“ You can speak with spiritual eloquence,
pray in public, and maintain a holy appearance…
But it is your behaviour that will reveal your true character. ”
– STEVE MARABOLI –
When it comes to cybercrime, incidents caused by external actors dominate the news headlines. Yet, rarely is news divulged when the threat comes from “trusted” insiders and more often than not, these incidents tend to be more damaging. Furthermore, the majority of organisations are unprepared for these insider threats.
For starters, identifying and mitigating insider threats is not an easy task. On the contrary, it’ s extremely challenging. Why?… Because we are dealing with people – not machines. People are human beings who come with emotions, values, beliefs, goals and aspirations. Clearly human beings are not machines! No technology can pinpoint with definite certainty, that a person is a threat to an organisation. Think about it, no person walks into the office with a red jacket and a sign stuck to their forehead claiming that they are an insider threat.
Organisations are a collection of people who share a common purpose. People within organisations unite to focus their various capabilities and skills toward achieving personal as well as business goals.
What makes a person with a “good background” behave appallingly towards their colleagues, while another employee with “little resource” is extremely helpful and accommodating? One thing is clear, humans are not random creatures. All actions that people take, they take for a specific reason. Why do I use the word “take” instead of “do”? Because what we do is driven by a choice
that is made…to do one thing or another, which leads to an action being taken. These actions are based on the “pain-pleasure” model. People avoid
pain and seek out pleasure. This is, for certain, how humans are wired.
Look around your office and ask yourself, how many people do I really know? Isn’t it difficult to say you know co-workers when they come and go? Who is to say that the temperament you see at work is the same temperament shown at home? Isn’t it true that all you know is when they access your corporate network, they become a user and sometimes the user and person are two
Some people carry “personal and sensitive emotional luggage with them”. The organisation and their colleagues are unaware of these items, which makes sense, right? Why?… Because colleagues do not make it their business to know
every co-workers business. Colleagues generally focus on getting the job they are supposed to do, done. However, colleagues do share, and it can
be important to note when someone is carrying “personal and sensitive emotional luggage.” This is referred to as “personal disposition” and this disposition can be important to an organisation.
Would you know whether a colleague has an alcohol or drug addiction problem? Would you know whether a co-worker is financially challenged? Would you know whether a colleague has an addiction to gambling, or whether they are involved with criminals or criminal activities?
According to the Insider Threat division of CERT, there is a strong link between negative behaviour (personal disposition) and malicious activity. In fact, those that had committed some form of IT sabotage also exhibited personal disposition.
On 24 March 2015, an Airbus A320-211 crashed 100 kilometres north-west of Nice in the French Alps after a constant descent that began one minute after the last routine contact with air traffic control. All 144 passengers and six crew members were killed.
WHY DID IT HAPPEN? The crash was deliberately caused by the co-pilot Andreas Lubitz, who had previously been treated for suicidal tendencies and been declared “unfit to work” by a doctor. However, Lubitz kept this information from his employer and reported for duty. During the flight, he locked the pilot out of the cockpit before initiating a descent that caused the aircraft to crash into a mountain.
Personal disposition can be recognised by certain types of observable characteristics. Observable characteristics is what this article is all about.
Before we delve into personal disposition and related behaviours, what they look like and how you can spot them, let’s briefly identify what an Insider is.
WHAT IS AN INSIDER?
An Insider is any user whether they are a trusted employee, a contractor, a business partner, or a former employee, that has an authorised access to organisation assets. The key critical aspect of such a user is that they may still have access to organisation assets and applications, which may include confidential data.
A malicious insider is a trusted insider who abuses their trust to disrupt operations, corrupt data, ex-filtrate sensitive information, or compromise an IT (information technology) system. This causes loss or damage and negatively affects the confidentiality, integrity or availability of the organisation’s information and systems.
NON- MALICIOUS INSIDER
A non-malicious insider is an insider that through their actions/inactions, absent malicious intent, cause harm or substantially increase the probability of future serious harm to the organisation’s information and systems.
SO, WHAT ARE YOUR EMPLOYEES UP TO?
Detecting insider threats can be extremely difficult, particularly when you are dealing with a calculated attacker or disgruntled employee that knows all the ins and outs of your company.
So, it may come as a surprise to you that the most common indicator of an insider threat usually takes place well before it is spotted by any security system, or detection prevention system.
The following diagram illustrates a timeline showing different points of behaviour anomaly indicators that can be used to help detect potential threats prior to experiencing a breach.
• NON-TECHNICAL BEHAVIOUR ANOMALIES
Indicators that the behaviour of the person has changed or flipped, for example, an otherwise nonaggressive individual becoming aggressive in conversations.
• USER & POLICY BEHAVIOUR ANOMALIES
Indicators of anomalies when connected to the corporate network, for example, spending lots of time accessing social media sites, or actions
contrary to corporate policies
• SYSTEM & DATA BEHAVIOUR ANOMALIES
Indicators of unusual system and data behaviour, for example, using analysis of metadata and other data sources such as network logs, travel reporting, network access times, etc.
The malicious insider threat is hard to detect because employers trust their employees. To complicate matters, it is difficult to determine if employees are doing something malicious when they are the ones responsible for accessing
and using sensitive data. It is very difficult to determine if something malicious is occurring when the very individuals accessing and using the data have the authority to access it.
Further, if an employer suspects malicious intent, it is easy for an employee to claim they made a mistake and get away with it. This puts the trusting employer in a precarious situation. Let’s face it… it is almost impossible to prove guilt in such cases, and it is pretty easy for employees, especially tech-savvy ones, to cover their tracks.
The majority of organisations approaching the Insider Threat challenge use technologies such as Security Information and Event Management (SIEM), User Behaviour Analytics (UBA), or User Activity Monitoring to enable successful detection and prevention of malicious activities. There is no doubt that technology is an important part of the strategy to mitigate the insider threat. However, these technologies do not focus on identifying the physical behaviours and the “non-technical” behaviours, and as a result, even when combined they are not a complete solution.
A vice president of engineering who was responsible for oversight of all software development in the organisation was engaged in long running disputes with upper management. The disputes were characterised as verbal attacks by the insider and statements to colleagues about how much he had upset management. He engaged in personal attacks and in a restaurant, screamed abuse at the CEO. A final explosive disagreement prompted
him to quit. When no severance package was offered, he copied a portion of the organisation software to removable media, deleted it from the organisation server, and removed the recent backup tapes. He then offered to
restore the software in exchange for $50,000. He was charged and convicted of extortion, misappropriation of trade secrets, and grand theft. However, the most recent version of the software was never recovered.
If the organisation in this case had recognised the disruptive behaviour as a warning sign, the organization would have recognized the potential insider threat. The organization could have secured assets and prevented substantial loss. It is important and critical that organisations recognise and realise the potential consequence of negative behaviour in the workplace.
Unfortunately, many organisations do not have any practice, procedure, or method to apply to help them identify risky behaviour within their environment.
In addition, managers and executives tend to downplay the threats posed to their organisation by their own colleagues, even when the behaviour is risky.
Of equal importance, individuals managing security operations often have very limited understanding about human behaviour; they are either unaware of what to look for, or perhaps they do not consider it part of their job.
Did you know that insiders are usually known entities? They are the familiar and trusted few, AND who could imagine that these few employees who have worked their way through the corporate high security vetting process could pose a threat? Doesn’t this formal process of review and official approval deem them as trustworthy, and remove them of suspicion? After all, they are deeply integrated employees who are designated as individuals in the fold.
In this whitepaper, I discuss the different warning signs of an Insider Threat that tend to manifest in non-technical form. These early warning signs are the indicators that you will need to carefully notice.
An individual with argumentative personality that causes disruption in the workplace may be exhibiting risky behaviour. These individuals may isolate themselves from others and reject social interaction with their co-workers. Of
greater concern, they may also reject supervisory direction or counselling aimed at addressing their disruptive behaviour.
Some people use aggressive behaviour and believe they are being assertive. This may be due to a lack of self-confidence or self-worth, or it could be due to conditioning in the way they were brought up. Some people are not aware that they are perceived as aggressive
INDICATORS TO WATCH
• Signs of temper and frustration;
• Excessive use of profanity, bad language
• Verbally complain about the organisation;
interested in voicing their opinion;
• Chronic blaming, others are always at fault;
• Closed to other opinions, rarely consider
anyone else’s view and may even feel
• Not concerned about how their actions may
• Controlling or interested in being the one in
charge, and interested in power over others;
• Hard on machinery and equipment, office
Employees (or former employees) who feel unfairly treated, resentful or have a “chip on their shoulder” could seek revenge by acting out against their company, co-workers, partners, or customers.
The employee may have a grievance pending or a history of filing grievances. These employees tend to blame others for the results of their own actions and refuse to accept responsibility. Their perceived mistreatment or bias could ignite violent behaviour.
One in four full-time workers have been harassed, threatened or attacked. Of that group, co-workers were most often harassed, followed by customers.
An employee may express outrage and blame of others through direct or indirect threats. They use direct intimidation, verbal and written threats to
create fear, stress and anxiety in their targets.
Here are examples of direct and indirect threats:
INDICATORS TO WATCH
• General tardiness (late to work; making more
mistakes; constantly missing deadlines);
• Frequent conflicts with colleagues
• Verbal or physical abuse in the workforce;
• Unmanaged anger or stress; signs of
agitation, impulsiveness, physical and
manhandling their equipment; damaging
• Paranoia; they suspect that others are
conspiring against them. Look for signs that
they feel “unappreciated” by the organisation;
• Bullying behaviour; and
• Threats against colleagues and others.
This could be verbal and physical threats.
According to the Insider Threat Division of CERT, of those who committed Insider Threat Sabotage, 30% had a personal disposition of previous arrest, 18% for violent offenses, and 11% for alcohol-drug related offenses.
Employee compliance with corporate policies is a major concern for an organisation. Violating corporate policies increases the vulnerability of
the organization, and weakens the viability of the organization to achieve its desired goals. Violating corporate policy significantly increases the chance
of security breaches.
Employees who are aware of their organisation’s corporate policies and deliberately choose to violate the policies are particularly problematic.
Even though an employee may have good reason to ignore policy (e.g., those who chose convenience and productivity over security), violating policy is “no doubt” challenging and dangerous for the organisation.
According to CEB, more than 90% of employees violate policies designed to prevent data breaches.
INDICATORS TO WATCH
• Overtly disagrees with the corporate policy
by deliberately disobeying;
• Falsifies statements and acts dishonestly;
• Steals unauthorised property from the
employer, fellow workers or customers
regardless of the value;
• Intimidates colleagues, verbally or physically;
• Excessive absenteeism;
• Continuous pushing against corporate
boundaries, for example, taking long lunches;
Wastes time and impacts productivity
• Makes discriminating remarks or sexual
• Commits violations of work safety rules;
• Works odd hours; and
• Tries to perform work outside their normal
Every employee can expect to have a bad day occasionally, after all, who hasn’t? However, if that bad day continues and a negative pattern develops, this may indicate a larger problem that requires urgent attention.
Sometimes employees take the initiative to contact their employer for help addressing personal problems. If lucky, the employee may even seek their Employee Assistance Program if the organisation provides such resources.
Troubled workers can impact everyone around them, and this can lead to conflicts within team members. Conflict reduces team productivity, and simply put, places the organisation at risk.
INDICATORS TO WATCH
• Poor fit with organisation values.
For example, the insider dislikes their job;
• Poor fit with the organisation culture.
For example, the insider dislikes the
• Difficulty negotiating and reaching agreement;
• Complaints about job fairness;
• Complaints about job satisfaction;
• Complaints about inadequate compensation;
• Complaints about organisation opportunities;
• Complaints about the workload;
• Signs of frustrations, such as not wanting
to work with people;
• Signs of stress, such as emotional exhaustion;
• Apathy towards others, late on deliveries
and lack of timeliness;
• Large mood and emotional swings;
• Signs of poor physical conditions;
• Unable to manage time;
• Constant socialising;
• Unusually frequent trips and vacations; and
• Unexplained changes in financial circumstances.
A former employee administrator at a university institute deleted 18 months of cancer research after quitting because of personality and work ethics differences between himself and management. On numerous occasions, he had displayed aggressive and malicious behaviours (non-technical) before quitting his job. He was not liked. He was described as very lazy and constantly complained. A few days after quitting, he returned to the lab. Fortunately for the employer, his badge had been disabled. Unfortunately, he asked an employee who recognised him to let him in, and once inside the building, he used a key that had not been confiscated to enter the office and delete the
cancer research data.
In this case, the employee obviously exhibited concerning behaviours in the workplace well before the breach/deletion of data took place.
Although we place a huge amount of trust in colleagues at work, insiders pose a substantial threat due to their knowledge of, and access to employer’s systems and information. They can bypass physical and electronic security measures through legitimate means every day.
And, if they are motivated to seek out an advantage, to benefit or even profit from an opportunity (personal gain), they will find ways to achieve their goal/s.
Here are some clues on what to watch:
INDICATORS TO WATCH
• Perform activities that are not part of their
current job role;
• Make decisions on behalf of colleagues without
being authorised to do so;
• Snoop at other individuals desks and work
• Interested in viewing confidential information
• Extensive and frequent phone conversations;
• Allow unauthorised external people into
sensitive work areas;
• Ask colleagues to obtain critical assets when
they do not have authorisation;
Ask colleagues to provide access to sensitive
areas for which they are not authorised access;
• Utilise the photocopier excessively above their
Try to use other people computer devices;
• Take organisation stationery for home use
• Take organisation IT devices for home use
• Take other people keys or access cards;
• Tailgating other people;
• Door propping;
• Use their phone to take pictures of people,
systems and information;
• Introduce their own devices into the system
without authorisation. For example, introducing
their own portable storage disk drive onto the
corporate network; and
• Run their own business within the employer
A programmer at a telecommunication company was angry when it was first
announced that there would be no bonuses. He then used the computer of the project lead (who sat in a cubicle and often left his computer logged in, in the unattended area), to modify the company’s premier product. Six months later,
the insider left the company for another job.
Six months after that, a “logic bomb” (malicious insertions) detonated preventing the software from working.
In this case, the employee obviously exhibited disgruntlement behaviour and also accessed unauthorised equipment that didn’t belong to him.
Who hasn’t gone through a major life event? Life events can literally shake up your world for better or for worse. Major life events can lead to a very high level of stress, and this stress combined with the additional level of stress that is within the organisation may cause major health issues such as loss of memory, immune deficiency, obesity, and more.
Stress has become a serious concern for organisations because it can cause lower productivity, higher rates of turnover, worker conflict, increased workers compensation claims, and legal expenses.
Stress reactions are unique to every individual and are the behavioural consequences of their environment.
Below is a small list of possible stress events
INDICATORS TO WATCH
Drug abuse affects people from all walks of life and socioeconomic statuses. Whatever the reason a person starts taking drugs, tolerance and dependency can develop quickly, before the user realises the pattern of addiction taking hold. When tolerance becomes full-blown addiction, it can be extremely difficult to stop the pattern of abuse.
Breaking free from the hold of addiction often requires outside help. Drug abuse wreaks havoc on the body and mind. Addiction can have severe repercussions for individuals, their families and possibly colleagues.
INDICATORS TO WATCH
• Smells of alcohol or other related substance;
• Dishevelled appearance;
• Difficulty controlling their body;
• Difficulty paying attention;
• Drowsy, dozes or sleeps;
• Brings alcohol or some other substance
• Abrupt weight changes;
• Argumentative attitude;
• Obnoxious and disorderly behaviour;
• Annoys colleagues;
• Change in personality – becomes bad
tempered or aggressive;
• Signs of depressive behaviour;
• Signs of lethargy;
• Financial problems that could lead
to criminal activities.
The above behaviour patterns should be considered as red flags and should be taken extremely seriously.
Although these behaviours may be unusual, (remember these behaviours are observable by someone, and they are non-technical behaviour indicators), they may not point to an insider threat situation, but may potentially identify a symptom of an emotional challenge (personal disposition).
Either way, such behaviours do require being noticed and need to be raised with management and the Insider Threat team.
In addition, I would recommend utilising tools at your disposal to collect other data from other sources whether they be technical or nontechnical to ascertain whether the observed behaviour is really an insider threat.
WHAT CAN BE DONE?
There are a number of areas where an organisation can start the task of reducing the potential risk of insider threats.
1. Insider Threat Awareness
The key to achieving success noticing and identifying insider threats is to diligently monitor these behaviour signals from the start. All this requires is to raise insider threat awareness organisation wide. When you “See Something”, you “Say Something” awareness.
Insider threat awareness training needs to be available for everybody including contractors and 3rd party organisations. It should be given during the onboarding process and refreshed at least yearly. Its primary aim is to keep insider threat at the forefront of employee minds as they go about
their day-to-day work lives.
Topics for employee insider threat awareness
should include some of the following:
• Types of insider threats;
• How an organisations staff may be targeted;
• Methods that adversaries use to recruit
• Acceptable user behaviour as an employee
and as a user on the network, including
• Consequences if acceptable user behaviours
• Organisation intellectual property (IP) policies
and employee responsibilities to protect
organisation data and IP;
• Unintentional insider threats: What they
are, how they happen and general security
• How to identify inappropriate behaviour,
• Employee responsibilities regarding
• The importance of engaging all employees
to prevent malicious insider activities;
• Consequences if insiders displaying risky
behaviours are caught; and
• An area for shared distribution of insider
threat awareness material – website; staff
board; promotional materials; regular
training; posters; login banners; discussion
groups; exercises that occur at random
and test an employee’s knowledge.
2. User Employee Assistance
Another positive intervention strategy is an employee assistance program. These programs should be offered by organisations as an employee benefit, to assist employees in dealing with personal or work-related issues that may affect job performance, health, and general well-being.
Employee Assistance Programs can include counselling services for employees and / or their families.
3. Employee Engagement Program
Effective mitigation against insider threats by insiders requires the adoption of two driving concepts/programs.
>> Negative Deterrence Programs; and
>> Positive Deterrence Programs
Deterrence focuses on making potential adversaries and even Insiders think twice about placing the organisation at risk (whether it be malicious or non-malicious actions).
Negative incentives attempt to force employees to act in the interest of the organisation and when relied on excessively, can result in negative unintended consequences.
Positive incentives can complement traditional practices by encouraging employees to act in the interest of the organisation either extrinsically (through reward & recognition) or intrinsically. Positive incentives create a work environment where employees are intently driven to contribute to the organisation in a positive way.
Organisation Support is the foundation of positive deterrence. With this in place, Connectedness with co-workers and Job Engagement serve to strengthen employee commitment to the organisation.
Employing the right mix and ratio of positive and negative incentives in an Employee Engagement Program can create a net positive for both employee and the organisation.
Are you experiencing an insider threat situation right now and not sure how to address it?
Are you interested in having an Insider Threat Training Awareness Program conducted for your organisation’s employees?
Are you looking to become proactive and more effective in managing insider threats?
If so, let’s schedule a time to discuss how we can help you.
You can either call us on +61 2 6282 5554 or alternately, visit our Naked Insider website www.nakedinsider.com and leave your details so that we can follow-up with you afterwards.