Recognizing and dealing with insider risk

I came across an interesting white paper from the deep mists of the past (2011) which is as relevant today as it was back when it was written (probably on a steam-powered word processor).

Published by Symantec, the paper talks about the characteristics of employees at risk for insider IP theft, their motivation and psychology, and how organizations can detect them and react appropriately. Most definitely worth a read: understanding the psychology of attackers, whether inside the organization or outside, is key to detecting and defeating them.

The paper has some great insights into the types of employees who may be more likely to be involved in insider incidents, as well as how and why they steal information. It also provides a list of high-risk factors to look out for; some of these can be integrated into routine security monitoring. It is informative reading for any security professional.

Some thoughts: since this paper was written, there have been many advances in automated analysis of electronic communications using artificial intelligence to look for sentiment, intent, emotion and other indicators of a disgruntled employee. You can try examples of these types of programs on text of your choice here:

This kind of analysis raises questions: how accurate are the algorithms? Is this kind of analysis a legitimate way for companies to monitor employees? How will employees react to this kind of scrutiny? Answering these questions will take time (and probably court cases). I would be very wary of implementing this type of monitoring before they are answered.

Another way to address the differing levels of insider risk would be to work with your HR department on an enhanced risk scale for problems that have been escalated. Factors which might boost an employee's risk score:

  • Negative performance review
  • Getting a formal HR warning
  • Demotion
  • Pattern of policy violations
  • Giving notice

You don't really need the details of the issue, just that there is an issue and its magnitude. Monitoring user behavior is time consuming; you don't want to spend that time on low-risk employees when you have a list of higher-risk employees who merit attention. Of course, this is a reactive control rather than a predictive one: it will not surface employees who have not yet come to the attention of HR.
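To show what such a risk scale looks like when it is turned into something a monitoring team can act on, here is an added example (my own illustration, not code from the post or from the Symantec paper). It takes the kind of minimal feed HR could hand over, just a category, a date and a 1-3 severity with no details, scores each employee from the five factors above, lets old incidents fade with a half-life, treats repeated policy violations as a pattern, and keeps a pending resignation at full weight. It also lets you restrict the list to a set of high-access roles, which is the scoping the final thoughts below suggest. The weights, the 90-day half-life, the three-violations-in-180-days pattern rule, the threshold and the sample events are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Hypothetical weights for the HR factors listed in the post. Illustrative
# numbers only; they come from neither the post nor the Symantec paper.
FACTOR_WEIGHTS = {
    "negative_review": 2,
    "hr_warning": 3,
    "demotion": 4,
    "policy_violation": 2,
    "notice_given": 5,
}

# Assumed tuning: how fast an old incident stops mattering, how many policy
# violations in what window count as a "pattern", and the bonus it earns.
HALF_LIFE_DAYS = 90
PATTERN_WINDOW_DAYS = 180
PATTERN_MIN_VIOLATIONS = 3
PATTERN_BONUS = 3


@dataclass(frozen=True)
class HREvent:
    """One escalated HR issue. Only the category, the date and HR's own
    1-3 severity rating are recorded; the details stay with HR."""
    employee: str
    factor: str
    when: date
    magnitude: int = 1


def event_score(event: HREvent, today: date) -> float:
    """Weight times magnitude, decayed by age with a fixed half-life.
    Giving notice is a current state rather than a past incident, so it
    is not decayed for as long as it is on the feed."""
    if event.factor not in FACTOR_WEIGHTS:
        raise ValueError(f"unknown factor: {event.factor}")
    base = FACTOR_WEIGHTS[event.factor] * event.magnitude
    if event.factor == "notice_given":
        return float(base)
    age_days = max(0, (today - event.when).days)  # future-dated rows count as today
    return base * 0.5 ** (age_days / HALF_LIFE_DAYS)


def risk_scores(events: Iterable[HREvent], today: date) -> dict:
    """Total decayed score per employee, plus a bonus for a pattern of
    policy violations inside the window."""
    scores: dict = {}
    violations: dict = {}
    for ev in events:
        scores[ev.employee] = scores.get(ev.employee, 0.0) + event_score(ev, today)
        if ev.factor == "policy_violation" and (today - ev.when).days <= PATTERN_WINDOW_DAYS:
            violations[ev.employee] = violations.get(ev.employee, 0) + 1
    for emp, count in violations.items():
        if count >= PATTERN_MIN_VIOLATIONS:
            scores[emp] += PATTERN_BONUS
    return scores


def watchlist(events: Iterable[HREvent], today: date, threshold: float,
              privileged=None) -> list:
    """Employees at or above the threshold, highest score first. If a set of
    privileged accounts is given (sysadmins, finance, ...), only they are
    considered; everyone else is left out of the monitoring queue."""
    scores = risk_scores(events, today)
    ranked = [(emp, round(score, 2)) for emp, score in scores.items()
              if score >= threshold and (privileged is None or emp in privileged)]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


TODAY = date(2024, 6, 1)

# Constructed sample feed in the shape HR might export: who, what, when, how bad.
SAMPLE_EVENTS = [
    HREvent("alice", "negative_review", date(2024, 6, 1)),
    HREvent("alice", "hr_warning", date(2024, 6, 1), magnitude=2),
    HREvent("bob", "policy_violation", date(2024, 6, 1)),
    HREvent("bob", "policy_violation", date(2024, 5, 20)),
    HREvent("bob", "policy_violation", date(2024, 4, 15)),
    HREvent("carol", "demotion", date(2024, 3, 3)),   # 90 days old: half weight
    HREvent("dave", "notice_given", date(2024, 5, 25)),
]

if __name__ == "__main__":
    for emp, score in watchlist(SAMPLE_EVENTS, TODAY, threshold=4):
        print(f"{emp:8} {score:5.2f}")
    print("privileged only:", watchlist(SAMPLE_EVENTS, TODAY, 4, privileged={"alice", "carol"}))
```

With the sample feed, bob's three violations plus the pattern bonus put him at the top, alice's fresh review and warning come next, dave's pending resignation stays at full weight, and carol's demotion has already decayed below the threshold. Restricting the list to the privileged set drops bob and dave even though they score higher; that is the point of scoping, not a defect. The decay parameters are the part worth arguing over with HR, since they decide how long an old warning keeps someone on the list.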

Some final thoughts:

Not every organization is going to want to implement this type of program; it may not be compatible with your corporate culture or appropriate to the level of risk and regulation you face. The level of risk (and the cultural acceptance of this type of monitoring) would be much higher in a defense contractor, financial, legal, healthcare, or other heavily regulated firm than in an ad agency or other services firm.

It may also not be something needed across the organization; it could be applied exclusively to people with high levels of system and data access, such as sysadmins, finance staff, etc.

You also need to make sure that people know that their electronic communications are the property of the organization and are subject to monitoring and review.

Finally, in some jurisdictions, you may not be allowed to perform this type of analysis – always check with the lawyers and HR before implementing ANY type of employee behavior monitoring.

I hope that companies think carefully before implementing this kind of monitoring; there are a lot of questions that need to be answered before it can be done fairly.
