/ 4 September 2023

Cybercrime the silent spectre of insider threats

Swift 1 Cybercrime
Organisations must raise security awareness among employees of the omnipresent threats of the digital age

Last week, Elon Musk woke up to a shocking turn of events as Tesla fell victim to an insider threat leaking the personally identifiable information of more than 75 000 of its employees to a media outlet, casting a dark cloud over the tech titan’s reputation for innovation and security prowess. 

This latest incident, in a digital tsunami of data breaches affecting many organisations worldwide, highlights the vulnerabilities inherent in even the most heavily fortified digital bastions that invest millions of dollars looking to state of the art technology as the silver bullet to secure the organisations crown jewels, that being the critical assets.

In addition, Tesla’s breach highlighting the growing insider threat pandemic, hammers home the point (and is a stark reminder) that organisations that underestimate the potential of the human firewall, either as their greatest asset or most vulnerable weakness is a perilous gamble that is unaffordable. The human firewall is, after all, the organisation’s last line of defence standing at the intersection of technology and instinct, leading the charge against cyber threats to safeguard the organisation’s critical assets. This perilous but vital link represents the interface between cyber criminals (in this instance, in the form of disgruntled or greedy employees) and the company’s vitals. 

Upon reflection, the crucial point is why this point is and remains open to debate. Said in another way, what psychological blind spot prevents the company from appreciating this Achilles’ heel in their defence strategy? 

Many organisations are under the erroneous assumption that investment in fostering a robust security culture is a mere luxury, when it is in fact a strategic imperative that ingrains a collective sense of responsibility and equips employees to repel both internal and external threats. Apart from the notion that a security culture is a luxury which could be dispelled without consequence, another factor in this comedy of errors is the perception among many companies that they are sustainably safe. The reason is that because of their having invested heavily in technology (hundreds of millions in any currency, for that matter), technology is seen and believed to be the silver bullet as far as company securitisation is concerned. 

Even if we rightly consider this erroneous assumption as the recognition of a technology fallacy, the important point is to examine the reasons this fallacy has taken hold so successfully of so many executives’ psyche. 

We all have our biases, as the influential 20th century German philosopher Hans-Georg Gadamer (1900-2002) once demonstrated, but the trick is to ensure that we are aware of these parameters to our understanding and, more to the point, whether we have examined our identified range of prejudices. He is famous for his work in hermeneutics, which is the study of the interpretation of texts. Gadamer studied under the formidable Martin Heidegger at Freiburg University before the outbreak of World War II and succeeded Karl Jaspers as professor of philosophy at Heidelberg in 1949. 

His mother died of uncontrolled diabetes when he was four years old and I suggest that this internal threat claims many lives because it either goes undetected or its effect on the organisational structure is underappreciated. I have suggested that the fallacious perceptions of having spent heavily on security (because of the bias towards money-oriented solutions as necessarily being sufficient) and/or the technology fallacy (namely, the unexamined prejudice towards the perceived adequacy of technology solutions).

The illuminating guide by Perry Carpenter and Kai Roer, The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer, (published by Wiley, 2022) distils the essence of security culture into a captivating ABC.

A stands for Awareness. Organisations must raise security awareness among employees of the omnipresent threats of the digital age; threats abound all around us and are not only external, as the Tesla breach highlights.

B stands for Behaviour. Through robust security awareness and training programmes employees are able to transform knowledge into habitual action bolstering the human line of defence.

C stands for Culture. This emphasises that a strong security culture does not comprise merely a set of policies that employees hardly ever read. Rather, it is a dynamic collective mindset where every employee becomes a proactive defender, maturing the security culture seamlessly into every day decisions. Every business decision is after all a risk decision. (This is the song which one of my collaborators used to sing to her executives on a regular basis when looking to fund her risk initiatives).

Just as Gadamer’s mother died because of the lack of awareness and/or the inability to appreciate the devastating effect of an insider threat, the ABC formula is an essential survival guide in an era of increasing insider threats — as Musk discovered to his horror. In an ever-evolving cyber threat landscape, a robust security culture is the fulcrum upon which an organisation’s survival hinges and to dismiss or underestimate its significance spells peril for the digital heartbeat of that organisation.

Dr Casper Lötter is a conflict criminologist affiliated with North-West University’s School of Philosophy (Potchefstroom) as a research fellow. He has a special interest in cybercrime.