Sometimes, it only takes one moment — one life-changing incident — for the most trustworthy employee to become an insider threat.

As Nick Cavalancia, founder of Microsoft MVP, observed at Spiceworld 2019, malicious user behavior is all about intent. Coming up with the best approach to addressing insider threats means understanding the reasons behind intent. When you understand why someone would go from a highly rated employee to a potential criminal or serious threat to your company’s well-being, you can design a threat prevention program that will actually work.

What’s Behind Intent?

To recognize the motivators behind malicious user behavior, leadership must be in tune with their employees throughout the entire cycle of employment. That’s easier said than done, since many employees prefer to keep their personal lives separate from their work lives, especially if they believe a life-altering event could jeopardize their job. They might not be quick to talk about a family member having cancer, their ongoing fertility treatments or their need to bail out a relative in financial crisis. Nor does leadership always know when there’s trouble bubbling up inside the workplace. For example, a junior staffer seeing their manager take all the credit for completed work, or a perception of favoritism, can create a hostile work environment.

These situations are part of everyday life. Not everyone is going to be happy at work, and there will naturally be outside influences that create hardship. But sometimes things get so bad that the employee feels desperate and does something out of the ordinary that makes them an insider threat. Often, said Cavalancia, this malicious behavior is difficult to detect because it looks like the person is just doing their job.

That’s why circumstantial shifts in human behavior need more attention. When we talk about potential threats (even ones that originate from the inside), there may be a tendency to think of individuals spreading malware or causing data breaches by mistake, but threats caused by circumstance can also cause serious damage to the company from the inside. Threats of this kind must be identified and addressed just like any other.

Employee Risk Assessment Profiles

You don’t know when (or if) something bad is going to happen to an employee, but it is possible to create a risk assessment profile on each person in the company. It’s a matter of looking at where the greatest risk is at any given time, not who could become the greatest threat. Anyone building a risk assessment profile should consider the following:

  • What is the person’s position within the company? The higher their rank, the more access they’ll have to corporate data, financials, intellectual property and other sensitive information.
  • What department do they work in? It’s important to know what type of data they have regular access to.
  • What type of administrative access do they have, and is it permanent access or limited? The more admin access one has, the more they can do without detection.

If you want to go more in-depth on risk assessment, you can add questionnaires to determine how employee access is being supervised, the exact type of access they have and how frequently they rely on remote access. With this information, you can build a robust risk assessment profile that shows the level of monitoring that would be appropriate for an individual or department — while still respecting employees’ right to privacy, of course. This can help highlight any changes in habit and help indicate potential malicious behaviors.

Start Building an Insider Threat Program

A risk assessment profile helps you determine where potential threats may happen. It may even help you narrow down threats to individual employees based on what’s known about their job duties and life circumstances. But knowing where threats are is only part of the solution. Risk assessment profiles are also critical to putting together an insider threat program (ITP) team.

The ITP team’s first task is to define what your company considers insider risk. This will be unique to each company, but you can’t defend against a threat unless you can pinpoint what it is. Along that line, you should also determine which assets have real value and need protecting. Your ITP team will then be able to develop the goals of your threat program. Is the goal to identify where the greatest insider threats are, to track down the source of data breaches and other cyber incidents, or to create a way for employees to document their concerns about potential threats?

Next, your insider threat program should provide documentation that can be used throughout the organization, define data usage policies and outline the solutions that should be used throughout the company to protect corporate assets. Employees are more likely to follow rules if they understand why the rules are there and why their work might require oversight.

Finally, the ITP team should work with other stakeholders to create an incident response plan that lays out what to do if an employee has created an insider threat, how and when to handle behavioral conduct reviews, and what guidelines to follow when an employee leaves.

The more visibility you have into an employee’s behavior, duties and life circumstances, the better your chances become of understanding the intent behind their online conduct in the workplace. Building an insider threat program can give you the guidelines necessary to maintain oversight and address threats before they happen.
