Sometimes, it only takes one moment — one life-changing incident — for the most trustworthy employee to become an insider threat.

As Nick Cavalancia, founder of Microsoft MVP, observed at Spiceworld 2019, malicious user behavior is all about intent. Coming up with the best approach to addressing insider threats means understanding the reasons behind intent. When you understand why someone would go from a highly rated employee to a potential criminal or serious threat to your company’s well-being, you can design a threat prevention program that will actually work.

What’s Behind Intent?

To recognize the motivators behind malicious user behavior, leadership must be in tune with their employees throughout the entire cycle of employment. That’s easier said than done, since many employees prefer to keep their personal lives separate from their work lives, especially if they believe a life-altering event could jeopardize their job. They might not be quick to talk about a family member having cancer, their ongoing fertility treatments or the need to bail out a relative in financial crisis. Nor does leadership always know when there’s trouble bubbling up inside the workplace. For example, a junior staffer seeing their manager take all the credit for completed work, or a perception of favoritism, can create a hostile work environment.

These situations are part of everyday life. Not everyone is going to be happy at work, and there will naturally be outside influences that create hardship. But sometimes things get so bad that the employee feels desperate and does something out of the ordinary that makes them an insider threat. Often, said Cavalancia, this malicious behavior is difficult to detect because it looks like the person is just doing their job.

That’s why circumstantial shifts in human behavior need more attention. When we talk about potential threats (even ones that originate from the inside), there may be a tendency to think of individuals spreading malware or causing data breaches by mistake, but threats caused by circumstance can also cause serious damage to the company from the inside. Threats of this kind must be identified and addressed just like any other.

Employee Risk Assessment Profiles

You don’t know when (or if) something bad is going to happen to an employee, but it is possible to create a risk assessment profile on each person in the company. It’s a matter of looking at where the greatest risk is at any given time, not who could become the greatest threat. Anyone building a risk assessment profile should consider the following:

  • What is the person’s position within the company? The higher their rank, the more access they’ll have to corporate data, financials, intellectual property and other sensitive information.
  • What department do they work in? It’s important to know what type of data they have regular access to.
  • What type of administrative access do they have, and is it permanent access or limited? The more admin access one has, the more they can do without detection.

If you want to go more in-depth on risk assessment, you can add questionnaires to determine how employee access is being supervised, the exact type of access they have and how frequently they rely on remote access. With this information, you can build a robust risk assessment profile that shows the level of monitoring that would be appropriate for an individual or department — while still respecting employees’ right to privacy, of course. This can help highlight any changes in habit and help indicate potential malicious behaviors.

Start Building an Insider Threat Program

A risk assessment profile helps you determine where potential threats may happen. It may even help you narrow down threats to individual employees based on what’s known about their job duties and life circumstances. But knowing where threats are is only part of the solution. Risk assessment profiles are also critical to putting together an insider threat program (ITP) team.

The ITP team’s first task is to define what your company considers insider risk. This will be unique to each company, but you can’t defend against a threat unless you can pinpoint what it is. Along that line, you should also determine which assets have real value and need protecting. Your ITP team will then be able to develop the goals of your threat program. Is the goal to identify where the greatest insider threats are, to track down the source of data breaches and other cyber incidents, or to create a way for employees to document their concerns about potential threats?

Next, your insider threat program should provide documentation that can be used throughout the organization, define data usage policies and outline the solutions that should be used throughout the company to protect corporate assets. Employees are more likely to follow rules if they understand why the rules are there and why their work might require oversight.

Finally, the ITP team should work with other stakeholders to create an incident response plan that lays out what to do if an employee has created an insider threat, how and when to handle behavioral conduct reviews, and what guidelines to follow when an employee leaves.

The more visibility you have into an employee’s behavior, duties and life circumstances, the better your chances become of understanding the intent behind their online conduct in the workplace. Building an insider threat program can give you the guidelines necessary to maintain oversight and address threats before they happen.
