detech-knee-jerkTaking the “Knee-Jerk” out of Knee-Jerk Reaction

  By: Laura Combs, CISSP

Recently, I was reading an article about the latest NSA data breach that was disclosed last week. A Booz Allen government contractor working for NSA (Harold Martin III) was arrested in August, and veritable treasure trove of classified and unclassified information was discovered in his house and shed. The information was stored in paper form as well as on several computers discovered at the house. Few details have been released about how the FBI was tipped off or a possible motive other than the fact some of the classified information had been posted on an online forum and Mr. Martin had recently left the NSA contract and started working on a contract for the Defense Department. The FBI also mentioned that this doesn’t appear to be a case of “malicious intent to harm” as in the infamous case of Edward Snowden, but it is an example of an insider threat nonetheless.

History, especially recent history, seems to be littered with examples of people in positions of trust that misused that trust for their own personal gain or ideology; however, the somewhat less explored topic is the chaos left behind and how it impacts the rest of the organization’s employees. All too often, organizations in the aftermath of such a breach tend to have a knee-jerk reaction, and over-correct to the point of trusting no one. It’s important for the organization to quickly identify whether the breach was made possible by a pervasive security issue or if the person responsible was just a bad apple. If the management team gets it wrong in the response to the breach and decides no employees are trustworthy, it then runs the risk of demoralizing the rest of the workforce and causing the remaining employees to become disengaged.

There are numerous risks associated with a disengaged workforce. If management doesn’t trust employees, employees will pick up on that and begin to lose their sense of personal investment in the projects they’re working on and in the organization as a whole. At that point, a previously thriving and innovative organization can quickly become stagnant. Another risk associated with employee disengagement is that a previously trustworthy individual will suddenly find themselves in a situation where they don’t feel valued, they’re under stress, and they begin to have the perception that they have very little to lose by becoming an insider threat themselves. With the information we have about the most recent NSA case, this appears to be at least a possibility. After the Edward Snowden case, government contractors were suddenly treated much less like valued colleagues and instead treated as co-located service providers. It appears as if Mr. Martin had a small amount of information pre-dating the Edward Snowden case, but the number of documents and source code he stole appeared to have increased afterwards. This would indicate his feelings of disenfranchisement were intensified after the Snowden case and after the subsequent change in the tone of the organization.

After a breach, it can be difficult to focus on anything other than cleaning up the mess, but it’s also essential to strike the correct balance between closing security loopholes without making employees feel like untrustworthy children. I hope Booz Allen is striking that balance in the face of this latest news, but only time will tell.

***
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.