Sometimes, it only takes one moment — one life-changing incident — for the most trustworthy employee to become an insider threat.

As Nick Cavalancia, founder of Microsoft MVP, observed at Spiceworld 2019, malicious user behavior is all about intent. Coming up with the best approach to addressing insider threats means understanding the reasons behind intent. When you understand why someone would go from a highly rated employee to a potential criminal or serious threat to your company’s well-being, you can design a threat prevention program that will actually work.

What’s Behind Intent?

To recognize the motivators behind malicious user behavior, leadership must be in tune with their employees throughout the entire cycle of employment. That’s easier said than done, since many employees prefer to keep their personal lives separate from their work lives, especially if they believe a life-altering event could jeopardize their job. They might not be quick to talk about a family member having cancer or their ongoing fertility treatments or that they need to bail out a relative in financial crisis. Nor does leadership always know when there’s trouble bubbling up inside the workplace. For example, a junior staffer seeing their manager take all the credit for completed work or a perception of favoritism can create a hostile work environment.

These situations are part of everyday life. Not everyone is going to be happy at work, and there will naturally be outside influences that create hardship. But sometimes things get so bad that the employee feels desperate and does something out of the ordinary that makes them an insider threat. Often, said Cavalancia, this malicious behavior is difficult to detect because it looks like the person is just doing their job.

That’s why circumstantial shifts in human behavior need more attention. When we talk about potential threats (even ones that originate from the inside), there may be a tendency to think of individuals spreading malware or causing data breaches by mistake, but threats caused by circumstance can also cause serious damage to the company from the inside. Threats of this kind must be identified and addressed just like any other.

Employee Risk Assessment Profiles

You don’t know when (or if) something bad is going to happen to an employee, but it is possible to create a risk assessment profile on each person in the company. It’s a matter of looking at where the greatest risk is at any given time, not who could become the greatest threat. Anyone building a risk assessment profile should consider the following:

• What is the person’s position within the company? The higher their rank, the more access they’ll have to corporate data, financials, intellectual property and other sensitive information.
• What department do they work in? It’s important to know what type of data they have regular access to.
• What type of administrative access do they have, and is it permanent access or limited? The more admin access one has, the more they can do without detection.

If you want to go more in-depth on risk assessment, you can add questionnaires to determine how employee access is being supervised, the exact type of access they have and how frequently they rely on remote access. With this information, you can build a robust risk assessment profile that shows the level of monitoring that would be appropriate for an individual or department — while still respecting employees’ right to privacy, of course. This can help highlight any changes in habit and help indicate potential malicious behaviors.

Start Building an Insider Threat Program

A risk assessment profile helps you determine where potential threats may happen. It may even help you narrow down threats to individual employees based on what’s known about their job duties and life circumstances. But knowing where threats are is only part of the solution. Risk assessment profiles are also critical to putting together an insider threat program (ITP) team.

The ITP team’s first task is to define what your company considers insider risk. This will be unique to each company, but you can’t defend against a threat unless you can pinpoint what it is. Along that line, you should also determine which assets have real value and need protecting. Your ITP team will then be able to develop the goals of your threat program. Is the goal to identify where the greatest insider threats are, or to track down the source of data breaches and other cyber incidents, or create a way for employees to document their concerns about potential threats?

Next, your insider threat program should provide documentation that can be used throughout the organization, define data usage policies and outline the solutions that should be used throughout the company to protect corporate assets. Employees are more likely to follow rules if they understand why the rules are there and why their work might require oversight.

Finally, the ITP team should work with other stakeholders to create an incident response plan that lays out what to do if an employee has created an insider threat, how and when to handle behavioral conduct reviews, and what guidelines to follow when an employee leaves.

The more visibility you have into an employee’s behavior, duties and life circumstances, the better your chances become of understanding the intent behind their online conduct in the workplace. Building an insider threat program can give you the guidelines necessary to maintain oversight and address threats before they happen.