Skip to content ↓ | Skip to navigation ↓

This article is part 3 of 3 in the “Insider Enterprise Threats” series, outlining effective policies and practices for combating insider cyber security threats (human behavior) to the modern enterprise.

Over the course of this series, we’ve broadly examined the dangerous but highly-overlooked cybersecurity threat of malicious insiders. As discussed, insiders can take the form of employees, contractors, or really anyone with legitimate and credentialed access to your data, systems and other digital services.

In the first article, we profiled these insider threats and analyzed their implications for user activity monitoring, whereas in the second article, we examined technical methods for securing technology itself against these threats. In this third and final piece, we’ll examine how to address and combat insider threats through monitoring non-cyber behavior and building a strong security culture.

How can Human Behavior be aligned to an insider threat?

As previously discussed, “regular” insiders may turn malicious for a variety of reasons. Rarely, however, do these causes originate in cyberspace; instead, it’s often the physical world that produces the trigger. It is therefore essential to monitor employee behavior outside of the cyber domain to better inform threat mitigation. (Many insider threat programs refer to this portion as “continuous and persistent surveillance.”)

Technology lowers the barrier to malicious insider activity. Stealing files on a USB drive, for instance, is less intimidating than stealing folders from a filing cabinet just as posting credentials on a website is easier than breaking into a locked office. Our risk perceptions are also fundamentally skewed in the cyber domain; because we lack a cyber lexicon and a historical understanding of cyberspace, our ability to reason logically and rationally is seriously inhibited the moment we’re in front of a screen. Those already at risk for physical malicious behavior are at an even higher risk for its digital counterpart, and those who normally might not act out can now pose a threat.

Solutions to Prevent Insider Threats

Monitor for issues outside of the workplace, taking note of family and personal problems, medical issues, financial challenges, and social media posts that are outside the norm. Supervisors, HR professionals, and counterintelligence/security staff, in particular, should pay attention to gradual changes in home and life situations. When a change is noted, this behavior will put the subject into a higher risk category for additional monitoring.

Don’t forget: when it comes to insiders, it’s more often a slow shift towards malicious behavior than a sudden “snap.” Financial problems are particularly relevant, as they (obviously) affect an employee’s risk of accepting bribes or selling information online and tend to come on gradually. However, the same could be said for personal issues like divorce, medical issues like a sick family member, or workplace disciplinary issues like a poor performance review. Insider threats are motivated by a complex variety of reasons, but the causes are more observable than we might think.

Begin this monitoring as early as the hiring process. Job candidates with histories of impulsive or destructive behavior should immediately raise flags during the search process. Particularly when it comes to cyber, committers of malfeasance or misbehavior are quite likely to repeat their behavior. Similarly, pay attention to contractors, about which there may be less directly-available information.

Also, monitor for employee issues within the workplace. Are employees disgruntled? Do they argue with coworkers? Are they suddenly underperforming or missing deadlines? Are they inexplicably absent for prolonged periods of time? These are just some behavioral warning signs that something may be wrong.

The same diligence applies to changes in employment status. Demotions, transfers, pay deductions, and terminations all temporarily elevate a given employee’s risk. Remember that an insider doesn’t actually have to be getting fired for them to pose an active threat; the mere perception of termination, demotion, or the like is often enough for an employee to act out. It’s quite common for employees leaving a company to take destructive action before their last day (i.e. stealing proprietary information or trade secrets).

Of course, saying that you’ll “monitor insiders” without any clear feedback and reporting mechanisms is pointless, so clearly communicate and consistently enforce security policies and controls. Educate employees on cybersecurity, paying close attention to how you frame related issues. IT employees will understand secure cyber behavior quite differently than a marketing team. Similarly, employees’ understanding of security’s importance will be different – the former, from a technical or risk management perspective, and the latter, from a public relations angle, to give just one example.

Along with this framing, don’t focus too heavily on the risk posed by insiders. While you should educate employees on this issue, excessive repetition of this fact will only foster distrust and undermine attempts at a security culture. Instead, draw attention to how employees can fight this threat, positively frame the need for awareness and assistance, and actively involve them in your cyber defense. After all, it’s often one insider who will notice another’s strange behavior.

Make reporting protocols robust, well-known and confidential, and even consider the cost-benefit of anonymous reporting. As reports come in, ensure that technical and human security protocols quickly kick into gear. Meticulously document your investigations and evidence collection, paying special attention to corporate policies and relevant statutes and regulations. And react quickly and responsively to contain active threats. Integration is critical in this respect.

Reporting doesn’t just have to be of specific incidents like someone using another’s computer while they’re away from their desk. Employees should also be able to report unusual behavior in general. Ego and self-image issues are an important component of the insider threat profile, so arguing with coworkers or strange mood swings are also relevant to this facet of cybersecurity. Remind employees: what they might not think is relevant might, in fact, be very important.

Insider threats to the modern enterprise are a serious risk but are considerably overlooked. Modern enterprises must combine technical and human monitoring protocols with regular risk assessments, human-centered security education, and a strong corporate security culture if they are to effectively address this threat. When it comes to cybersecurity, situational awareness, change management, constant vigilance, and total adaptability are a must.


Justin ShermanAbout the Author: Justin Sherman is a student at Duke University double-majoring in Computer Science and Political Science, focusing on all things cyber. He conducts technical security research through Duke’s Computer Science Department; he conducts technology policy research through Duke’s Sanford School of Public Policy; and he’s a cybersecurity contributor for the Public Sector Digest. Justin is certified in cybersecurity policy, corporate cybersecurity management, social engineering, infrastructure protection, insider threat prevention, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the U.S. Department of Homeland Security, and the U.S. Department of Defense.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.