Sometimes, it only takes one moment — one life-changing incident — for the most trustworthy employee to become an insider threat.

As Nick Cavalancia, founder of Microsoft MVP, observed at Spiceworld 2019, malicious user behavior is all about intent. Coming up with the best approach to addressing insider threats means understanding the reasons behind intent. When you understand why someone would go from a highly rated employee to a potential criminal or serious threat to your company’s well-being, you can design a threat prevention program that will actually work.

What’s Behind Intent?

To recognize the motivators behind malicious user behavior, leadership must be in tune with their employees throughout the entire cycle of employment. That’s easier said than done, since many employees prefer to keep their personal lives separate from their work lives, especially if they believe a life-altering event could jeopardize their job. They might not be quick to talk about a family member having cancer or their ongoing fertility treatments or that they need to bail out a relative in financial crisis. Nor does leadership always know when there’s trouble bubbling up inside the workplace. For example, a junior staffer seeing their manager take all the credit for completed work or a perception of favoritism can create a hostile work environment.

These situations are part of everyday life. Not everyone is going to be happy at work, and there will naturally be outside influences that create hardship. But sometimes things get so bad that the employee feels desperate and does something out of the ordinary that makes them an insider threat. Often, said Cavalancia, this malicious behavior is difficult to detect because it looks like the person is just doing their job.

That’s why circumstantial shifts in human behavior need more attention. When we talk about potential threats (even ones that originate from the inside), there may be a tendency to think of individuals spreading malware or causing data breaches by mistake, but threats caused by circumstance can also cause serious damage to the company from the inside. Threats of this kind must be identified and addressed just like any other.

Employee Risk Assessment Profiles

You don’t know when (or if) something bad is going to happen to an employee, but it is possible to create a risk assessment profile on each person in the company. It’s a matter of looking at where the greatest risk is at any given time, not who could become the greatest threat. Anyone building a risk assessment profile should consider the following:

  • What is the person’s position within the company? The higher their rank, the more access they’ll have to corporate data, financials, intellectual property and other sensitive information.
  • What department do they work in? It’s important to know what type of data they have regular access to.
  • What type of administrative access do they have, and is it permanent access or limited? The more admin access one has, the more they can do without detection.

If you want to go more in-depth on risk assessment, you can add questionnaires to determine how employee access is being supervised, the exact type of access they have and how frequently they rely on remote access. With this information, you can build a robust risk assessment profile that shows the level of monitoring that would be appropriate for an individual or department — while still respecting employees’ right to privacy, of course. This can help highlight any changes in habit and help indicate potential malicious behaviors.

Start Building an Insider Threat Program

A risk assessment profile helps you determine where potential threats may happen. It may even help you narrow down threats to individual employees based on what’s known about their job duties and life circumstances. But knowing where threats are is only part of the solution. Risk assessment profiles are also critical to putting together an insider threat program (ITP) team.

The ITP team’s first task is to define what your company considers insider risk. This will be unique to each company, but you can’t defend against a threat unless you can pinpoint what it is. Along that line, you should also determine which assets have real value and need protecting. Your ITP team will then be able to develop the goals of your threat program. Is the goal to identify where the greatest insider threats are, or to track down the source of data breaches and other cyber incidents, or create a way for employees to document their concerns about potential threats?

Next, your insider threat program should provide documentation that can be used throughout the organization, define data usage policies and outline the solutions that should be used throughout the company to protect corporate assets. Employees are more likely to follow rules if they understand why the rules are there and why their work might require oversight.

Finally, the ITP team should work with other stakeholders to create an incident response plan that lays out what to do if an employee has created an insider threat, how and when to handle behavioral conduct reviews, and what guidelines to follow when an employee leaves.

The more visibility you have into an employee’s behavior, duties and life circumstances, the better your chances become of understanding the intent behind their online conduct in the workplace. Building an insider threat program can give you the guidelines necessary to maintain oversight and address threats before they happen.

More from Data Protection

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates.Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?[button link=""…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read