who, in the course of their daily responsibilities, notices something strange."

It's an easy aside to suggest that, of all people, NSA employees should be the most suspicious, but the Reuters report shows how trust in the workplace can be the most dangerous risk.

"What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable," says Steven Aftergood, an expert in secrecy working with the Federation of American Scientists.

Says Psychology Today: "Without trust, you can't create an effective work group, influence or lead people who do or don't report to you, or build strong working relationships. And while people aren't trustworthy to the same extent, when you assess the risks and choose to offer trust incrementally and situationally, you'll increase the likelihood of reaping the benefits trusted relationships at work bring." This is a message we can all subscribe to, but one which incurs risk.

The secret, says Rohyt Belani, CEO of PhishMe, which has run anti-phishing tests on millions of employees in countries all over the world, is to fully engage the whole team and create an atmosphere of group responsibility for security, not simply to suspect everyone.

"There is no silver bullet here, no single solution. Which piece of security technology is 100 per cent effective? You may spend millions on the technology but the end-user still represents the most effective way of detecting a breach."

"Create a culture where everyone shares in the security objective. And where members of staff warn others about their lax security behaviour."