Workplace Security – The Emerging New Threat

Posted on: October 26th, 2014

Contents

  1. Workplace Violence Remains a Business Concern
  2. The Emerging Threat
  3. Case Study

Workplace Violence Remains a Business Concern

According to available research and recent studies, Workplace Violence continues to be a major business security threat facing the workplace today, followed by Business Continuity/Business Interruption and Terrorism (Pinkerton Security Survey).

Dr. Robert F. Hester, in an article entitled “Business Continuity for Small Businesses,” said, “Safety, security and preparedness aren’t routinely a focus in our lives. Being on guard is not something Americans enjoy doing. Still danger and threat never go away; only fades in memory.”

The Emerging Threat

According to a variety of current surveys and research, the use of email and the internet by disgruntled employees who wish to cause a person or a business harm is the new emerging threat causing business executives considerable angst.

While traditional company approaches suggest that the problem typically deals with the hostile behavior of a disgruntled employee or the escalation of disputes between employees, security directors also include the risk posed by the armed robber and the opportunity criminal as workplace security concerns.

That was the traditional perspective. Not factored into the traditional equation is the calculated threat posed by the “Insider” who has privileged access to the company intranet, business email, company files, remote access and management, and oversight via his or her computer. The advent of remote access has further muddied the waters.

New, non-traditional approaches to the Prevention of Workplace Violence and Workplace Security do not disqualify any potential threat to the safety and security of the workplace, hence the discovery of new, more potent threats. These innovative approaches require an analytical perspective that looks beyond the walls and into the world of minimized detection and maximum damage.

No longer should responsible officials limit their scope to preventing escalation of violence between employees; companies are at risk. New, harder-to-detect methods have arisen for employees to exact revenge or “make a point”.

One new retaliatory measure at employees’ disposal involves network “privileged access”. Devastating damage can be inflicted using such access. While we await the other “Threats from Within – the Terrorist” to strike, the new “lying in wait” culprit is the “privileged user”, who might be a current employee, former employee, vendor, or contractor with access… who has an ax to grind or a score to settle.

What makes this perpetrator extremely dangerous and drastically effective is access. The physical access controls that deny unauthorized intruders do not deny the privileged user access.

“For many years external security threats received more attention than internal security threats, but the focus has changed. While viruses, worms, Trojans, and DoS are serious, attacks perpetrated by people with trusted insider status – employees, ex-employees, contractors, and business partners – pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from the outside.” (“The Enemy Inside”, Kristin Gallina Lovejoy, CSO, April 2006).

Following this thought process, one quickly surmises the magnitude and capability of this perpetrator’s reach. Gone are the days of risking exposure; this perpetrator chooses to wait for the opportunity, lay a trap, sabotage systems, disrupt operations and even transfer company files to competitors. “Getting even” takes on new dimensions.

And so, now we have a new, broader profile and threat to contend with. The traditional “going postal” profile (male, 17-60 years of age, holding a technical position, married…) does not matter anymore.

The new profile is racially and ethnically diverse and can come from a broad pool of employees. These are the new suspects. Common amongst perpetrators, though, are the perception of victimization and the desire for revenge, along with the ease of information theft, conflicting interests, abuse of privileges and disgruntled behavior. Whereas the act of violence is physical in orientation, the Internet or Computer Predator chooses a medium of retaliation that is cleaner and has a faceless victim.

Case Study:

An employee of a major government agency, feeling victimized by coworkers and sensing no intervention by management, resorts to acts of retaliation and revenge.

Initially he resorted to the common threats of physical harm, which included use of his vehicle, and to verbal threats that escalated in phases to include death threats. Fortunately, he never got the chance to deliver on his believed threat. While the employee was searching the internet for bomb-making materials, his unsuspecting supervisor, returning from an early lunch, accidentally happened on his computer terminal and found him browsing a bomb-making website.

Sensing a serious breach of user privileges, superiors were notified, and the computer was isolated and confiscated. An examination of the hard drive revealed an interesting forensic footprint.

Upon investigation, it was disclosed that the employee was in the last phase of his bomb-making venture, having left the purchase of the last ingredients as the final step.

The employee admitted to his actions but denied his intentions. Because his intent was not clearly established, no criminal charges were lodged. Suffice it to say, anyone can see the potential for, and the potency of, abuse of a computer with its built-in tools.

Why does this innovative approach matter? It matters because the workplace is the most exposed target for any predator driven by revenge, a terrorist bent, or greed and manipulation. Countermeasures call for a return to astute vigilance and new policies.

What can you implement immediately? Change passwords for former employees. Lock out contractors, vendors, and business partners at the conclusion of official business dealings, and establish clear policies, guidelines, and procedures – with consequences for breaches and criminal violations.

To efficiently evaluate all visible and camouflaged areas of risk, develop experience-based policy in consultation with a qualified security consultant.

When the policies have been set, secure the mindset and daily habits of managers and employees with follow-up implementation and education by the security consultant.

Not every company is fated to become a victim statistic in a publicized study or survey. Use a broad, innovative approach. In addition to securing against Workplace Violence using traditional methods, protect against the new, emerging threats that cause concerned managers considerable angst, engage a Security Consultant when necessary, and protect the health of employees and your business.

What are your thoughts?