Workplace violence: the forgotten insider threat

Credit to Author: Jovi Umawing| Date: Fri, 12 Oct 2018 16:00:00 +0000

Organizations are no stranger to insider threats. In fact, for those who have been around long before the Internet, workplace violence, (alongside spying) is a problem many businesses have seen before and sought to address.

However, the adoption and use of the Internet completely changed the way organizations run and grow their businesses, how customers can communicate with companies, and how employees do their jobs. And with this advancement—as we’re well aware by now—comes new, more sophisticated challenges that can compound the risks that organizations face from insiders.

When it comes to security, many enterprises are focused on beefing up their system and network defenses to keep outside hackers from getting their hands on digital assets. In addition, organizations are now more aware of the threat that malicious insiders pose—whether that’s stealing proprietary information or spying for competitors. Yet it seems that little or no attention is given to addressing workplace violence as a whole.

An overview of workplace violence

In our previous blog on insider threats, we defined workplace violence (WPV) as “violence or threat of violence against employees and/or themselves.” This can manifest in the form of physical attacks, threatening or intimidating behavior and speech (written, verbal, or electronically transmitted), harassment, property damage, or other acts that could put people at risk.

Early signs of potential for violence include threats of bodily harm (often framed as a joke, a passing comment, or a verbalization of violent thoughts), insults, passive-aggressive actions, dramatic or unreasonable demands, withdrawal (especially if they used to be sociable), and sudden undue whining or complaining. Other manifestations may not be evident at first, too.

Knowing this, one might think it is essential for organizations of any size to be able to identify and tackle workplace violence head on, on top of improving their network defenses. Sadly, this isn’t the case.

Although organizations are required by law to keep employees safe by creating a healthy, hazard-free workplace environment, almost half of executives in a corporate survey conducted by TAL Global, a security and risk management company, believe that “workplace violence is not an issue that needs to be addressed.” It’s also frustrating to note that more than half of these executives “do not believe that workplace violence will create a negative impact on their budget.”

This is a serious oversight, especially when the Department of Justice estimates that workplace violence costs US businesses about $36 billion per year in lost productivity, property, and most importantly, employee lives.

The workplace, redefined

While we’re about WPV, it’s important to remind ourselves that the definition of “workplace” has evolved over time and is no longer confined within the walls of a traditional office building. Today, the workplace can be your home, your favorite coffee shop, the local library, or even a co-working space.

Over the last decade, the number of telecommuting workers has increased by 115 percent, according to a 2017 report from Global Workplace Analytics and FlexJobs. And while working from home is beneficial for both employees and employers, it also comes with its own risks.

While organizations must be sure to protect their sensitive client and company data accessed outside of the office network by remote workers, they also have to ensure workplace security in the telecommuter’s home office.

Why? Because a home office, according to the Occupational Safety and Health Administration, is still under the employer’s jurisdiction. Therefore, they must make sure that home offices are safe and hazard-free. This could also mean that policies governing workplace violence could be adapted from the office to the home office.

Is workplace violence on the rise?

Perhaps. The TL;DR answer to that question is this: It depends on the industry (e.g., incidents of workplace violence in healthcare are far more common than in other industries) or the type of violent incident (e.g., non-fatal assaults have decreased while workplace homicides have increased).

Regardless of whether WPV has decreased or increased, it’s clear that the issue needs addressing. The promotion and adherence to the “It wouldn’t happen to us!” myth didn’t save organizations from hackers breaching their systems, so why should it keep them from WPV incidents?


Read: 5 cybersecurity questions retailers must ask to protect their businesses


Types of WPV

Talking about workplace violence may conjure up highly-publicized images of active shooters stationed on campus. Let us keep in mind, however, that not all workplace violence events happen this way. According to Steve Crimando, an expert in the field of threat assessment and threat management, there are five current types we all need to familiarize ourselves with. They are:

  • Criminal intent. This type usually involves criminals who target establishments, often, with the intent to steal. Robbers and shoplifters belong to this type.
  • Customer/Client. This type is perpetrated by customers or patients (including their relatives) against one or more workers servicing them. Verbal abuse against workers in healthcare and social services is an example.
  • Worker-to-worker. This is probably the type employees can relate to the most. These acts of violence can be perpetrated by either current or former employees toward one or more other employees of an organization. Workplace bullying is an example of this type.
  • Domestic violence. More commonly, women have been victims of domestic violence in the workplace, but that isn’t to say that this doesn’t happen to men.
  • Ideological violence. This type could either be perpetrated by radicalized employees or external actors targeting organizations, its people, and properties for reasons related to their ideology, politics, or religion. Active shootings and terrorist attacks are examples that fall under this type.

Some organizations only partially recognize stalking and cyberbullying as workplace violence, but we’d consider them to be as well.

Practical ways organizations can help address WPV

Marianne Alvarez, co-founder and director of training at the ALICE (Alert, Lockdown, Inform, Counter, Evaluate) Training Institute in California, has provided tips on how organizations can prepare themselves for potential incidents of workplace violence. Her recommendations include:

Assess

Organizations must check the overall health of the organization’s safety and physical security. This may involve hiring a certified risk assessment professional who can conduct a full onsite evaluation of security gaps or weaknesses the business may have to address. The risk assessment professional inspects infrastructure weaknesses (locks, CCTV cameras, etc.) and prevention and training programs that are in place to see if these need to be enhanced as well.

Prioritize

Once the risks and weaknesses are identified, the organization can then prioritize which ones to address first. During the prioritize phase, they should also set a plan and a budget.

Train

Organizations must continue training—or in some cases, re-training—their employees on how to how to respond to incidents of workplace violence, whether it be a full-blown shouting match between two workers or an incident involving aggressive intruders.

It’s imperative that companies stress the importance of preventing the escalation of a negative encounter in the workplace to an active shooting event.

“The training should include a blended model of classroom-type learning, a test to ensure learning, and drills to practice what they learned,” said Alvarez. “Much like CPR, one must be able to apply the appropriate concepts while under the pressure of a critical event. The only way to ensure this is to repeat the practice of the concepts in live drills.”

When work life bleeds into personal life

Modern-day workers have come to perceive and accept their work lives as something inseparable from their personal lives. It’s a mindset and lifestyle prevalent to those working in tech industry hotspots like Silicon Valley, as well as financial hubs such as Wall Street. So feeling like a failure in work could make one feel like a failure in life.

“An employee can feel that they give their all to a company, making employment feel like less of a job and more a way of life,” said Leslie Garcia, CEO of Executech Security Solutions. “When not recognized for their efforts or terminated for poor work performance, this could possibly trigger a retaliatory emotional and potentially dangerous physical response.”

It’s vital to address vulnerabilities in systems that endanger valuable data. However, it is equally important to take care of the people under organizations’ watch. Ideally, an overall workplace security posture—that which covers the protection and safety of the business’s infrastructure, tangible assets, digital assets, and its people—coupled with a culture that intentionally ingrains security behaviors, awareness, and proper reporting practices—would be able to mitigate workplace violence as well.

In the face of workplace violence, these are thoughts organizations must ponder, recognize, accept, and take action on. The lives of their employees depend on it.

Recommended reading:

The post Workplace violence: the forgotten insider threat appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/