The American View: Consider the Insider Threats You Might Not Be Able to Influence

We spend a lot of time in the security awareness world arguing about how to detect and pre-empt “insider threats.” Often – that is to say, 95%+ of the time – these people are what we call “non-malicious insiders.” That is, they’re normal employees who never intended to harm anyone yet created a security incident by making mistakes. The other 5% of insider threats are “malicious insiders” … what we used to call “disgruntled employees.” These are people who very much want to hurt someone or something. Maybe they’re angry with their supervisor. Maybe they feel underpaid. Maybe they’re frustrated with perceived mismanagement. Whatever an individual actor’s motivations might be, organisations breed their own malicious insiders because of their own corporate culture, because of a worker’s beliefs … or through the third-party vendors who supply them their workers. 

I want to share a real story on how a company turned a cheerful new hire into a worker with a foul attitude. I want you to note every time in the story where this “disgruntlement” process could have been interrupted because the outcome was completely preventable … Which leaves me curious as to how the entities involved could have screwed things up. 

Let’s go back about a month. A young adult that we’ll call “Bob” was searching for full-time work. Bob had applied to several different open reqs for tradesman positions, as he has no professional experience. Bob was stuck in the typical early twenties limbo where every job req requires 1+ years of experience in the role to qualify, but there are no apprenticeship or entry level roles offered to get that first critical year of experience. [1]

One afternoon, a recruiter from a temp agency noticed Bob’s LinkedIn profile and saw that he was interested in blue collar work. The recruiter called Bob and asked if he would be willing to work a contract-to-hire role as a machinist with a well-respected local company that was established, solid … exactly the sort of place where a young person starting out in the trades might be able to learn some skills and build their résumé. Bob enthusiastically agreed. 

He expected it to be honest blue collar work, the way careers were launched in his grandfather’s day.    

On his first Monday, Austin drove an hour to the manufacturer’s complex and was introduced to the crew. They taught him how to work his machines and get started. Bob came home tired but hyped with how friendly and professional the full-time staff had been and how much they stressed quality over speed. The new gig seemed like a great fit. He was excited.

On Tuesday, Bob returned to work and put in a productive day’s labour. His supervisor seemed confident enough in him to let Bob work on his own. He strove to improve his technique on the machine that auto-welded component assemblies. 

On Wednesday, Bob returned to work and put in another day’s productive labour. He was gaining confidence. His supervisor remained friendly, supportive, and accessible. Then, an hour after he got home, the temp agency that had recruited him. They unceremoniously told him that he’s been fired. No explanation, no rationale. Since this is Texas – a “right to work” state – an employer can make any worker redundant at any time without a reason. 

Bob was shocked. He pressed the temp agency as to what had happened. Two hours earlier, he’d been cheerfully speaking with his manager and discussing Thursday’s schedule. He’d never been given any indication that the staff was dissatisfied with him or with his work. The temp agency didn’t know … or didn’t seem to care in the slightest.

“The nerve of this guy, expecting me to do my job! As if!” 

Two weeks later, Bob called the temp agency and asked when he’d be paid for the work he’d done. Three days’ pay wasn’t much, but it was something, and he’d earned it. The temp agency hemmed and hawed, then insisted that he’ll have to drive out to their office in Dallas to pick up a paper cheque since they’d never finished setting up his direct deposit. 

Annoyed, Bob drove to the temp agency. They handed him a paper check … for one day’s work. Bob kept his cool even as his blood began to boil. He asked why he wasn’t being paid for all three days’ work that he’d put in. The clerk claimed – without evidence – that the underpayment had been his fault, saying “you only clocked in on Monday.” 

Seething, Bob countered that the temp agency knew that was incorrect, as their rep had told him on his termination notice call that they had expressly waited for him to get home from work before they’d phoned to announce that he’d been fired. Moreover, the temps working at the manufacturer hadn’t controlled their own timecards; a full-time manager had clocked all of the temps in and out as a standard practice that the temp agency was fully aware of. 

The temp agency rep was ambivalent. They didn’t care. They’ve gotten their 30% cut of his pay (meagre as it was) and couldn’t be bothered to pretend to smooth things over. They suggested they might look into getting his missing wages or might not. It wasn’t their problem. But, hey! They’d be happy to help place him in his next role! [2]

Can you imagine how you’d feel in Bob’s place? The agency that botched your hire, failed to represent or protect you, and tried to steal your wages has the audacity to ask if you’d like to allow them to screw you over again? Why would you even consider taking them up on it? 

This is America. I’ll give you one guess why anyone would take such a raw deal, knowing in advance how badly they’ll likely be mistreated by their employer. 

Why? Because you’re desperate for work. There are few entry-level jobs that pay a living wage, fewer still with health benefits and we’re still in a pandemic. There’s a shortage of entry-level housing in the Dallas market, too. Further, the more time a young adult goes unemployed, the more their résumé screams “I’m poison” to HR people. When you’re desperate for employment, you’ll take whatever you can from whomever can provide it.

You won’t be happy about it, though. If Bob had taken the temp agency up on their offer, how likely is it that he would be a “disgruntled employee” before he ever set foot on the new employer’s property? I argue that it’s not a matter of likelihood; it’s a certainty. This worker – who’s grimly committed to doing whatever it takes to bring in a pay cheque – will come to work every day with a foul attitude. They’re a malicious insider waiting to explode; it will likely take only one major affront or perceived injustice to set them off. Not because of anything the employer did, but because of what their third-party body-shopper had already done to them.

Let’s look at this through a slightly different lens: put yourself in the CSO’s seat at the company Bob is sent to next. Imagine that the other executives ask what you’re doing to reduce the incidence of malicious insider threats. Sure, you can invest in behaviour monitoring for anomaly detection. You can work with HR on culture shaping and morale. You can work with finance to incentivize faithful service. You can offer paid leave and special accommodations for people that need it. There are lots of options in your toolkit for improving employee morale and satisfaction.

There’s the problem, though: Employee morale. Not contractor or temp morale. Your incentives and culture shaping efforts don’t work on them. Parties and cash bonuses and promotions are benefits for the full-time staff. Those corporate mercenaries that you rent by the hour, though? Their morale is partially affected by how well you treat them but is mostlyaffected by their real employer: the temp agency that steals 30-50% of their pay cheque and might be callously mistreating them behind your back. The agency’s whose indifference, caustic disregard, or outright abuse is cultivating a highly motivated insider threat inside your business … right under your nose.

Might as well pay your night-time janitorial staff to clean your carpets with petrol for all the good it’ll do over the long run.   

Still thinking as the CSO, what can you do about this? How much are you even aware of how your body-shoppers treat their people? Heck, how much do you really know about your third-party staffing agencies? And what, if anything, can you do to protect yourself from the threat they pose to your operations other than to simply stop doing business with them after the damage has already been done? 

There are no easy answers to these questions, especially since most companies’ only real remedy is to terminate their business relationship with the third-party entity after a malicious insider threat event has manifested. Any significant attempt to probe into the body shopper’s culture, history, or treatment of staff might well exceed what you’re allowed to ask. It’s a mess … 

Meanwhile, powerless young people like Bob are caught in the machinery, résumés mangled and attitudes ruined, all because they couldn’t skip the temp agency and get a real entry-level job instead … because your company demands that every new applicant have 1+ years of experience before HR will deign to offer them an interview. 

We’re doing this to ourselves, folks. Sure, we all knew about the risks of mistreating our full-time staff. Make people angry enough and they’ll turn on the organisation. The thing is, the last year of catastrophic job losses thanks to the pandemic has exacerbated a harmful trend that we’ve been seeing for the last twenty years, especially in high-tech: reducing the number of full-time positions in favour of disposable “independent contractors.” People who are purposefully kept at an arm’s length and never have any reason to feel loyalty to their patron du jour.  

Now, we’re compounding the problem by forcing our youngest and most vulnerable workers into IC roles. If we don’t provide a genuine pathway for young people to assimilate into the full-time workforce, we’re going to create an entire generation of angry, disinterested, and uninvested mercenaries that our promises of “great company culture” only serve to further alienate. In effect, we’re going to keep creating our own internal threats … by proxy, so we never see the blow-up coming. 


[1] This is completely normal for the U.S. jobs market, by the way.

[2] Bob eventually got those two days’ pay back, although most of it was already spent on the petrol it took to drive to Dallas and back to pick up his own bloody paper cheque. 

Pop Culture Allusion: Sang-yoon Lim, A Company Man (2012 film)

Keil Hubert

Keil Hubert

POC is Keil Hubert, keil.hubert@gmail.com Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

© Business Reporter 2021

Top Articles

Driving digital transformation with effective application delivery

Application delivery is not just for the IT department. It's a strategic issue that senior decision makers in business need…

C-suite executives reveal the top HR metrics they need

HR metrics can drive positive business outcomes: but the c-suite is often denied the right data

Next in the firing line: the probation period

The pandemic has left employees with the power. Employers that want to attract top talent must accept that hiring has…

Related Articles

Register for our newsletter