To do so, you need a method for monitoring user activities and behaviors. High-risk level positions should be actively
monitored. This means collecting and retaining data on user activities and behaviors, receiving and reviewing reports
that summarize that data, and, in the case of the highest risk positions (highly privileged users) spot-checking their
activity from time to time.
Lower risk positions are not without risk. They may be without known risk. Did you know that 77% of employee fraud
occurs in one of the following 6 departments: Accounting, Operations, Sales, Senior Management, Customer Service,
and Purchasing. Not many companies assign high-risk ratings to Customer Service. But there is still risk.
These lower risk positions should be passively monitored. This means collecting data on user activities and behaviors,
scanning it for signs of insider risk / threat, and alerting when those signs are detected.
Assessing positional risk, assigning risk levels, and aligning appropriate levels of scrutiny are 3 keys steps to improving
security against insider threat that should be taken at the beginning of the employee life cycle.
We’ve talked about the beginning of the employee life cycle. For simplicity, we break the life cycle into 3 main parts –
beginning, middle, and end. Now let’s look at what is typically the longest portion of the life cycle – the middle.
Continuous Risk Requires Continuous Mitigation
To this point, we have been focused on positional risk. Because people occupy positions, we need to look at “people
risk” and how that has the potential to alter your risk levels.
Facts are still stubborn things. And the fact is, Insider Risk does turn into Insider Threat. Not always and not
everywhere, but enough that steps have to be taken to protect your organization. “They didn’t get through the
perimeter” is no consolation when an organization suffers financial or reputational losses stemming from an insider
One of the leading causes of Insider Threat is the disgruntled employee. Employees become disgruntled for many
reasons. This can range from a perception that they are being treated unfairly by their boss, through poor annual
reviews, smaller than expected pay increases, failure to secure a promotion, and being put on a performance plan.
A co-worker being let go, or rumors circulating about potential staffing changes, are also known triggers of employee
Key Questions to answer about your insider risk level
Do you alter your internal security during periods of elevated risk? Are you aware of all of the factors that may
contribute to elevated risk?
While surveys have shown that as many as 50% of organizations are taking steps to increase internal security at times,
that leaves fully ½ of organizations without a plan or process to effectively deal with elevated insider risk. And very
few organizations have the information sharing in place to insure that the people directly charged with keeping the
organization secure have the knowledge they need to do their jobs.
Enhance monitoring of employees when they are involved in personnel issues, during times of corporate uncertainty,
and when “outside factors” exist that are known to drive insider threat behaviors. Put your risk level rating system to
Earlier in the paper we discussed how taking the time to install a risk level rating system would pay dividends down
the road. This is one of those times. Human Resources, or business line managers, are privy to information that
Information Security folks do not have access to. For example, when 1 employee is promoted, how many people know
who else from within the company applied for the promotion and are now potentially disgruntled because they did
not get it? How does Information Security know that a sales rep is on performance plan? They don’t, and shouldn’t
know. They should, however, know that there is elevated risk associated with the person in a position. This information
is easily transmitted from HR or the business manager to Information Security by using the risk level system.
“Please elevate the risk level associated with “Joe” from “4” to “8.”
Because Information Security knows that they monitor risk level “8” differently, and likely more actively, than risk
level “4,” they know exactly what to do. After a period, when it’s clear that elevated risk is not translating into threat,
a simple “revert to ‘4’” is all that’s needed.
This system allows for Human Resources to elevate the risk level when outside factors exist as well. It’s been proven
that personal financial difficulties are a precursor to employee fraud and theft. HR sees things like hardship 401k
withdrawals, mandatory payroll deductions caused by unpaid debts, etc. Giving HR a way to communicate elevated
risk, without breaching employee privacy, is a powerful tool in improving security against insider threats.
There are certainly factors beyond employee disgruntlement that contribute to insider threat behaviors. By employing
a risk rating, and aligning monitoring strategies to that risk rating, you are putting in place a combination of tools and
process that improve the ability to deal with both positional risk and people risk.
While the middle segment of the employee life cycle is typically the longest, it is not the highest risk.
The High Risk Exit Period
When an insider decides to leave an organization, or believes that they are going to be made to leave the organization
– that’s when risk is the highest.
1 out of 2 employees surveyed stated they think it is OK to take corporate data with them when they leave.
18% of employees admitted to stealing corporate intelligence. If 18% admit it ...
IT sabotage by outgoing administrators is a recurring theme in the news.
Bad things happen when people leave. Especially if they are being forced out, or suspect they may be forced out.
Here again, the risk level system and aligned monitoring strategy pay dividends.
Key Questions to answer during the High Risk Exit Period
Are you reviewing the activities of existing employees for IP Theft or other insider threats? Is your Information Security
team in the loop about impending departures early enough?
If your answer to either of these questions is “No” or “I don’t know,” you may have a problem. IP Theft is one of the most
damaging. Most costly forms of Insider Threat, and it occurs most frequently during the high risk exit period.
Review the online and communications activity and behaviors of all departing employees for the 30-day period
leading up to their notice of resignation, or their date of termination.
There is simply too much at stake not to take this simple step. While the effort may be daunting if you have not
prepared for it, organizations that employ tools that collect user activity and behavior data are well positioned to
handle this critical security task. Whether the employee was being actively monitored or passively monitored,
a record of all of their activity exists for quick review.
Inform Information Security as soon as you become aware of a resignation, or prior to a termination decision
being acted on.
Tools and processes are maximally effective when the experts who use them have adequate time to react. Often,
Information Security is told an employee is leaving on, or close to, the date of departure. By the time they are able
to complete their security review, the insider may be gone and the damage may be done. Here again, the risk rating
system comes in to play. We’ve used a simple 1-10 scale to represent a risk rating system in this paper, with 10
being the highest risk designation. When a departure is known or suspected, HR or the business manager should
immediately communicate to Information Security that the risk level is “10” for that employee. That should trigger an
immediate review of the past 30-days of activity. While this is occurring, HR can review confidentiality agreements
and IP agreements with the departing employee, reminding them of their obligations and asking them to confirm
that they have destroyed any corporate data they may have taken off the network. This discussion can have a powerful
deterrent effect, and when conducted in conjunction with a review of departing user activity, goes along way towards
mitigating a serious insider threat.