Sometimes, it only takes one moment — one life-changing incident — for the most trustworthy employee to become an insider threat.

As Nick Cavalancia, founder of Microsoft MVP, observed at Spiceworld 2019, malicious user behavior is all about intent. Coming up with the best approach to addressing insider threats means understanding the reasons behind intent. When you understand why someone would go from a highly rated employee to a potential criminal or serious threat to your company’s well-being, you can design a threat prevention program that will actually work.

What’s Behind Intent?

To recognize the motivators behind malicious user behavior, leadership must be in tune with their employees throughout the entire cycle of employment. That’s easier said than done, since many employees prefer to keep their personal lives separate from their work lives, especially if they believe a life-altering event could jeopardize their job. They might not be quick to talk about a family member having cancer or their ongoing fertility treatments or that they need to bail out a relative in financial crisis. Nor does leadership always know when there’s trouble bubbling up inside the workplace. For example, a junior staffer seeing their manager take all the credit for completed work or a perception of favoritism can create a hostile work environment.

These situations are part of everyday life. Not everyone is going to be happy at work, and there will naturally be outside influences that create hardship. But sometimes things get so bad that the employee feels desperate and does something out of the ordinary that makes them an insider threat. Often, said Cavalancia, this malicious behavior is difficult to detect because it looks like the person is just doing their job.

That’s why circumstantial shifts in human behavior need more attention. When we talk about potential threats (even ones that originate from the inside), there may be a tendency to think of individuals spreading malware or causing data breaches by mistake, but threats caused by circumstance can also cause serious damage to the company from the inside. Threats of this kind must be identified and addressed just like any other.

Employee Risk Assessment Profiles

You don’t know when (or if) something bad is going to happen to an employee, but it is possible to create a risk assessment profile on each person in the company. It’s a matter of looking at where the greatest risk is at any given time, not who could become the greatest threat. Anyone building a risk assessment profile should consider the following:

  • What is the person’s position within the company? The higher their rank, the more access they’ll have to corporate data, financials, intellectual property and other sensitive information.
  • What department do they work in? It’s important to know what type of data they have regular access to.
  • What type of administrative access do they have, and is it permanent access or limited? The more admin access one has, the more they can do without detection.

If you want to go more in-depth on risk assessment, you can add questionnaires to determine how employee access is being supervised, the exact type of access they have and how frequently they rely on remote access. With this information, you can build a robust risk assessment profile that shows the level of monitoring that would be appropriate for an individual or department — while still respecting employees’ right to privacy, of course. This can help highlight any changes in habit and help indicate potential malicious behaviors.
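The profile factors listed above (position, department data sensitivity, type of admin access, remote access frequency) can be turned into a repeatable score that maps to a monitoring tier and flags shifts between reviews. The code below is an added illustration, not part of the original article or any vendor product; the weights, tier thresholds and the `AccessProfile` fields are assumptions for demonstration only.

```python
from dataclasses import dataclass

# Assumed weights for illustration; a real program would calibrate these against
# the organisation's own asset inventory and access reviews.
RANK_WEIGHT = {"staff": 1, "manager": 2, "director": 3, "executive": 4}
DATA_SENSITIVITY = {"marketing": 1, "engineering": 2, "hr": 3, "finance": 4, "legal": 4}
ADMIN_WEIGHT = {"none": 0, "limited": 3, "permanent": 6}   # time-boxed vs standing admin
HEAVY_REMOTE_LOGINS = 10                                   # logins/week treated as heavy remote use


@dataclass(frozen=True)
class AccessProfile:
    employee_id: str
    rank: str                   # position within the company
    department: str             # proxy for the data they regularly access
    admin_access: str           # "none", "limited" (time-boxed) or "permanent"
    remote_logins_per_week: int


def risk_score(p: AccessProfile) -> int:
    """Combine the profile factors into one score (higher = more exposure)."""
    score = RANK_WEIGHT.get(p.rank, 1) * DATA_SENSITIVITY.get(p.department, 1)
    score += ADMIN_WEIGHT.get(p.admin_access, 0)
    if p.remote_logins_per_week > HEAVY_REMOTE_LOGINS:
        score += 2
    return score


def monitoring_level(score: int) -> str:
    """Map a score to the level of oversight considered appropriate (assumed thresholds)."""
    if score >= 14:
        return "enhanced"
    if score >= 7:
        return "standard"
    return "baseline"


def profile_changes(old: AccessProfile, new: AccessProfile) -> list[str]:
    """Describe what changed between two reviews of the same person's profile."""
    changes = []
    if new.admin_access != old.admin_access:
        changes.append(f"admin access {old.admin_access} -> {new.admin_access}")
    if new.remote_logins_per_week != old.remote_logins_per_week:
        changes.append(f"remote access {old.remote_logins_per_week} -> {new.remote_logins_per_week} logins/week")
    old_s, new_s = risk_score(old), risk_score(new)
    if old_s != new_s:
        changes.append(f"risk score {old_s} -> {new_s} ({monitoring_level(old_s)} -> {monitoring_level(new_s)})")
    return changes
```

Re-running `profile_changes` at each review cycle gives the habit-change signal the text describes without logging any of the employee's personal circumstances.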

Start Building an Insider Threat Program

A risk assessment profile helps you determine where potential threats may happen. It may even help you narrow down threats to individual employees based on what’s known about their job duties and life circumstances. But knowing where threats are is only part of the solution. Risk assessment profiles are also critical to putting together an insider threat program (ITP) team.

The ITP team’s first task is to define what your company considers insider risk. This will be unique to each company, but you can’t defend against a threat unless you can pinpoint what it is. Along that line, you should also determine which assets have real value and need protecting. Your ITP team will then be able to develop the goals of your threat program. Is the goal to identify where the greatest insider threats are, or to track down the source of data breaches and other cyber incidents, or create a way for employees to document their concerns about potential threats?

Next, your insider threat program should provide documentation that can be used throughout the organization, define data usage policies and outline the solutions that should be used throughout the company to protect corporate assets. Employees are more likely to follow rules if they understand why the rules are there and why their work might require oversight.

Finally, the ITP team should work with other stakeholders to create an incident response plan that lays out what to do if an employee has created an insider threat, how and when to handle behavioral conduct reviews, and what guidelines to follow when an employee leaves.

The more visibility you have into an employee’s behavior, duties and life circumstances, the better your chances become of understanding the intent behind their online conduct in the workplace. Building an insider threat program can give you the guidelines necessary to maintain oversight and address threats before they happen.
