Recognizing and dealing with insider risk

I came across an interesting white paper from the deep mists of the past (2011) which is as relevant today as it was back when it was written (probably on a steam-powered word processor).

Published by Symantec, the paper talks about characteristics of employees at risk for insider IP theft, their motivation and psychology, and how organizations can detect them and react appropriately. Most definitely worth a read – understanding the psychology of attackers, whether inside the organization or outside, is key to detecting and defeating them.

The paper has some great insights into the types of employees who may be more likely to be involved in insider incidents, as well as how and why they steal information. It also provides a list of high-risk factors to look out for – some of these can be integrated into routine security monitoring. It is informative reading for any security professional.

Some thoughts… now that sentiment analysis tools seem to be everywhere, wouldn’t it be nice to receive alerts when an employee’s electronic communications start showing a swing to negative emotions about the company and their work? This could be factored into a risk score to help focus scrutiny on people and issues of concern. Yes, this is a bit on the creepy side, but I think we are entering an era where people are more aware of all of the ways they are being scrutinized and categorized by AI. And for many companies, data and other IP are the crown jewels of their value proposition. I always advocate telling employees up front that their web use, email and other network activities at work are subject to monitoring and that anything they consider to be private should not be stored, transmitted or processed on company systems.

If you are not up for the automated way of doing this, what about working with your HR department to score employees on an enhanced risk scale when problems have been escalated? Factors which might boost an employee’s risk score:

  • Negative performance review
  • Getting a formal HR warning
  • Demotion
  • Pattern of policy violations
  • Giving notice

You don’t really need the details of the issue, just that there is an issue and its magnitude. Monitoring user behavior can be time consuming – you don’t want to waste your time on low-risk employees if you have a list of higher-risk employees who merit attention.
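As an added illustration (not from the post or the Symantec paper) of how the HR factors above and the sentiment swing mentioned earlier could feed one risk score: each escalated issue carries only its factor and a magnitude, its weight decays with age, a negative sentiment swing adds to the score, and the result is a short list of people who merit attention first. The factor weights, the 90-day half-life, the sentiment weight and the threshold are assumed values for illustration, and the events and sentiment figures are constructed sample data.

```python
from dataclasses import dataclass

# Weight per HR factor (assumed values; tune to your own program).
FACTOR_WEIGHTS = {
    "negative_review": 2.0,
    "hr_warning": 3.0,
    "demotion": 4.0,
    "policy_violation": 2.5,
    "gave_notice": 5.0,
}
HALF_LIFE_DAYS = 90.0   # an issue's weight halves every 90 days (assumption)
SENTIMENT_WEIGHT = 4.0  # score added per unit of negative sentiment swing (assumption)


@dataclass
class HrEvent:
    user: str
    factor: str     # key of FACTOR_WEIGHTS; details of the issue are not needed
    magnitude: int  # 1 (minor) .. 3 (severe), as escalated by HR
    days_ago: int


def decayed_weight(event: HrEvent) -> float:
    """Factor weight scaled by magnitude, halving every HALF_LIFE_DAYS."""
    base = FACTOR_WEIGHTS.get(event.factor, 0.0)  # unknown factors add nothing
    return base * event.magnitude * 0.5 ** (event.days_ago / HALF_LIFE_DAYS)


def sentiment_penalty(baseline: float, recent: float) -> float:
    """Only a swing toward negative sentiment raises the score; improvement adds 0."""
    return max(0.0, baseline - recent) * SENTIMENT_WEIGHT


def risk_scores(events, sentiment):
    """Combine decayed HR factors and sentiment swing into one score per user."""
    scores = {}
    for ev in events:
        scores[ev.user] = scores.get(ev.user, 0.0) + decayed_weight(ev)
    for user, (baseline, recent) in sentiment.items():
        scores[user] = scores.get(user, 0.0) + sentiment_penalty(baseline, recent)
    return scores


def review_queue(scores, threshold=5.0):
    """Users at or above the threshold, highest risk first."""
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    return [(user, round(score, 2)) for user, score in ranked if score >= threshold]


# Constructed sample input: escalated HR events and (baseline, recent) sentiment in [-1, 1].
EVENTS = [
    HrEvent("alice", "negative_review", 2, 10),
    HrEvent("alice", "policy_violation", 1, 5),
    HrEvent("bob", "hr_warning", 1, 300),   # old warning, mostly decayed away
    HrEvent("carol", "gave_notice", 3, 2),
]
SENTIMENT = {"alice": (0.2, -0.4), "bob": (0.1, 0.3)}

if __name__ == "__main__":
    print(review_queue(risk_scores(EVENTS, SENTIMENT)))  # [('carol', 14.77), ('alice', 8.51)]
```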

Some final thoughts:

Not every organization is going to want to implement this type of program – it may not be compatible with your corporate culture or appropriate to the level of risk and regulation you face. The level of risk (and cultural acceptance) for this type of monitoring would be much higher in a defense contractor, financial, legal, healthcare, or other heavily regulated firm than in an ad agency or other services firm.

It may also not be something needed across the organization; it could be applied exclusively to people with high levels of systems and data access such as sysadmins, finance people, etc.

You also need to make sure that people know that their electronic communications are the property of the organization and are subject to monitoring and review.

Finally, in some jurisdictions, you may not be allowed to perform this type of analysis – always check with the lawyers and HR before implementing ANY type of employee behavior monitoring.

*** This is a Security Bloggers Network syndicated blog from Al Berg's Paranoid Prose authored by Al Berg. Read the original post at: