CAM003

Understanding the insider threat

This campaign summary will help you explain and discuss insider threat in your organisation and teams, including the high-level issues and opportunities for mitigating the risks.

This is a summary of the main highlights from the guide developed by the Protective Security Requirements Team. We encourage you to share the full version of the guide at your workplace:

It happens here: Managing the insider threat to your organisation.

What is insider threat?

‘Insider threat’ describes the potential for employees to use their authorised access to your organisation’s work locations, people, information, and systems to cause harm.

Main types of insider threat and examples of harm they can cause

  • Theft, fraud, and corruption — Financial losses
  • Information leaks — Reputational damage, loss of intellectual property
  • Privacy breaches — Compromised customer or client information
  • Sabotaged systems or equipment — Disruptions to operations
  • Violent acts or threats — Safety and wellbeing at risk.

Types of insiders: intentional and unintentional

Insiders who cause harm fall into two broad groups — those who act intentionally and those who act unintentionally.

Intentional insiders

‘Intentional insiders’ aim to cause harm. They’re either recruited by an external party or self-motivated.

An intentional insider who is recruited usually responds to external pressure. That pressure could come from people who share their ideology, or an external party with leverage over them. For example, a gang could apply pressure to repay a debt, or a foreign intelligence agent could apply pressure to get access to information.

An intentional insider who is self-motivated is usually motivated by ideology, or driven by financial gain. Possible influences on their behaviour are financial difficulties, greed, wanting to be perceived as wealthy, or being deeply opposed to a decision or stance your organisation has taken.

Unintentional insiders

‘Unintentional insiders’ cause harm accidentally and the most likely cause is poor security behaviour.

An unintentional insider might not know the correct security processes or might ignore them, thinking they are irrelevant. Some might just choose to bypass the proper procedures because they’re in a hurry. Other factors such as stress, high workload, and poor communication can also be behind some unintentional insider acts.

Poor security awareness could mean an employee:

  • has a genuine gap in their knowledge about the security behaviour expected of them
  • hasn’t paid attention to induction materials or other training about security
  • doesn’t understand the potential impacts of failing to follow security processes.

What to watch for

Security intelligence communities around the world recommend you make everyone in your organisation aware of the following common signs of insider threat.

Remember that the presence of any of these common signs doesn’t automatically mean you have an insider threat. However, you should tell your security team what you’ve noticed.

Changes in behaviour / significant life changes

  • Being more nervous and anxious than normal
  • Receiving calls from outside work that cause stress
  • Becoming wealthy suddenly without any explanation

Concerning or unusual behaviour

  • Being under the influence of drugs or alcohol
  • Making extreme statements that show bitterness or anger — especially towards your organisation and its work, or more senior colleagues
  • Not wanting to take leave and being nervous about others acting in their position — being possessive about certain pieces of work
  • Having an unusual interest in choosing new employees

Changes in work performance or habits

  • Poor work performance
  • Unusual working hours — especially repeated after-hours access
  • Unexplained absences or travel

Security violations

  • Breaching security repeatedly, or deliberately not following security policies
  • Asking others to overlook security breaches, such as not wearing an ID tag or carrying a security pass

Attempts to access sensitive information or restricted areas

  • Being more interested than normal in sensitive information (especially information they wouldn’t ordinarily have access to)
  • Attempting to access (or successfully accessing) restricted areas outside their normal responsibility
  • Taking videos or photos or making notes and diagrams of sensitive information.

Why do people do it?

Although financial gain is the most common reason for an insider turning against their organisation, there’s often a combination of factors at play.

The following list gives the most common reasons for insider acts. Remember that there may be other factors and that the presence of one of the behaviours below doesn’t automatically mean you have an insider threat.

Being disgruntled or angry

  • Outwardly displaying signs of anger or resentment with their employer, manager, or colleagues
  • Seeking revenge

Seeking recognition, admiration, or thrills

  • Having a desire for recognition (notoriety)
  • Attempting to boost their self-esteem or image
  • Thrill-seeking, risk-taking

Having relationship or personal problems

  • Having relationship problems with family, friends, or a partner
  • Having health or personal issues that cause compulsive or destructive behaviour

Being influenced by others or an ideology

  • Having divided loyalties or a conflict of interest (for example, between their employer and someone they have a personal or work relationship with)
  • Believing in or developing a belief in an ideology or cause (especially one that opposes their employer and its work)
  • Succumbing to external pressure, such as blackmail or pressure to repay a debt

Not caring about security

  • Not following security processes despite knowing them 
  • Failing to act when a security concern is raised

The Big Five: simple security behaviours

Encourage the following simple security behaviours to help your organisation reduce the threats from both intentional and unintentional insiders.

1. Watch out for tailgaters

In restricted access buildings where you need a swipe card to get in, watch out for tailgaters — people following you in lifts or through restricted access doors.

Don’t use your card to allow other people access, no matter how nicely they ask, how senior they are, or how closely you work with them.

2. Question people who aren’t wearing ID

If someone should be wearing ID and they are not, don’t be afraid to ask them where it is. There is no harm in simply saying, ‘Hey, where’s your ID card?’ or ‘Excuse me, do you have your ID card?’

If questioning someone is difficult for you or the person concerned is senior to you, it’s completely fine to report what you saw to your security team in confidence.

3. Lock your devices

Lock your devices when you get up from your desk or have finished using them — even if you only plan to be away a few minutes. This simple practice prevents unauthorised access to information and systems.

PC – Ctrl + Alt + Del (or Windows + L)

Mac – Command + Control + Q

You should also take extra care when you’re out and about to prevent people from seeing what you’re reading or viewing on a work device.

4. Protect documents

Collect your printing as soon as it’s done rather than leaving it sitting in the paper tray for anyone to grab. If the content is protectively marked, use your organisation’s secure printing method.

Lock documents away in drawers or cabinets and operate a clear-desk policy (keep work-related information out of view).

When you’re travelling for work, follow your organisation’s security policy for protecting any documents you have with you.

5. Speak up

If you notice something concerning, speak up. Tell your manager or someone in your security team straight away.

Page last modified: 10/08/2020