In this whitepaper, I discuss the different warning signs of an Insider Threat that tend to manifest in non-technical form. These early warning signs are the indicators that you will need to carefully notice.
#1 • ARGUMENTATIVE AND ABUSIVE BEHAVIOUR
An individual with argumentative personality that causes disruption in the workplace may be exhibiting risky behaviour. These individuals may isolate themselves from others and reject social interaction with their co-workers. Of
greater concern, they may also reject supervisory direction or counselling aimed at addressing their disruptive behaviour.
Some people use aggressive behaviour and believe they are being assertive. This may be due to a lack of self-confidence or self-worth, or it could be due to conditioning in the way they were brought up. Some people are not aware that they are perceived as aggressive
INDICATORS TO WATCH
• Signs of temper and frustration;
• Excessive use of profanity, bad language
• Verbally complain about the organisation;
interested in voicing their opinion;
• Chronic blaming, others are always at fault;
• Closed to other opinions, rarely consider
anyone else’s view and may even feel
• Not concerned about how their actions may
• Controlling or interested in being the one in
charge, and interested in power over others;
• Hard on machinery and equipment, office
#2 • DISGRUNTLED BEHAVIOUR
Employees (or former employees) who feel unfairly treated, resentful or have a “chip on their shoulder” could seek revenge by acting out against their company, co-workers, partners, or customers.
The employee may have a grievance pending or a history of filing grievances. These employees tend to blame others for the results of their own actions and refuse to accept responsibility. Their perceived mistreatment or bias could ignite violent behaviour.
One in four full-time workers have been harassed, threatened or attacked. Of that group, co-workers were most often harassed, followed by customers.
An employee may express outrage and blame of others through direct or indirect threats. They use direct intimidation, verbal and written threats to
create fear, stress and anxiety in their targets.
Here are examples of direct and indirect threats:
INDICATORS TO WATCH
• General tardiness (late to work; making more
mistakes; constantly missing deadlines);
• Frequent conflicts with colleagues
• Verbal or physical abuse in the workforce;
• Unmanaged anger or stress; signs of
agitation, impulsiveness, physical and
manhandling their equipment; damaging
• Paranoia; they suspect that others are
conspiring against them. Look for signs that
they feel “unappreciated” by the organisation;
• Bullying behaviour; and
• Threats against colleagues and others.
This could be verbal and physical threats.
According to the Insider Threat Division of CERT, of those who committed Insider Threat Sabotage, 30% had a personal disposition of previous arrest, 18% for violent offenses, and 11% for alcohol-drug related offenses.
#3 • CHALLENGING AND VIOLATING CORPORATE POLICIES
Employee compliance with corporate policies is a major concern for an organisation. Violating corporate policies increases the vulnerability of
the organization, and weakens the viability of the organization to achieve its desired goals. Violating corporate policy significantly increases the chance
of security breaches.
Employees who are aware of their organisation’s corporate policies and deliberately choose to violate the policies are particularly problematic.
Even though an employee may have good reason to ignore policy (e.g., those who chose convenience and productivity over security), violating policy is “no doubt” challenging and dangerous for the organisation.
According to CEB, more than 90% of employees violate policies designed to prevent data breaches.
INDICATORS TO WATCH
• Overtly disagrees with the corporate policy
by deliberately disobeying;
• Falsifies statements and acts dishonestly;
• Steals unauthorised property from the
employer, fellow workers or customers
regardless of the value;
• Intimidates colleagues, verbally or physically;
• Excessive absenteeism;
• Continuous pushing against corporate
boundaries, for example, taking long lunches;
Wastes time and impacts productivity
• Makes discriminating remarks or sexual
• Commits violations of work safety rules;
• Works odd hours; and
• Tries to perform work outside their normal
#4 • DECLINE IN WORK PERFORMANCE
Every employee can expect to have a bad day occasionally, after all, who hasn’t? However, if that bad day continues and a negative pattern develops, this may indicate a larger problem that requires urgent attention.
Sometimes employees take the initiative to contact their employer for help addressing personal problems. If lucky, the employee may even seek their Employee Assistance Program if the organisation provides such resources.
Troubled workers can impact everyone around them, and this can lead to conflicts within team members. Conflict reduces team productivity, and simply put, places the organisation at risk.
INDICATORS TO WATCH
• Poor fit with organisation values.
For example, the insider dislikes their job;
• Poor fit with the organisation culture.
For example, the insider dislikes the
• Difficulty negotiating and reaching agreement;
• Complaints about job fairness;
• Complaints about job satisfaction;
• Complaints about inadequate compensation;
• Complaints about organisation opportunities;
• Complaints about the workload;
• Signs of frustrations, such as not wanting
to work with people;
• Signs of stress, such as emotional exhaustion;
• Apathy towards others, late on deliveries
and lack of timeliness;
• Large mood and emotional swings;
• Signs of poor physical conditions;
• Unable to manage time;
• Constant socialising;
• Unusually frequent trips and vacations; and
• Unexplained changes in financial circumstances.
A former employee administrator at a university institute deleted 18 months of cancer research after quitting because of personality and work ethics differences between himself and management. On numerous occasions, he had displayed aggressive and malicious behaviours (non-technical) before quitting his job. He was not liked. He was described as very lazy and constantly complained. A few days after quitting, he returned to the lab. Fortunately for the employer, his badge had been disabled. Unfortunately, he asked an employee who recognised him to let him in, and once inside the building, he used a key that had not been confiscated to enter the office and delete the
cancer research data.
In this case, the employee obviously exhibited concerning behaviours in the workplace well before the breach/deletion of data took place.
#5 • UNAUTHORISED ACCESS
Although we place a huge amount of trust in colleagues at work, insiders pose a substantial threat due to their knowledge of, and access to employer’s systems and information. They can bypass physical and electronic security measures through legitimate means every day.
And, if they are motivated to seek out an advantage, to benefit or even profit from an opportunity (personal gain), they will find ways to achieve their goal/s.
Here are some clues on what to watch:
INDICATORS TO WATCH
• Perform activities that are not part of their
current job role;
• Make decisions on behalf of colleagues without
being authorised to do so;
• Snoop at other individuals desks and work
• Interested in viewing confidential information
• Extensive and frequent phone conversations;
• Allow unauthorised external people into
sensitive work areas;
• Ask colleagues to obtain critical assets when
they do not have authorisation;
Ask colleagues to provide access to sensitive
areas for which they are not authorised access;
• Utilise the photocopier excessively above their
Try to use other people computer devices;
• Take organisation stationery for home use
• Take organisation IT devices for home use
• Take other people keys or access cards;
• Tailgating other people;
• Door propping;
• Use their phone to take pictures of people,
systems and information;
• Introduce their own devices into the system
without authorisation. For example, introducing
their own portable storage disk drive onto the
corporate network; and
• Run their own business within the employer
A programmer at a telecommunication company was angry when it was first
announced that there would be no bonuses. He then used the computer of the project lead (who sat in a cubicle and often left his computer logged in, in the unattended area), to modify the company’s premier product. Six months later,
the insider left the company for another job.
Six months after that, a “logic bomb” (malicious insertions) detonated preventing the software from working.
In this case, the employee obviously exhibited disgruntlement behaviour and also accessed unauthorised equipment that didn’t belong to him.
#6 • STRESS BEHAVIOUR
Who hasn’t gone through a major life event? Life events can literally shake up your world for better or for worse. Major life events can lead to a very high level of stress, and this stress combined with the additional level of stress that is within the organisation may cause major health issues such as loss of memory, immune deficiency, obesity, and more.
Stress has become a serious concern for organisations because it can cause lower productivity, higher rates of turnover, worker conflict, increased workers compensation claims, and legal expenses.
Stress reactions are unique to every individual and are the behavioural consequences of their environment.
Below is a small list of possible stress events
- Home relocation;
- Foreclosure of mortgage;
- Change in financial state, for example,
- Change in religion;
- Change in health of family members;
- Death of one or more close people;
- Midlife crisis;
- Downsizing or moving office;
- Merging with another organisation;
- Change in responsibilities;
- Major life changes;
- Legal challenges; and
- Being recruited by outside criminals.
INDICATORS TO WATCH
- Interpersonal conflicts;
- Personality clashes;
- Depression signs;
- Pessimistic and cynical;
- Complaints about sleep;
- Complaints about digestive problems;
- Skin conditions;
- Weight problems;
- Thinking and memory problems;
- Poor judgement; and
- Anxiety and constant worrying.
#7 • REGULAR STATE OF INTOXICATION OR SUBSTANCE ABUSE
Drug abuse affects people from all walks of life and socioeconomic statuses. Whatever the reason a person starts taking drugs, tolerance and dependency can develop quickly, before the user realises the pattern of addiction taking hold. When tolerance becomes full-blown addiction, it can be extremely difficult to stop the pattern of abuse.
Breaking free from the hold of addiction often requires outside help. Drug abuse wreaks havoc on the body and mind. Addiction can have severe repercussions for individuals, their families and possibly colleagues.
INDICATORS TO WATCH
• Smells of alcohol or other related substance;
• Dishevelled appearance;
• Difficulty controlling their body;
• Difficulty paying attention;
• Drowsy, dozes or sleeps;
• Brings alcohol or some other substance
• Abrupt weight changes;
• Argumentative attitude;
• Obnoxious and disorderly behaviour;
• Annoys colleagues;
• Change in personality – becomes bad
tempered or aggressive;
• Signs of depressive behaviour;
• Signs of lethargy;
• Financial problems that could lead
to criminal activities.
The above behaviour patterns should be considered as red flags and should be taken extremely seriously.
Although these behaviours may be unusual, (remember these behaviours are observable by someone, and they are non-technical behaviour indicators), they may not point to an insider threat situation, but may potentially identify a symptom of an emotional challenge (personal disposition).
Either way, such behaviours do require being noticed and need to be raised with management and the Insider Threat team.
In addition, I would recommend utilising tools at your disposal to collect other data from other sources whether they be technical or nontechnical to ascertain whether the observed behaviour is really an insider threat.
WHAT CAN BE DONE?
There are a number of areas where an organisation can start the task of reducing the potential risk of insider threats.
1. Insider Threat Awareness
The key to achieving success noticing and identifying insider threats is to diligently monitor these behaviour signals from the start. All this requires is to raise insider threat awareness organisation wide. When you “See Something”, you “Say Something” awareness.
Insider threat awareness training needs to be available for everybody including contractors and 3rd party organisations. It should be given during the onboarding process and refreshed at least yearly. Its primary aim is to keep insider threat at the forefront of employee minds as they go about
their day-to-day work lives.
Topics for employee insider threat awareness
should include some of the following:
• Types of insider threats;
• How an organisations staff may be targeted;
• Methods that adversaries use to recruit
• Acceptable user behaviour as an employee
and as a user on the network, including
• Consequences if acceptable user behaviours
• Organisation intellectual property (IP) policies
and employee responsibilities to protect
organisation data and IP;
• Unintentional insider threats: What they
are, how they happen and general security
• How to identify inappropriate behaviour,
• Employee responsibilities regarding
• The importance of engaging all employees
to prevent malicious insider activities;
• Consequences if insiders displaying risky
behaviours are caught; and
• An area for shared distribution of insider
threat awareness material – website; staff
board; promotional materials; regular
training; posters; login banners; discussion
groups; exercises that occur at random
and test an employee’s knowledge.
2. User Employee Assistance
Another positive intervention strategy is an employee assistance program. These programs should be offered by organisations as an employee benefit, to assist employees in dealing with personal or work-related issues that may affect job performance, health, and general well-being.
Employee Assistance Programs can include counselling services for employees and / or their families.
3. Employee Engagement Program
Effective mitigation against insider threats by insiders requires the adoption of two driving concepts/programs.
>> Negative Deterrence Programs; and
>> Positive Deterrence Programs
Deterrence focuses on making potential adversaries and even Insiders think twice about placing the organisation at risk (whether it be malicious or non-malicious actions).
Negative incentives attempt to force employees to act in the interest of the organisation and when relied on excessively, can result in negative unintended consequences.
Positive incentives can complement traditional practices by encouraging employees to act in the interest of the organisation either extrinsically (through reward & recognition) or intrinsically. Positive incentives create a work environment where employees are intently driven to contribute to the organisation in a positive way.
Organisation Support is the foundation of positive deterrence. With this in place, Connectedness with co-workers and Job Engagement serve to strengthen employee commitment to the organisation.
Employing the right mix and ratio of positive and negative incentives in an Employee Engagement Program can create a net positive for both employee and the organisation.
Are you experiencing an insider threat situation right now and not sure how to address it?
Are you interested in having an Insider Threat Training Awareness Program conducted for your organisation’s employees?
Are you looking to become proactive and more effective in managing insider threats?
If so, let’s schedule a time to discuss how we can help you.
You can either call us on +61 2 6282 5554 or alternately, visit our Naked Insider website www.nakedinsider.com and leave your details so that we can follow-up with you afterwards.