Skip to content ↓ | Skip to navigation ↓

The outbreak of COVID-19 has led many businesses to transition a large number of employees to remote work. The shift could end up becoming a long-term trend; it’s expected to continue after the pandemic ends. Therefore, it is more important than ever to develop strategies for managing and responding to risks within your organization. Internal risk management procedures will need to adapt to the issue of insider threats, a challenge which is compounded by remote work.

Assessing Your Risk

There are several types of risk assessments that can help to protect organizations against insider threats. These assessments are relevant both for local and remote workers. But they become essential as you transition to a remote workforce.

List of risky insiders

Organizations need to identify key business processes and information assets, intellectual property rights and information that can be used for fraud. Next, they must map departments and users to assets in order to determine who can access them. The result will be a list of potential malicious insiders. Finally, the company needs to make sure that all of these internal employees actually need access to those key assets. If not, they should revoke access.

Single points of failure

In many cases, specific individuals approve critical business processes. Organizations can identify cases like this and check to see if they are warranted. What monitoring is needed to ensure that these processes are not interrupted by risky insiders? Subsequently, they can implement policies and procedures that ensure least privilege, separation of duties and two-person approval for improved integrity as well as resolve access control conflicts.

Vulnerability assessment

Organizations need to conduct an assessment intended to find organizational, behavioral and technical vulnerabilities that insiders can use to compromise an organization’s key assets.

How Can You Successfully Manage Risk from Remote Employees?

Managing internal risk in a corporate environment is inherently difficult. Even so, migrating to a remote workforce makes these challenges even worse. An insider risk management plan has four main goals: awareness, asset holders, visibility and protection. In a borderless workplace, traditional risk management practices must be adjusted and coordinated.

Training and Awareness

In a traditional workplace, employee training focuses on best practices for office environments. Employees learn how to detect anomalous behavior exhibited by colleagues as well as prevent common social engineering attacks. (See the U.S. Intelligence and National Security Alliance’s guidelines for insider threat training.)

In a remote workplace, training should emphasize:

  • Rules for accessing company information—Taking into account risks like fake hotspots, shoulder surfing, website and IP address spoofing
  • Handling corporate information outside the office—Printing, storing and transferring data
  • Safety and security of devices—Both personal and corporate
  • File sharing and transfer—Using cloud storage, file sharing sites, USB, emails or other mechanisms

You must provide a readily available hotline for reporting suspicious activity. In addition, you can set up a robust monitoring framework for identifying the anomalous behavior of insiders who access corporate assets remotely.

Asset Holders

In the traditional workplace, companies are the “asset holders” insofar as they are in possession of company equipment, IT infrastructure and physical facilities.

In a remote workplace, insiders are the “asset holders.” They possess personal and corporate devices, storage devices, cloud storage accounts, etc. Employees can work remotely and use multiple mechanisms for handling and storing assets. The risk model should include threats and vulnerabilities related to operations conducted with these assets outside the office environment.


In traditional workplaces, visibility is often limited to company-owned devices and actions that occur on networks and corporate facilities.

In remote workplaces, the organization must gain visibility over the movement, transmission and storage of data assets. To track the flow of data and assets outside the corporate network, organizations require governance and tooling.

Other steps should be taken to identify warning signs. Consider using openly available data sources such as social media to gain insights into behavioral triggers that might result in an insider threat. Establish a pipeline for continuous examination of remote workers as potential insider threats.


In traditional workplaces, the main priority is to control equipment and human endpoints. Organizations use various controls to learn of events taking place within the corporate network or physical facility.

In a remote workplace, controls are needed to manage access before a malicious event takes place. A special focus must be placed on encryption of data in transit to prevent malicious insiders from accessing data that was not explicitly intended for them.

Best Practices for Building an Insider Threat Program

As you build or revise your insider threat program for the new remote work environment, consider the best practices listed below.

Name your program carefully

Program terminology is as important as program design. Employees can resist the name “Inside Threat Program.” Choose a friendly name such as “Critical Asset Protection” or “Employee Protection Plan.” The message is that data and employees are equally important to your organization and that you want to protect them both. While this may seem trivial, well-named programs are widely accepted, and terminology is known to have a huge impact on program success.

Be transparent

Insider threat programs cannot be run only by IT security or management teams. They require collaboration from employees. Treat employees as partners in your plan. Let them know that they are trusted with the organization’s valuable assets but that there is a need for controls because of the security risks. Being transparent allows you to inform employees clearly about:

  • What behavior is monitored,
  • What constitutes a security violation,
  • What the result of a violation will be, and
  • What employee’s privacy rights are and how they are respected.

This approach allows employees to make the right decisions and take responsible action with respect to their own behavior and the behavior of their colleagues.

Explain benefits for employees

Employees need to understand the benefit of an insider threat program for them personally, not only for the organization. Data breaches can affect your organization’s financial stability and reputation. This will also have a personal impact on them and their colleagues.

With those costs in mind, following rules and expectations can help protect intellectual property and improve organizational performance. This helps them in terms of rewards, career development and other opportunities.

Prefer automated monitoring

Obviously, all internal threat programs are designed to identify anomalous behavior and take appropriate corrective action. It is also important to understand the true intent of these actions. Therefore, organizations need to invest in solutions, typically based on artificial intelligence and machine learning (AI/ML) that can automatically analyze user behavior, learn more about baseline behavior and identify anomalies in real time.

Traditional security systems may not report these indicators. It is no longer enough to know who accessed a specific dataset and when. You need an automated way to know why they accessed it and whether access is reasonable or not.

Gilad David MaayanAbout the Author: Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today, he heads Agile SEO, the leading marketing agency in the technology industry.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.