How to Identify and Mitigate Insider Threats
What Is an Insider Threat and Why Should You Care?
External threats like ransomware may get a lot of publicity, but the biggest risks to your organization could actually come from inside. An employee, contractor or business partner with authorized access to your data may present a more significant threat to the organization’s assets, intellectual property or operations than any external perpetrator. Worse, because these insiders may have your trust, their activities may escape detection for months or even years.
Individuals with access to sensitive information and knowledge of the corresponding processes may intentionally or accidentally cause harm to the organization’s data, systems or reputation. These are just a few of the risks your organization could face:
Financial loss including financial crimes, theft of intellectual property or loss of revenue due to system downtime.
Reputational damage if sensitive information or customer data is leaked or compromised.
Regulatory noncompliance, which may involve steep fines or legal penalties, from failing to adequately protect personally identifiable information (PII) or protected health information (PHI).
Steps to Protect Your Organization
Fortunately, there are steps you can take to protect your organization. A comprehensive, holistic insider threat mitigation program will provide the tools to help you identify, monitor and mitigate insider threats.
Indicators exist that can raise red flags and help you identify insider threats: behavioral changes, evidence of financial pressures, attempts to bypass established controls, unethical activities, and accessing buildings or applications outside normal business hours, to name a few.
You can combine these indicators with systematic controls to deter financial crimes, attacks and security breaches from people within your organization. Recommended preventive actions include implementing proper corporate governance, establishing robust internal controls, monitoring critical metrics, training employees and establishing incident response plans that include inquiries or internal investigations, if warranted.
Types of Insider Threats
This overview offers a starting point to help your organization identify and mitigate insider threats. Effective management of these risks first requires analyzing the specific risks your teams face, identifying potential gaps and tailoring a program to the threats most relevant to your organization. Insider threats can take several forms:
1) Financial Crimes and Theft of Intellectual Property
When speaking of insider threats, a financial crime is the unauthorized or illicit use of an organization’s money or other property with the intent to improperly benefit from it. Examples include identity theft, money laundering, forgery, tax evasion, bribery, embezzlement and fraud.
Theft of intellectual property refers to the appropriation through illegal means of an organization’s ideas, inventions, trade secrets, customer lists, secret recipes, proprietary methods or proprietary products. Such crimes can be more damaging than financial theft due to the potential high value of these assets stored in electronic data files. This information is readily available to an insider with the proper level of access.
2) IT and Cyber Threats
These threats can include theft of information or anything related to technology, computers or a broad range of electronic devices, especially those that are readily accessible by personnel with the proper access rights. They include any kind of malicious activity that attempts to collect, disrupt, deny, degrade or destroy information system resources or the data itself. Threats can be perpetrated with techniques such as viruses, data breaches, malware, unpatched software vulnerabilities or ransomware. (Ransomware is a form of malware designed to encrypt files on a device, rendering systems and files unusable. Malicious actors then demand ransom in exchange for decryption.)
3) Violence
Violence includes any threatening behavior in the workplace that creates a hostile environment. It could start with threats followed by a physical attack intended to damage an organization’s infrastructure, equipment, buildings, inventory or other resources, and could also involve physical harm to other employees or visitors.
4) Espionage
Not just a problem for governments, espionage involves spying on a competitor, organization, foreign government or person to covertly or illicitly obtain confidential information, trade secrets or proprietary information for financial, military, political or strategic advantage. The targets of espionage often include offices of governments or organizations with access to valuable information such as scientific, technical, economic or engineering methods or techniques. Espionage could also involve private entities with similar information that could be monetized or leveraged by competitors or other entities.
5) Sabotage
Sabotage includes actions perpetrated by insiders to damage an organization’s physical infrastructure, contaminate spaces or cause an equipment failure. Such actions could result in delayed product roll-outs, expensive repairs, lawsuits from affected parties or reputational damage.
Manage Insider Threats with a Risk Management Framework and Culture of Compliance
The COSO Framework as a Starting Point
The Treadway Commission’s Committee of Sponsoring Organizations (COSO) created a framework for designing and managing internal controls. Organizations can take advantage of the COSO framework to design and implement internal controls that suit their evolving operations, technologies and risks.
While the COSO framework is a good starting point to identify, mitigate and monitor some of the risks associated with insider threats, it cannot replace a robust corporate compliance program designed specifically to address financial crimes, theft of intellectual property and cybersecurity attacks.
Recent DOJ Guidance on Corporate Compliance and Risk Assessments
Consider using the 2023 guidance from the U.S. Department of Justice (DOJ) on corporate compliance, which places risk assessments in the spotlight. The DOJ asks three overarching essential questions:
Is the compliance program well designed? Risk assessments are key to answering this first question.
- Be able to articulate resource allocation decisions based on actual risk faced by the organization
- Provide measures to show effectiveness of training and communications efforts
- Show real actions and consequences for third-party due diligence and investigations
Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Be able to demonstrate concrete actions by management showing adherence to the program
- Be able to provide evidence of consistent program application “earnestly and in good faith”
- Show reasonable commitment of resources to monitor implementation
Does the corporation’s compliance program work in practice?
- Be able to show thoughtful and honest root-cause analysis for violations
- Be able to defend decision-making rationales
- Demonstrate self-evaluation and programmatic changes following misconduct
In summary, you need to have a sound framework in place and a robust corporate compliance program tailored specifically to the risks that matter most to your organization. Review your compliance program and update it on a recurring basis to ensure it addresses evolving risks.
Examples of General Mitigation Activities
Identifying and mitigating insider threats requires a comprehensive approach that involves multiple controls and strategies. These are some examples of activities you could implement to reduce the risk of improper activities committed by insiders:
Employee Screening: Conduct background checks — including criminal history checks, credit checks, employment history checks, and analysis of social media — before hiring new employees and regularly after they are employed. Such checks can help identify past or current behavior that could indicate a potential risk such as financial pressures, evidence of conflicts or anger over the workplace, and personal issues. Consider running background checks at least once a year for employees with access to sensitive information (financial data, personally identifiable information, trade secrets, etc.). The checks should be performed in consultation with qualified legal counsel to ensure compliance with applicable laws and regulations.
Segregation of Duties: By separating duties, you make it harder for an employee to commit fraud or other damaging acts. While proper segregation of duties is more difficult to accomplish in smaller organizations, there are ways to accomplish the goal, such as additional supervision or sign-offs.
Regular Monitoring: Implement a system of regular monitoring and evaluation of your internal controls and surveillance procedures to ensure they are effective at mitigating evolving threats. Monitoring helps detect anomalies or inconsistencies that may indicate financial crimes or other potential threats. The appropriate frequency of the evaluations of your internal controls should be determined based on your facts and circumstances.
Security Measures: Install security measures such as access controls, alarms and surveillance cameras to protect physical assets and sensitive information.
Code of Conduct: Establish a code of conduct that outlines the expected behavior of employees and the consequences of violations. Make sure all employees are aware of the code of conduct and understand it. Taking proper disciplinary actions against employees regardless of level or seniority and “tone at the top” (i.e., leaders who do not tolerate dishonesty or poor ethics) are examples of critical elements in the code of conduct.
Training and Awareness: Provide regular training to employees on fraud prevention, cybersecurity and other topics such as preventing a hostile work environment. Consider providing training and support resources to treat anger management, depression and other mental health issues. Training and ongoing communications will help ensure that employees are aware of the risks and the supports available to them.
Reporting Mechanisms: Establish a system for employees to report suspicious activity, such as a fraud hotline or whistleblower program. Provide appropriate protections to whistleblowers. This will increase the probability that issues are identified and addressed promptly.
By implementing these activities, organizations can reduce the risk of financial crimes and other insider threats, while also promoting a culture of integrity and accountability.
Indicators of Financial Crimes and Theft of Intellectual Property
A robust insider threat mitigation program, as recommended by CISA, requires a combined effort on several fronts, including improvements to physical security, training and monitoring of employees’ activities (particularly of those with access to highly sensitive information).
This holistic approach is consistent with the overall COSO principles and the DOJ Guidance on Corporate Compliance; all three programs are based on a principle that risk management works best as a comprehensive, organization-wide program, rather than spotty, isolated efforts.
The following red flags are examples of behaviors or events that could be associated with financial crimes and theft of intellectual property. The list below shows common indicators; however, you should consider any risks or circumstances unique to your organization. We also provide examples of threat indicators at the overall organizational level.
Examples of Red Flags Indicating Pressures to Commit Financial Crimes
Personal:
- Financial need
- Addiction (drugs, alcohol, gambling, etc.)
- Break-up or divorce
- Unmet expectations relating to role, responsibility, recognition or compensation (i.e., employee dissatisfaction)
- Legal problems
- Termination
- Not taking days off
- Personal spending or living standards inconsistent with compensation
- Close association with vendors, customers, distributors, agents or other third parties
- Changes in work habits (e.g., dress, personal hygiene, attitude with co-workers)
- Unexplained sources of sudden wealth
- Pressuring others to circumvent internal controls or not to comply with the code of conduct
- Retaliation against employees who report misconduct of others in the workplace
- Unnecessary lack of transparency or defensiveness when auditors or other appropriate parties inquire about job functions
Background:
- Engagement in activities that may represent a conflict of interest with the organization
- Multiple short-term employments
- Spending exceeds income
- Criminal record
- Concerning business relationships
- Social/professional network concerns
Examples of Red Flags for Theft of Intellectual Property
- Unwillingness to comply with established rules, procedures or organizational policies
- Excessive or unexplained use of copy equipment (scanner, copy machine, cameras)
- Making unapproved contacts with competitors or business partners
- Discussions of new opportunities or resigning from current position
- Excessive overtime work, or working odd or late hours without reason or authorization
- Bringing personal equipment (e.g., phone, camera) into high-security areas
- Repeated breaches of rules, procedures or organizational policies
- Exploitable behavior (including excessive gambling, sexual misconduct, drug and alcohol use, or criminal activity)
- Excessive volunteering that elevates access to sensitive systems, networks, facilities, people or data
- Financial difficulties or unexplained financial gains
- Taking multiple, short, unexplained trips outside the U.S.
- Efforts to conceal foreign travel and contacts
Examples of General Organizational Threat Indicators
- High-stress environment
- Toxic leadership
- Inconsistent enforcement of policies
- Inaction following notification of grievance, threat, or increased risk
- Overly aggressive reaction following notification of threat
- Inappropriate disciplinary action
- Bureaucratic compartmentalization of information
- Lack of understanding or awareness regarding insider threat risk
- Heightened uncertainty — financial or contractual
- Recent merger/acquisition
- Lack of risk assessment process
- Apparent indifference to complaints of corporate misconduct
Indicators of IT and Cybersecurity Attacks
Following are some ideas for monitoring insider activity and detecting IT and cybersecurity attacks. Specialized software tools can store data sets such as access logs, user permissions, network activity, etc., for subsequent analysis to detect behaviors indicative of insider threats. The best cybersecurity approach combines automated software with human oversight and evaluation.
Examples of activities to identify high-risk indicators of IT and cybersecurity attacks include:
- Mapping user privileges against their actual access to identify potential gaps (e.g., unneeded permissions or borrowing user credentials)
- Identifying when sensitive data is accessed and by whom
- Flagging large downloads, file transfers or other forms of data extraction
- Identifying users who access or manipulate information outside the scope of their permissions, authority, portfolio or need-to-know
- Discovering malware or compromised accounts
- Monitoring of e-mails and other methods of communication and flagging for certain keywords
- Direct correspondence with competitors
- Email messages with abnormally large attachments or amounts of data
- Domain Name System (DNS) queries associated with Dark Web activities
- Use of activity-masking tools (e.g., virtual private networks [VPN] or the Onion Router [Tor])
- Downloading or installing prohibited software
- Unexpected activity outside of normal working hours
- Attempts to bypass or disable malware protection tools or security controls
- Unauthorized attempts to escalate permissions or privileges
- Insider attempts to access resources not associated with that person’s normal role
- Attempting to print or copy protected or restricted documents
- Abnormally large number of software or operating system errors
- Connecting an unauthorized device to the network or attaching an unidentified device to a workstation (USB, external hard drive)
- Copying large numbers of documents to a local drive
- Maintaining access to sensitive data after termination notice
- Different users attempting to log in from the same workstation or device
- User account used from multiple devices
- Multiple accounts identified for a single user
- Lack of log messages or monitoring data
- Unauthorized modification of centrally stored files
- Authentication failures or failed login attempts
- Unauthorized configuration file changes or permission changes
- Unauthorized database content changes
- Irresponsible social media habits
- Undertrained staff (particularly in cybersecurity, audit or other corporate compliance function)
Metrics to Monitor
As your insider threat mitigation program evolves, consider implementing technology and repeatable processes to track the identification and the disposition of activity (focusing on individuals with access to sensitive data) related to the following metrics:
| Data Source | Frequency of Reporting | Metric |
|---|---|---|
| Remote access logs | Exception basis | High-risk patterns in network activity such as access from locations where the organization does not conduct business or authentication failures |
| Background check data | Exception basis | Red flags in pre-employment screening data |
| External storage device exceptions | Exception basis | Trend report and specific exceptions granted to connected external storage devices, including the rationale of the business need |
| Building access | Exception basis | Employees’ or contractors’ access to the building outside business hours, holidays or other unexpected times |
| E-mail communications | Weekly | Volume and matches with high-risk behavior keywords |
| File downloads | Weekly | File downloads to detect high frequency or high volume of data |
| Intranet traffic | Weekly | High-risk behavior such as high level of internet use or traffic |
| Activity logs | Weekly | Anomalous activity in proprietary business applications or platforms |
| Database activity logs from critical applications | Weekly | Results of scanning of logs from critical applications (e.g., HR, Accounting, Sales) |
| Disciplinary actions | Monthly | Statistics of disciplinary actions or policy violations; determine if there is a pattern to the nature of the complaints |
| Employee performance evaluations | Monthly | Employee performance reports (e.g., poor performance, unethical activities, hostile behavior) |
| Travel expenses and travel records | Monthly | Summary stats by employee (e.g., travel records, travel locations, expense reimbursements, number of rejected expense reimbursements) |
| Printing and scanning activity | Monthly | Trend analysis highlighting spikes in volume of printing and scanning by individual employees or contractors |
You can either build dashboards in-house or look for existing commercial software designed to track insider threat activity.
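As an added example (not part of the original article or of Weaver's downloadable tool), the following Python script implements several of the IT indicators listed earlier and the exception-basis remote-access metrics in the table above: after-hours activity, access from a location where the organization does not do business, one account used from multiple devices, one workstation used by multiple accounts, high-volume downloads and repeated authentication failures. The space-separated log format, the sample log lines, the business countries and every threshold are constructed assumptions; tune them to your own facts and circumstances.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real data), one event per line:
# timestamp user device country event bytes
SAMPLE_LOG = """\
2023-09-04T09:12:00 alice WS-101 US login 0
2023-09-04T09:15:00 alice WS-101 US download 12000000
2023-09-04T22:40:00 bob WS-202 US login 0
2023-09-04T22:45:00 bob WS-202 US download 750000000
2023-09-04T23:05:00 bob WS-202 US download 900000000
2023-09-05T10:00:00 carol WS-303 US login 0
2023-09-05T10:02:00 carol LAPTOP-9 RU login 0
2023-09-05T10:30:00 dave WS-303 US login 0
2023-09-05T11:00:00 erin WS-404 US login_failed 0
2023-09-05T11:01:00 erin WS-404 US login_failed 0
2023-09-05T11:02:00 erin WS-404 US login_failed 0
"""

# Assumed thresholds; set them from the organization's own risk assessment.
BUSINESS_COUNTRIES = {"US", "CA"}       # where the organization conducts business
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 local time, Monday to Friday
DOWNLOAD_BYTES_PER_DAY = 1_000_000_000  # 1 GB per user per day
FAILED_LOGINS = 3                       # authentication failures per user


def parse_log(text):
    """Parse the space-separated log format above into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, device, country, event, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "device": device,
                       "country": country, "event": event, "bytes": int(nbytes)})
    return events


def find_indicators(events):
    """Return each indicator with the users, devices or days that tripped it."""
    after_hours, non_business = set(), set()
    user_devices, device_users = defaultdict(set), defaultdict(set)
    daily_bytes, failures = Counter(), Counter()
    for e in events:
        ts = e["ts"]
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:   # weekend or off-hours
            after_hours.add((e["user"], str(ts.date())))
        if e["country"] not in BUSINESS_COUNTRIES:
            non_business.add((e["user"], e["country"]))
        if e["event"] == "login":
            user_devices[e["user"]].add(e["device"])
            device_users[e["device"]].add(e["user"])
        elif e["event"] == "login_failed":
            failures[e["user"]] += 1
        elif e["event"] == "download":
            daily_bytes[(e["user"], str(ts.date()))] += e["bytes"]
    return {
        "after_hours_activity": sorted(after_hours),
        "non_business_location": sorted(non_business),
        "account_on_multiple_devices": sorted(u for u, d in user_devices.items() if len(d) > 1),
        "device_shared_by_users": sorted(d for d, u in device_users.items() if len(u) > 1),
        "large_downloads": sorted((u, day, n) for (u, day), n in daily_bytes.items()
                                  if n >= DOWNLOAD_BYTES_PER_DAY),
        "repeated_auth_failures": sorted(u for u, n in failures.items() if n >= FAILED_LOGINS),
    }
```

Calling `find_indicators(parse_log(SAMPLE_LOG))` returns one entry per indicator; a real deployment would feed the same functions from the remote-access and file-download sources in the table and route non-empty entries to the exception report.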
Conclusion
Preventing financial crimes, theft of intellectual property, cybersecurity attacks and other IT threats requires a comprehensive approach using multiple controls and strategies. This overview and the downloadable tool explained below are just a starting point.
An effective strategy to identify and mitigate risk requires a holistic analysis of the current environment to determine potential weaknesses, then updating your policies and procedures to close any gaps. This process should be repeated regularly to ensure your organization is prepared to address constantly changing threats.
Several sources of information are publicly available to expand on the information provided herein. A few of these sources are:
- Committee of Sponsoring Organizations of the Treadway Commission
- Corporate Enforcement, Compliance, and Policy Unit (Corporate Enforcement Updates)
- Cybersecurity & Infrastructure Security Agency (CISA) Insider Threat Mitigation
- Association of Certified Fraud Examiners (ACFE) Fraud Resources Library
A Tool to Help You Identify and Mitigate Insider Threats
Weaver has provided a downloadable tool to help you begin addressing insider threats. This Excel template will help you identify and mitigate threats such as:
- Financial crimes (personal and background indicators)
- Theft of intellectual property
- Organization-level indicators
- IT and cybersecurity attacks
The first tab, “Insider Threat Matrix,” provides a list of insider threat indicators and examples of activities to mitigate the threat.
Detailed descriptions of each “Organizational Level Activity” are provided in Tab 2, and explanations of the recommended data analytics techniques in Tab 3. You can use these activities and data analytics techniques to improve your processes, mitigate threats and close gaps.
©2023