Preventing employee risk from becoming an insider threat

What do UMass Memorial Medical Group, Harel Chiropractic & Massage, and Morgan Stanley have in common? They all lost valuable data this year due to an insider breach.

All organizations engage in some form of employee risk management when they screen potential new hires. Interviews, and background and reference checks are the first line of defense against insider threats and help mitigate risk before an individual is hired. However, a common mistake organizations make is that they stop there and do not take risk into account throughout the entire employee lifecycle.

The employee lifecycle consists of three phases, pre-hire/onboarding, hired, and the exit period.


The first phase consists of everything that happens during the pre-hire and onboarding process. This includes, but is not limited to, drafting a job’s requirements, bringing in team members to work with HR to fill the role, and interviewing candidates.

From an insider-threat perspective, prevention measures should begin at the point a job description is drafted. Use this opportunity to document what level of privilege and access each position requires and think about worst-case scenarios. Ask yourself, “What is the worst thing(s) someone in this position could do in relation to company confidentiality, key systems, finances, or reputation?” Then, translate that information into a “positional risk score.” A simple 1-10 scale will suffice. Once a risk score has been assigned, share that information with HR, the department manager, legal, and IT. Having a common designation for positional risk makes communication feasible in the later stages of the employee lifecycle.


When an employee is hired, a method for monitoring user activities and behaviors needs to be put in place. High-risk-level positions, should be actively monitored, which means collecting and retaining data on user activities and behaviors, receiving and reviewing reports that summarize that data, and, in the case of the highest-risk positions, spot-checking their activity. Lower-risk positions should be passively monitored. This requires collecting data on user activities and behaviors, scanning it for signs of insider risk/threat, and alerting based on company-defined parameters.

Beware of Employee Disgruntlement

Once a candidate has been hired, the line of communications established at the beginning of the employee lifecycle becomes critical, as disgruntled employees are one of the leading causes of insider breaches. Employees become disgruntled for a number of reasons, such as:

· A perception of unfair treatment by senior management

· Poor annual reviews

· Smaller-than-expected pay increases

· Failure to secure a promotion

· Being put on a performance plan

When it has been determined that an employee is at risk for disgruntlement, put the risk-level rating system to work. HR should notify IT whenever an elevated risk is associated with a person. While the risk level associated with a position might normally be at “4,” it might warrant bumping that to an “8” in the event of employee disgruntlement.

While factors beyond employee disgruntlement contribute to insider threat behaviors, employing a risk rating and aligning monitoring strategies to that risk rating give organizations a combination of tools and processes that improve their ability to deal with both positional risk and people risk.

Exit Period

Risk of an insider breach is greatest when an employee decides to leave (or believes that he or she is going to be made to leave) the organization. A Symantec-sponsored Ponemon report, “What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk,” revealed that one out of two employees surveyed stated they think it is okay to take corporate data with them when they leave a company.

In the last phase of the employee lifecycle, HR needs to work closely with IT to make sure that a review of the departing employee’s activity and behaviors for the 30-day period leading up to termination occurs. While that process may seem daunting, organizations that have employed tools that collect data on user activity and behavior can handle this critical security task. Whether the employee was being actively monitored or passively monitored, a record of all of that person’s activity exists for quick review.

Too often, Information Security is told an employee is leaving on or close to the date of departure. By the time it is able to complete the security review, the insider may be gone and the damage is done. When a departure is known or suspected, HR or the business manager should immediately let Information Security know that the risk level is now a “10” for that employee and trigger a review of the past 30 days of that employee’s activity. Simultaneously, HR can review confidentiality and IP agreements with the employee, reminding them of their obligations and asking them to confirm they have destroyed any corporate data they may have downloaded from the network. This discussion can have a powerful deterrent effect, and when combined with a review of departing user activity, can mitigate a serious insider threat.

Latest posts by Mike Tierney (see all)
Scroll to Top