The Righteous Moraliser - a new kind of insider threat


The risk of insider threats has long been high on the agenda of information security professionals.

The focus is often on malicious insiders, as seen in recent high-profile and widely publicised cases of fraud, intellectual property theft and sabotage of IT systems.

However, in our increasingly hyper-connected and polarised world, where information is the new currency, its misuse is evolving. Connectivity is no longer used only for material gain or revenge, but also to promote personal socio-political views, resulting in a new and more subtle kind of insider threat.

Social issues, the environment, gender politics and even politics in general have now become highly charged and divisive subjects within the workplace.

The threat manifests itself when individuals decide to use the business as a platform to promote or potentially impose their views on the business and its employees, often at odds with a non-partisan culture.

A combination of misinformation, emotionally charged issues and increased employee activism inevitably leads to conflict in the workplace, where differing views collide. The worst case is where an employee decides that the business is either not aligned with their viewpoint, or at least not doing enough to support it, and acts maliciously by stealing, destroying, or exposing confidential business information.

One of the most high-profile examples is that of Frances Haugen, a former Facebook product manager who leaked thousands of business-sensitive internal documents to the press, revealing that the company knew, amongst other things, of the negative impact some of its content was having on young people's mental health, but then allegedly refused to address it.

There have also been various cases of employees leaking information exposing a company's environmental claims as not as green as advertised, a practice now commonly referred to as 'greenwashing'.

The defence of Ms Haugen's direct-action hacktivism was that it was morally justified whistleblowing, and indeed there is a very fine line between that and a leak made with malicious intent.

Abusing seniority

At the other end of the scale, the threat is more subtle. A recent case reported in the UK media was that of Sarah Underhill, HR director of the Technology & Data Group at Lloyds Bank, who took it upon herself to send an email to all 30,000 of Lloyds Bank's employees in her division. The email included the text:

"Like many of you, I was appalled to hear the rhetoric coming from the Conservative Party Conference this week, targeting the trans and non-binary community. Hearing language that fuels hate and division is shocking. To all our trans and non-binary colleagues across Group COO, please know that at Lloyds Banking Group, you are not alone. You are valued. You are welcome here."

The use of such partisan language in an official email to all employees is at best ill-conceived and at worst a threat. The use of such a senior position, and of the corporate email system of a public company, to promote a political viewpoint that we cannot be sure all 30,000 recipients agreed with is in essence a form of soft hacktivism: the threat is the misuse of the corporate computer systems, and the risk is reputational damage to the business.

What makes this case particularly worrying is that Ms Underhill holds a senior HR role in the Lloyds group. I have worked with many senior HR professionals and one of their most defining attributes is that they at all times conduct themselves so as to remain completely neutral and unbiased, regardless of their personal views and beliefs.

A company the size of Lloyds Bank has a large and diverse workforce, with many differing political, religious and cultural viewpoints. Some employees will have agreed with Ms Underhill, but others were offended by her email; enough of them, in fact, for there to be multiple leaks to the press and on social media. Morally justifiable whistleblowing?

It also raises the question: is this the official position of Lloyds Bank, or just the personal opinion of one of its directors? On top of that, how are those employees who hold contrasting views treated? Would they get a fair hearing if they were to write an email in support of the speeches (Editor's note: History suggests not, as in the case of James Damore, a Google engineer who wrote a company-wide memo railing against diversity policies)?

This case came soon after the furore over Nigel Farage being 'cancelled' by Coutts Bank because of his political views. It is ironic that he recently announced he had been given a new bank account with, you guessed it, Lloyds Bank.

The publicity around the case has resulted in calls for Ms Underhill to be 'resigned' (Lloyds wouldn't dare sack her); but from a risk perspective, can the business now trust that she and her opinions will not do something else that might bring it into disrepute?

The key point in this case is not about trans and non-binary rights, or what was said or not said. It's about neutrality of opinion when representing a business in an official capacity. It's about the increased risk of employee activism, and of using the business as a platform for promoting a political agenda or for righteous moralising, potentially to its detriment. When an employee does that, they become a threat.

Ian Hill is Director of Information & Cyber Security at Upp.