Loss prevention executives are keenly aware of the threat from insiders. After all, we're many decades removed from when industry data revealed that employees, not shoplifters, were a greater cause of shrink. We've set up delivery controls, auditing systems, and background check protocols. We create exception reports to bubble up workers associated with anomalous transactions. We zoom in on cashiers who issue an inordinate number of discounts to see if they're pocketing proceeds. We do trust, but we are big on verify.
The insider threat, however, has evolved beyond the reach of employee bag checks and point-of-sale (POS) cameras. For all organizations, retailers included, the threat surface that employees can attack has grown, and so have the types of assets that they can exploit, misuse, or mistakenly expose. Never has so much of value been this accessible to a company's workforce. Never have companies been so vulnerable to their dishonesty, mistakes, or retribution.

"There are threats posed by insiders at retail organizations that go unaddressed," warned Florindo Gallicchio, managing director at NetSPI, a penetration testing firm out of Minneapolis. "Oftentimes, only the most obvious threats are considered, such as stealing money from the cash drawer," he told LP Magazine.
The insider problem is not uniquely acute in retail, but neither is it any less serious there, according to Mario Paez, director of cyber and technology errors and omissions at Marsh & McLennan Agency. From his vantage point, dealing with incidents handled by insurance companies, he witnesses these events and the full range of potential harms.

"In the retail environment, we certainly are seeing issues like in any other organization," he said. "You might have line-level employees who gain access to a corporate database through an in-store network; vendors and supply chain providers that might have access to your sensitive information; a rogue employee in the IT department with unchecked access; and intellectual property available to numerous employees in different functions in retail organizations."
The volume of transactional data that the retail industry produces is second to none, but there is more than customers' payment information. There are marketing plans, and contracts, and financial reports, and strategy papers, and legal agreements, and store and distribution center blueprints, and much more.
So what should retailers do about today's exposure? A theme emerges after listening to experts speak on the insider threat. Just as the insider threat has broadened, retail organizations may need to broaden their perception and management of the insider threat to stay ahead of it.
One Problem, Many Avenues
The annual GSX+ security conference was forced to go virtual in September, so it was no surprise that discussions of the pandemic dominated the event. How security professionals can navigate the risks it has catalyzed, the way it has reshaped the threat environment, and how organizations can build resilience against future seismic events were all frequent points of discussion. But while the pandemic was an ever-present backdrop, specific security topics were also in focus, and none more so than the insider threat. Discussions on the harm that employees and other trusted parties can do dominated the proceedings.
The frequency of events is undoubtedly one force driving attention. A significant majority of organizations, 70 percent, say they've suffered an increase in insider attacks over the last twelve months, according to Haystax's Insider Threat Report. Insiders pose the biggest cyber-security problem because they can cause the most damage and are harder to detect and prevent, say experts.
The expanding threat surface is surely another. Trade secrets, innovation, brand reputation, intellectual property: these now tend to be an organization's most vital assets, not just for technology companies but also in manufacturing, services, and even industries like retail. The effectiveness of corporate security today depends significantly on how well organizations manage this shift from securing hard assets to protecting intangible aspects of company value. "It's easier to be mindful of insiders related to technology and the payment process, but it goes beyond that to all sensitive information that needs safeguarding," said Paez. It is within the context of the dishonest worker that companies have an opportunity to improve both the protection of customer data and of trade secrets and proprietary information, say experts. The same protective measures that retail organizations should adopt to guard the privacy of customer data can safeguard companies' own secrets as well.
Speed is another complicating factor. In today's warp-speed business cycle, there is less time than ever to mull over the possible security implications of every business move. Companies must change, adapt, and dive into new opportunities just to stay alive, including embracing new communications technologies. At the same time, companies are engaging in a greater exchange of information with more constituencies to drive innovation and become more efficient. Sharing and integrating information across the global retail enterprise, and with customers, partners, and suppliers, is seen as critical to survival. "As more processes are performed by suppliers, the integrity of those suppliers is becoming ever more important," warned Paez.
Consider the wide range of insiders that organizations think pose significant security risk, according to the Haystax survey: privileged IT users/administrators, 59 percent; contractors/service providers/temporary workers, 52 percent; privileged business users, 49 percent; regular employees, 49 percent; other IT staff, 25 percent; executive managers, 24 percent; business partners, 16 percent; and customers/clients, 15 percent.
An independent study by Ponemon Institute, sponsored by IBM, examined actual insider-related data breach events impacting organizational costs over the past twelve months. Financial firms were the greatest victims. Retailers landed near the middle of the thirteen industry sectors examined, suffering less than hospitality companies but more than consumer products firms. But while some other industries may lose more, the amount lost by the retailers in the survey was not significantly less than the annualized total losses suffered by firms in the most affected industries.
Generally, the insider threat seems well appreciated, but data show organizations are paying a growing price for it. Why? Paez thinks there is a need for companies to address the risk more comprehensively. It can be seen strictly as a chief information security officer function, or as a security systems technology issue, but success relies on a wide range of activities by many players, starting with whom the retail organization employs. "It is important to understand the integrity and character of the people being hired. HR should be involved on the hiring front and for handling the disciplinary process," said Paez.
Because of the diffuse nature of the threat, Paez said that the organizations he sees managing the insider threat most effectively typically address it with a committee rather than making it the responsibility of a single function. He said it's important to have a realistic view of how the many different puzzle pieces of an organization's controls come together, or don't.
The benefit of a holistic strategy may seem obvious, but many businesses compartmentalize data security issues and unknowingly play right into the hands of dishonest employees, warn experts. At the heart of the problem is the tendency of businesses to exclusively focus security efforts on their primary risk. Consumer-facing companies like retailers and others that fall under privacy protection laws often do a better job of auditing their handling of private information, but they may neglect to protect their business secrets.
By leaving it to each department to protect the information they deem it necessary to protect, blind spots often develop, experts warn. Instead, an organization might benefit from an enterprise approach, one that starts with an internal audit to identify all the information it needs to protect. Such an endeavor is best done by a comprehensive cross-functional team or data security task force with members that might include: operational employees with knowledge of the company's technical and trade secret information; marketing employees with knowledge of the consumer information maintained by the company; human resources employees who know what private information, including protected health information, the company maintains about employees; security or facility managers who understand the company's physical security; IT personnel who have knowledge of how to secure the company's computer and technology resources; and legal advisors who can articulate the requirements that apply to the company.
Armed with a full accounting of what needs protection, an insider threat team can analyze the risks insiders pose to it, the controls in place to protect it, and seek to answer the critical question: can we do more to maximize our ability to prevent insider events without inhibiting innovation and work performance?
Experts warn it can be a rabbit hole: the more deeply security leaders examine the insider threat, the more gaps they are likely to find. But they insist that loss prevention, if it is to be comprehensive and responsive to the assets that need protecting today, must look deeply at many aspects of the insider threat.
Who, When, and Why?

All organizations, regardless of size, industry, or region, must recognize the scale of harm they might experience from an insider attack, warned consultant Tommy Hansen, CPP, Hansen Security Risk Management, in a presentation at the GSX+ security conference. "The frequency of incidents has spiked. It's truly a global challenge on the rise," he said.
But too many companies treat insider threat security as purely a hiring issue, said Hansen. "In my experience, when organizations are confronted with questions of how they approach insider risk, 'background checks' is their answer," he said. "This is not to say they're not effective, but they are not effective against people who enter an organization intent on goodwill only to later reveal themselves as an insider."
Hansen worked as project manager on the development of an insider threat self-assessment tool for the petroleum industry, which he has since translated and encourages any organization to use and adapt (see sidebar). Its fifty questions intend to push organizations to address the life cycle of insider risk and to broaden their approach to prevention. "There is a clear link between an insider act taking place and exploitable weaknesses in an employer's protective security and management process," said Hansen. "The point is that we do not rely on one category of measures, for example technological measures, and instead have a holistic approach to insider risk."
Most employees join an organization in good faith, but a bad performance review, getting passed over for promotion, or a perceived threat to their employment status can change all that, warned Lina Tsakiris, CPP, director of global corporate security programs at the Canadian Imperial Bank of Commerce, in the 2020 GSX+ presentation, "Insider Threats: Understanding the Threat Landscape." So, too, can outside stressors, such as loss of income, marital issues, or losing a loved one, all more likely in the current global health crisis.
Tsakiris said that in studies of hundreds of insider cases (from theft and fraud, to network sabotage, to the Fort Hood shooter), the insider displayed some sort of indicator in advance and often even told another employee of their intention to harm the organization. "Insider threat is very much a people problem," she said. "There is a good chance, in fact almost always, that someone was aware of the intended threat before the event occurred."
Triggering events can light the spark in cases of insider fraud and are almost certainly behind cases of insider system sabotage or hacking, according to studies by Carnegie Mellon (CM) of insider cases. It finds that "insider disgruntlement contributes directly to the rate of inappropriate technical actions taken by the insider, especially actions that facilitate the attack."
On a hopeful note, CM's Management and Education of the Risk of Insider Threat (MERIT) project finds that insiders who hack or sabotage IT systems usually tip their hand that they might do it. In 80 percent of cases, before committing cyber crimes against current or former employers, perpetrators appeared disgruntled, showed up late, argued with coworkers, and/or exhibited other performance problems. In studying sabotage incidents, researchers found worker disgruntlement fell into three familiar categories:
- The insider expected certain technical freedoms using the organization's computer and network systems but was reprimanded by management for exercising those freedoms.
- The insider expected to have control over the organization's computer and network system, but control was revoked or never given.
- The insider expected recognition or prestige from management but suffered some sort of rebuke instead, such as being passed over for a promotion.
The issue of rogue behavior among technology systems workers is not abstract. Carnegie Mellon studies of insider cyber-security breaches have found that people in technical positions are the primary culprits, and most of them had system administrator or privileged system access.
In 2018, for example, the FBI's Las Vegas Division announced it had busted an information technology professional whose job gave him access to the personal information for thousands of employees and customers. He methodically copied that information, took it home, and opened about 8,000 fraudulent and unauthorized PayPal accounts. He then applied for linked credit accounts using the stolen identities and engaged in a series of complex web transactions that ended with him at bank ATMs extracting cash from debit cards. He had eight computers running an automatic script to open online accounts using the names and identifying information he'd stolen from work.
Other data presented at the GSX+ conference suggests that corporations remain preoccupied with staff who, even if dishonest, are generally incapable of doing an organization extensive damage, while often turning a blind eye to workers who can do real harm, such as IT workers. Workers who have access to the purse strings have always presented an obvious insider threat, but in a technology-driven world, it is system operators and specialists who may be able to cause more damage than any single employee could manage to steal.
In addition to being able to cause greater damage, a worker in information systems may not actually deserve the high level of trust they typically enjoy. Some cleaning staff are dishonest, to be sure, but one in three IT employees admit to snooping through confidential information at their workplaces, like wage data and personal emails. Additionally, insider threat research shows it is rare for dishonest workers to go outside of their normal scope of work in the commission of a workplace crime. So while companies should be mindful that unscrupulous cleaning staff might steal someone's personal property, they should appreciate that the IT department may have an equal percentage of dishonest workers, and that those workers have far more valuable assets at their disposal. The same company that locks file cabinets to prevent late-night staff from poking where they shouldn't often gives IT workers the run of the network even when they don't need it, noted one cyber-security expert.
Organizational change needs to start in the hiring process. Prospective loss prevention and cleaning staff are typically examined with an eye toward "can I trust this guy?" IT workers shouldn't, but often do, escape the same scrutiny. "Identify where your organization's risks are. Who in your environment has keys to the kingdom or are in higher risk roles? How capable are they of causing harm to the organization? And then how does that compare to the risk controls in place?" said Tsakiris. "Insider prevention requires good hiring practices and applying life-cycle personnel management to rescreen and conduct enhanced monitoring for employees in higher-risk roles or who are starting to display concerning behaviors," she added.
Life-Cycle Personnel Management
Knowing that insiders are disgruntled first and strike later, experts focus on the connection between them. Within the gap, they suggest opportunity. If managers, who supervise technical workers and others in unique positions to do harm, recognize performance and behavioral problems as a possible security issue, and communicate it as such, then retail organizations can better prevent incidents.
Several experts advised security leaders to push their organizations to pay greater attention to concerning behavior by an employee following a negative work-related event, to possibly include greater monitoring of the employee's network activity. A company may not have the capacity to watch everyone's online activity all the time, in which case it's valuable to maintain awareness of employee dissatisfaction and troublesome behavior to target proactive system monitoring. Targeted monitoring of online activity by employees of concern can prevent insider theft and sabotage by immediately detecting technical precursor activity, they advise.
The reason behind insider activity is typically complex, according to Hansen. There is often more than one motivation, perhaps a toxic mix of financial troubles, a lack of loyalty, and perceived insufficient recognition. He suggested security needs to be equally layered to match it, by taking a "defense in depth" approach. It starts with looking for indicators of trouble during the hiring process (for financial, personality, and other red flags) but must extend to controls throughout the employee's lifetime.

One often overlooked risk is when employees temporarily take on roles during job vacancies. Too often, temporary privileges extended to an employee while companies fill positions are never revoked, according to Sherri Ireland, CISSP, president of Security Exclusive, a cyber and physical security consulting firm. "It's happened to me when I would oversee another department while they were looking for a new hire," she noted. "It's really important to audit to make sure your employees have access they require to do their jobs and nothing more than that." Organizations tend to do a good job advocating for the concept of "least privilege," but they often do an incomplete job of auditing whether they follow it, she warned.
Security controls also tend to grow lax around long-time employees, which runs counter to the actual threat. "Major employee fraud typically occurs by employees with at least five years' tenure," said Ireland. Case in point: the eye-popping case a decade ago when a Fry's Electronics employee of twenty years was found guilty of embezzling $66 million over four years. Or the arrest a few years ago of a wireless retailer's veteran chief operating officer who, for several years, held a secret consulting agreement with a financial services firm to provide it with confidential information regarding sales, compensation, and product launches at the retailer's 400 locations.
Ireland warned that insider theft is often committed with security controls in mind, citing an example of a retail employee who stole just under the company's $50 investigation threshold every day for fifteen years before being caught.

Malique Carr, PhD, a psychologist and vice president for TorchStone Global, a global risk mitigation and security firm, similarly warned that organizations must review their theft prevention posture against both insiders that opt for the "low-and-slow approach and skim a little off the top" and those that go for the big score.
"Employees need privileges to perform their roles effectively and responsibly, but privileges should be accompanied by controls, with segregation of duties for example," said Hansen. As such, employee monitoring and recognizing threat indicators are key elements in safeguarding a company against the insider threat, along with educating nonsecurity managers about threat indicators. Often, activity a security professional would recognize as a threat, nonsecurity personnel don't, noted one asset protection professional. "You need cyber-awareness training all the way up to the C-level," added Ireland.
Once triggered, an insider's behavior will often reveal their activities if an organization has positioned itself to notice it. Carr said common indicators may include failing to follow security protocols, questionable downloads or data transfers, changes in computer and phone use, and printing off large amounts of material. Data security tools, improved by AI, are a necessary layer of protection against rogue insiders, said Ireland. "IT activity needs to monitor for anomalous activity. Why is she coming in and downloading documents at 3 a.m.?"
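The "downloading documents at 3 a.m." indicator above is the kind of thing a simple log review can surface before a human analyst ever looks at the records. The example below is added here and is not code from the article or from any of the firms it quotes; the log line format, the business-hours window, and the two thresholds are assumptions, and the log lines are constructed. It parses document-download events, builds a per-user daily baseline, and flags a day for either off-hours downloads or a volume spike against that user's own median day.

```python
"""Flag off-hours document downloads and volume spikes per user.

Added example. Log format, thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical line format: "<iso timestamp> user=<id> action=<verb> doc=<name> bytes=<n>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"doc=(?P<doc>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2020-10-12T09:15:02 user=alice action=download doc=planogram_q4.pdf bytes=300000
2020-10-12T14:02:41 user=alice action=download doc=vendor_contract.pdf bytes=250000
2020-10-13T10:30:11 user=alice action=download doc=price_list.xlsx bytes=280000
2020-10-12T11:12:09 user=bob action=download doc=store_schedule.xlsx bytes=120000
2020-10-13T15:45:33 user=bob action=download doc=store_schedule.xlsx bytes=120000
2020-10-14T03:07:18 user=bob action=download doc=payroll_export.csv bytes=9000000
2020-10-14T03:09:52 user=bob action=download doc=customer_list.csv bytes=22000000
2020-10-14T03:12:30 user=bob action=download doc=dc_blueprints.zip bytes=41000000
"""

BUSINESS_HOURS = range(6, 20)   # 06:00 to 19:59 counts as in-hours (assumption)
OFF_HOURS_THRESHOLD = 2         # flag a day with this many off-hours downloads
VOLUME_MULTIPLIER = 5           # flag a day exceeding 5x the user's median day


def parse_log(text):
    """Turn raw log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "doc": m["doc"],
            "bytes": int(m["bytes"]),
        })
    return events


def find_anomalies(events):
    """Return (user, day, reason) triples for days that look anomalous."""
    daily_bytes = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    off_hours = defaultdict(lambda: defaultdict(int))    # user -> day -> count
    for e in events:
        if e["action"] != "download":
            continue
        day = e["ts"].date()
        daily_bytes[e["user"]][day] += e["bytes"]
        if e["ts"].hour not in BUSINESS_HOURS:
            off_hours[e["user"]][day] += 1

    findings = []
    for user, days in daily_bytes.items():
        # Median is used so that the anomalous day itself does not drag the baseline up.
        baseline = median(days.values())
        for day in sorted(days):
            if off_hours[user][day] >= OFF_HOURS_THRESHOLD:
                findings.append((user, day.isoformat(), "off_hours_downloads"))
            # A single day of history is no baseline at all, so require at least two.
            if len(days) > 1 and days[day] > VOLUME_MULTIPLIER * baseline:
                findings.append((user, day.isoformat(), "volume_spike"))
    return findings


def run_sample():
    return find_anomalies(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, day, reason in run_sample():
        print(f"{day} {user:8} {reason}")
```

On the constructed lines, alice's two ordinary days produce nothing, while bob's 3 a.m. session on 2020-10-14 is flagged twice: three downloads outside the window, and a day roughly six hundred times his median. The baseline-per-user design matters because a warehouse planner who routinely pulls large files should not trip the same absolute threshold as a cashier; the weakness a practitioner should keep in mind is the "low-and-slow" insider the article describes later, who never exceeds either threshold and needs a longer-window comparison instead.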

Continuous evaluation by technology is hugely valuable, but not as a standalone, according to Scott Stewart, vice president at TorchStone Global. "The AI tools are helpful, but they do require effective and constant analysis from a human being, a human being that is going to look at those records and put their arms around it," he told the GSX+ audience. "Humans are quite good at spotting insider threat actors. And even better if they are trained. And if there is a good program in place and they know where to report that information, and they know that the information they report is going to be examined professionally and handled confidentially, then insider threat patterns can be disrupted." Tsakiris made a similar point in her conference presentation: "Awareness of technical and behavior-based indicators that exist is the key to early course correction."
It's critical that the life-cycle approach to insider threat security extends to the end of employment, stressed several experts. "If an employee resigns, IT needs to know, and there needs to be monitoring for any unusual activity in the weeks before they leave," advised Ireland. Some studies suggest that nearly half of insider attacks on company systems are by ex-employees whose access to company systems is not revoked. Disabling access following termination is critical, and to do it effectively, organizations must have full awareness of all access paths available to each of their employees, conference presenters noted.
An access path that is unknown to management is not necessarily illegitimate, but organizations should reduce unknown access paths by identifying them, reviewing each for validity, and disabling those without a justified business need. In investigations of actual incidents, several cases have involved system administrators who created backdoor accounts with system administrator privileges, knowing that because account audits were not conducted the account would not be detected, and they could conduct an attack following the end of employment. Other insiders have configured malicious code logic bombs to go off after getting fired, knowing that their employer didn't have configuration management procedures to detect it. Finally, other technical insiders used passwords for shared accounts to get in because there was no formal tracking mechanism for access to those accounts, so they were overlooked when the worker was fired. In short, companies should not treat removing network access as a one-time procedure triggered by termination; it is an ongoing discipline of proactive, rigorous access management that makes complete removal possible when a worker is fired.
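The access review that the last two paragraphs call for, and the audit of never-revoked temporary privileges that Ireland describes earlier, come down to one reconciliation: every enabled account against the HR roster and the list of approved privilege grants. The example below is added here and is not code from the article or from any firm it quotes; the account, roster, and grant record formats are assumptions and all sample data is constructed. It flags orphaned accounts of departed staff, privileged accounts with no owner or no approval on file (the backdoor-account pattern), lapsed temporary grants, and shared accounts with no accountable custodian.

```python
"""Reconcile enabled accounts against HR records and approved privilege grants.

Added example. Record formats and sample data are assumptions, not any real system's.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]   # HR employee id; None when nobody is on record as owner
    enabled: bool
    admin: bool            # holds system administrator privilege
    kind: str              # "personal" or "shared"


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str            # "active" or "terminated"


@dataclass(frozen=True)
class Grant:
    account: str
    privilege: str
    expires: Optional[date]   # None means a permanent, approved grant


def audit_accounts(accounts, roster, grants, today) -> List[Tuple[str, str]]:
    """Return (finding, account_name) pairs for enabled accounts that need action."""
    status = {e.emp_id: e.status for e in roster}
    approved_admin = {g.account: g for g in grants if g.privilege == "admin"}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                                          # already disabled
        if a.kind == "personal":
            if a.owner is None or a.owner not in status:
                findings.append(("unknown_owner", a.name))    # nobody in HR owns it
            elif status[a.owner] == "terminated":
                findings.append(("orphaned", a.name))         # owner has left
        elif a.kind == "shared" and a.owner is None:
            findings.append(("shared_untracked", a.name))     # no accountable custodian
        if a.admin:
            g = approved_admin.get(a.name)
            if g is None:
                findings.append(("unapproved_admin", a.name)) # privilege, no approval on file
            elif g.expires is not None and g.expires < today:
                findings.append(("expired_admin", a.name))    # temporary grant never revoked
    return findings


# Constructed sample data.
ROSTER = [
    Employee("e100", "active"),
    Employee("e101", "terminated"),
    Employee("e102", "active"),
]
ACCOUNTS = [
    Account("alice", "e100", True, False, "personal"),
    Account("bob", "e101", True, True, "personal"),       # owner terminated, still enabled
    Account("carol", "e102", True, True, "personal"),     # covered a vacancy; grant has lapsed
    Account("sysmaint", None, True, True, "personal"),    # admin account with no owner on record
    Account("storekiosk", None, True, False, "shared"),   # shared login with no custodian
    Account("dave", "e101", False, True, "personal"),     # already disabled, skipped
]
GRANTS = [
    Grant("bob", "admin", None),
    Grant("carol", "admin", date(2020, 9, 30)),
]
AUDIT_DATE = date(2020, 11, 1)


def run_sample():
    return audit_accounts(ACCOUNTS, ROSTER, GRANTS, AUDIT_DATE)


if __name__ == "__main__":
    for finding, name in run_sample():
        print(f"{finding:18} {name}")
```

Two design points follow directly from the incidents described above. The roster, not the account store, is the source of truth for who still works here, which is why bob's account is orphaned even though his admin grant is formally approved. And a privileged account is judged by whether an approval exists for it, not by who created it, so an administrator-created account with no owner and no grant surfaces as both unknown_owner and unapproved_admin without anyone having to suspect it first.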
An insider threat can take many forms: employees, former employees, trusted third-party suppliers, and contractors and subcontractors. While nefarious motives are certainly behind many insider incidents, Tsakiris said organizations also need to examine how simple mistakes can lead to data leakage, exposure of sensitive materials, or unwittingly cause loss. As the cause of 44 percent of data loss incidents, the unintentional employee insider, either negligent or unwitting, is the single greatest source.
"They are actually the biggest risk," said Tsakiris. "This is the employee who simply didn't follow policy and isn't even aware of what they did." She said it underscores the importance of building an insider risk program around a holistic approach that includes providing education to workers and creating a workforce culture of security and data protection. "That figure also tells us that we need to be keenly aware of what both malicious and nonmalicious threat indicators look like and to not wait for a threat event to occur for a first point of contact with the insider."
Mario Paez said retailers should be particularly mindful of the risk from the inadvertent or negligent practices of vendors and suppliers. He cited a case last month when an electronics manufacturer was hit by ransomware, potentially posing a risk to large retail partners, which were quick to identify it. "The retailers had some very good vendor risk management and auditing processes in place to react to the incident to make sure their systems were not affected and to assess if their supply chain was going to be impacted," he said. "Ideally, this is an exposure where retailers should train more eyes and ears. Currently, there is probably not enough attention on that aspect of the insider risk."
NetSPI's Florindo Gallicchio agreed, telling LP Magazine that he's found vendor/employee collusion to be an underrecognized threat by retail organizations. "Shoplifting by customers and employees and underpaying at self-serve checkout lines [are recognized]. Not enough consideration is given to insiders leveraging external/third-party sources to perpetrate a crime," he said. Risk is present whenever a retailer uses a third party for generating or supporting their business, he warned. "Retailers must strengthen their procedures and apply accounting checks to every transaction to stop this theft."
Both Stewart and Hansen stressed the importance of organizational culture in either preventing or promoting insider activity. Security and loss prevention leaders need to be honest about the culture they have if they are to align security controls with the insider threat level. Warning signs accompany insider threat activity, but whether they will be identified, reported, and addressed depends a lot on a retail organizationโs existing culture.
"If you develop a good workplace culture, one that cares for people and shows that care, then issues or experiences that might otherwise be triggering events can be a chance to help employees," said Stewart. "People are more willing to discuss and report issues when there is a sense that the company is interested in helping employees and when it's not a death sentence for reporting someone's issues or troubles." Early intervention not only helps prevent insider threat but also results in greater productivity and employee retention.
"A good security culture is vital, and trust is an important issue," agreed Hansen, noting that line management plays a particularly important role. "Research indicates that when employees are happy, they thrive. And if they are treated fairly, they are less likely to become insiders. Tell insiders that the organization trusts them but be clear when people join and when rules change that the organization expects them to protect the information and the systems to which they have access. Impress upon them that they have a personal responsibility to uphold the trust and then make trustworthiness concrete for them by describing what are acceptable and unacceptable behaviors."
Under a New Normal
"During this time of pandemic, major real-world stressors like financial strains from family members losing work, health crises, family deaths, relationship strain leading to breakups, coupled with people not having access to normal coping strategies and support systems, have really created this perfect storm for insiders to act out in ways they wouldn't normally," said Dr. Malique Carr.
Experts note that, in some ways, remote work and workforce changes make the insider threat more manageable, in other ways more complicated. A malicious insider may not have the necessary physical access to commit some acts (to an office, or network, or company printer, for example), but they also may be harder to identify as they move through that insider threat kill chain. Regardless, they say, all retail organizations need to review how insider risk may have changed during the pandemic.

The COVID-19 pandemic has brought immeasurable financial, physical, and emotional stress to the world, explains Val LeTellier, an insider risk consultant, former counterintelligence officer, and chair of the Insider Threat Committee on the ASIS International Defense and Intelligence Council. "And make no mistake. Just as ordinary stress levels push insiders to action, extraordinary stress levels push more insiders to greater action."
In the store environment, the impacts could be profound, thinks Ian Kelly, vice president of operations at NuLeaf Naturals. "I think it is important to remember that employee theft occurs under some specific circumstances: feeling like they are 'owed' something and desperation," he told LP Magazine. "If, as a company, you have been unable to provide enough hours or are cutting corners when it comes to employee support and safety, you will see an increase in employee theft."
A lack of resources could compound retailers' troubles. "COVID-19 has certainly changed the nature of the insider threat for retail organizations, and given the reduced workforce retailers are employing, there is reduced monitoring," warned Gallicchio. Reduced capacity at retail stores to combat attacks could lead to more opportunities for attackers to steal, he suggested.

In the current environment, loss prevention and employee relations are more intertwined than ever, suggests Kelly. "This is a time when employees need to be shown they have value as well as humanity. Doing anything less than this will inspire them to retaliate," he said. "Even if you are unable to retain all of your employees or give hazard pay, try to give support in other ways." These include being transparent in communications, extra perks, perhaps steeper employee discounts, and being supportive of employees when they must deal with confrontational customers who put their safety at risk. "You must give employees reasons to be loyal, especially during difficult times when everyone is struggling," said Kelly.
LeTellier said many companies' temporary remote work programs are drifting toward permanence. Expect remote work to continue to grow, he said. "With more employees working from home, plus those already working from client sites on the road, the result is an amorphous digital fence, with insiders having greater responsibility but far less direct oversight."

Alex Sharpe, principal at Sharpe Management Consulting, characterized COVID-19 as the ultimate accelerator for remote work. "Dining room tables became desks. Bedrooms became home offices. Suddenly 42 percent of people were working from home," he said during his GSX+ presentation, "Securing the Remote Worker and the Cloud." In-store retail and grocery operations remain familiar, but corporate office models are changing as they are in just about every industry, he said. It complicates conventional insider risk prevention and degrades traditional early warning resources.
"Everything is hybrid, not completely in the cloud and not completely on-premises. The question becomes, then, how do we ensure access control across all applications no matter where the user is located?" said Sharpe. "We're going to rely more on the remote worker to have good cyber hygiene, and since remote workers very rarely work exclusively from home, usually working in multiple locations and often coming back to the office, we're going to have to have security processes and policies that transfer across the different environments."
When the perimeter is porous, identity is critical, as it provides the basis for access control and user permissions. But identity management is all based on a โsource of truth,โ warned Sharpe. โWho are the employees? Who are the contractors? Are they still employed? Whatโs the location? Whatโs the contact information? And then privileges are formed around that. Unfortunately, most sources of truth are out of date,โ he said.
Where organizations tend to have a problem, said Sharpe, is failing to update permissions to align with employees as their status and duties change. โA lot of breaches occur because a terminated employeeโs account is compromised, and thatโs only going to increase.โ
Threat indicators are also different for employees of retail organizations who are now working from home, many for the first time.
With respect to the unintentional insider risk, there is the potential for sleep issues, greater substance use, or additional stress from multitasking with extra issues at home, and it can be hard to see workers' level of distraction or disengagement remotely, said Dr. Carr. "This could also be the person who is just not very tech savvy, who might have outdated protection on their home networks, or just someone who is very trusting and open." Managers should be mindful to watch for an increase in mistakes, late-night emails, alerts that they click on potentially malicious links, oversharing on social media, or poor boundary issues when it comes to work information. "These are employees who now may unwittingly become insiders."
"Since COVID-19 there has been an explosion in accidental sharing," according to Sharpe, referring to nonmalicious accidental leaks of company information. As a percentage of information breaches, this has seen a 30 percent increase, he said. "In general, this kind of thing is fairly easy to take care of with awareness training, but as we get into the new normal, it's something we clearly have to watch."
The malicious insider risk in work-from-home arrangements is also evolving with COVID, warns TorchStone Global's Scott Stewart. "It's easier for employees to fall into insider threat patterns because of stressors, and the two big tools we've had to stop it in the past are observation and cohesion. Cohesion leads to loyalty and feelings of responsibility, and that's been lost in many organizations," he said, along with less direct observation. Because of fewer "human sensors," organizations may have to rely more on technical monitoring for insider threat activity.
Training can also help, and many companies have stepped up their training, according to State of Cybersecurity, a study by CompTIA released in September. Training, more advanced technology, and greater use of cyber insurance are the three ways the study found organizations responding to heightened cyber threats during COVID-19.
Culture Matters
Malique Carr cited a case from May in which a customer service rep was bribed by an external party to provide information on 164 million active users of an online gaming platform. "It was suggested that the worker felt they weren't being adequately compensated," she said, noting that such grievances can be harder to pick up on in remote work. The role employees play in systems vulnerability is clear when examining threats by the numbers. Data show 38 percent of system penetrations involve a cooperating insider, Sharpe said. "This number has remained basically stable over the past ten years, roughly two in five."
Customer service representatives (CSRs) are currently a particular area of concern, said Sharpe: "By the nature of their duties, to resolve customer issues, they need to have more access and capabilities than most system users. And recruitment of CSRs appears to be on the rise. One development that's been reported anecdotally is that the number of CSRs being approached to sell corporate information has gone through the roof."
Workers now could be more susceptible to the pitch. Without the peer review from working alongside other employees, natural checks and balances are missing, Sharpe noted. And when it comes to stealing and selling sensitive or proprietary data, the timeline of the insider threat kill chain accelerates when an individual is recruited, warned Stewart.
A recent study by RedOwl and Intsights found front-line retail employees to be frequent targets of sophisticated criminal actors. "Our research showed continued recruiting of retail workers that have access to consumer credit card information," according to Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web.
Employees may be more drawn to commit large insider fraud in the current climate, warns Carr. "Those engaged in insider fraud are likely to have financial stressors, and it may be much easier for someone to engage in fraud if they're working remotely and don't feel a sense of attachment and loyalty to a company or their coworkers." Tip-offs may also be harder to spot; Carr said these may include violations of company financial policy, possible data manipulation, getting a bit too chummy with suppliers, suspicious expenses, or demonstrating excessive control over financial duties. "The insider might also show signs of living large, or larger than you would expect given their position, but when it comes to remote work, you might have to look for more of these signs on social media," she said.
The malicious ex-worker also demands additional attention in today's changing work environment. "Especially with remote employees, there needs to be a plan in place to eliminate all access points, retrieve all sensitive data, materials, equipment, and credentials ahead of termination, as it could be really hard to retrieve equipment after the fact," said Carr.
Sharpe agrees. "Employee termination is the hardest one," he said. When remote terminations replace those done in person, the traditional catalysts for cutting off credentials are absent. "The moment someone is terminated, shut off everything: their devices, access to applications, their VPN, their MFA. Just have a policy and procedure, automated as much as possible with checks, to terminate it," he said. "I cannot tell you how many times I have run into situations where something didn't happen because a termination wasn't handled personally." The potential loss from a major incident is substantial, but even minor cases, such as a terminated employee using a company credit card for months afterward, are still costly.
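Sharpe's two points above, that permissions drift because the "source of truth" is not kept current as status and duties change, and that termination has to shut off everything through a procedure that is automated and checked, both reduce to the same reconciliation job: compare what the identity directory grants against what HR says each person is. The script below is an added example and is not code from the article or from any of the firms it quotes. The HR roster, the directory export, the role-to-group mapping and every field name in them are constructed assumptions about what an HRIS and an identity provider would export; the corporate card is modelled as living in a system the identity provider does not control, which is exactly the kind of loose end the post-termination check is meant to catch.

```python
"""Reconcile an identity directory export against the HR roster (the
"source of truth" for who is employed and in what role), and verify an
offboarding run actually revoked everything.

Added example, not code from the article or any vendor it mentions. All
data below is constructed; the field names are assumptions about what an
HRIS and an identity provider (IdP) would export.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed mapping: the directory groups each HR role may legitimately hold.
ROLE_GROUPS = {
    "cashier": {"pos-users"},
    "csr": {"pos-users", "crm-readers"},
    "it-admin": {"domain-admins", "vpn-users"},
}
TODAY = date(2020, 10, 5)   # fixed "now" so the run is reproducible


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str                       # "active" or "terminated"
    role: str
    term_date: Optional[date] = None


@dataclass
class Account:
    person_id: str
    username: str
    enabled: bool
    last_login: Optional[date]
    vpn: bool = False
    mfa_tokens: int = 0
    groups: frozenset = frozenset()
    corp_card: bool = False           # held in a system outside the IdP


# Constructed HR roster and directory export.
HR = {r.person_id: r for r in [
    HrRecord("p1", "active", "cashier"),
    HrRecord("p2", "terminated", "csr", date(2020, 8, 14)),
    HrRecord("p3", "active", "csr"),
    HrRecord("p4", "active", "it-admin"),
]}
ACCOUNTS = [
    Account("p1", "amy", True, date(2020, 10, 1), groups=frozenset({"pos-users"})),
    # Terminated in August, yet login, VPN, MFA, groups and card are still live.
    Account("p2", "bob", True, date(2020, 9, 20), vpn=True, mfa_tokens=1,
            groups=frozenset({"crm-readers"}), corp_card=True),
    # HR says CSR, but the account has picked up an admin group.
    Account("p3", "cat", True, date(2020, 10, 2),
            groups=frozenset({"crm-readers", "domain-admins"})),
    # Active employee who has not signed in for months.
    Account("p4", "dan", True, date(2020, 5, 3), vpn=True, mfa_tokens=2,
            groups=frozenset({"domain-admins", "vpn-users"})),
    # No HR record at all: an orphan or an unregistered contractor.
    Account("p9", "svc-legacy", True, None, vpn=True),
]


def live_grants(acct: Account) -> List[str]:
    """Everything that still lets this account do something."""
    grants = []
    if acct.enabled:
        grants.append("login")
    if acct.vpn:
        grants.append("vpn")
    if acct.mfa_tokens:
        grants.append("mfa x%d" % acct.mfa_tokens)
    if acct.groups:
        grants.append("groups:" + ",".join(sorted(acct.groups)))
    if acct.corp_card:
        grants.append("corp-card")
    return grants


def reconcile(hr, accounts, today: date, stale_days: int = 45) -> List[Tuple[str, str, str]]:
    """Return (username, finding, detail) for each account that disagrees
    with the source of truth."""
    findings = []
    for a in accounts:
        rec = hr.get(a.person_id)
        if rec is None:
            findings.append((a.username, "NO_HR_RECORD", ", ".join(live_grants(a))))
            continue
        if rec.status == "terminated":
            grants = live_grants(a)
            if grants:   # anything live after the term date is an offboarding gap
                age = (today - rec.term_date).days
                findings.append((a.username, "TERMINATED_STILL_LIVE",
                                 "%dd after term: %s" % (age, ", ".join(grants))))
            continue
        extra = a.groups - ROLE_GROUPS.get(rec.role, set())
        if extra:   # privileges that do not follow from the current HR role
            findings.append((a.username, "PRIVILEGE_DRIFT",
                             "role %s holds %s" % (rec.role, ",".join(sorted(extra)))))
        if a.enabled and (a.last_login is None or (today - a.last_login).days > stale_days):
            findings.append((a.username, "STALE_ACTIVE", "last login %s" % a.last_login))
    return findings


def offboard_in_idp(acct: Account) -> List[str]:
    """Run the IdP-side revocations, then re-read the account. The post-check
    is the point: whatever it still reports is held by a system the IdP does
    not own (here the corporate card) and needs its own runbook step."""
    acct.enabled = False
    acct.vpn = False
    acct.mfa_tokens = 0
    acct.groups = frozenset()
    return live_grants(acct)


if __name__ == "__main__":
    for f in reconcile(HR, ACCOUNTS, TODAY):
        print("%-12s %-22s %s" % f)
    bob = next(a for a in ACCOUNTS if a.username == "bob")
    print("after IdP offboarding, bob still holds:", offboard_in_idp(bob))
```

Run as a scheduled job against real exports, the four finding types map onto the article's concerns: TERMINATED_STILL_LIVE is the compromised ex-employee account, PRIVILEGE_DRIFT is permissions never re-aligned with duties, STALE_ACTIVE and NO_HR_RECORD are the out-of-date source of truth. The offboarding check deliberately reports the card after the identity provider has done its part, which is how the "minor" months-of-card-use case gets caught.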
Even the risk of insider workplace violence may be affected by today's world of work. "The remote work environment can be a backdrop to workplace violence, like when delivery personnel use their position to sexually assault a customer, or the recent case in which a man was arrested for a string of interstate shootings while working for a major shipping company," said Carr.
Compounding the risk from both intentional and unintentional data leakage is that organizations are increasingly making sensitive data available to workers at "endpoints," which in the case of a remote worker means their home. Sharpe said data show a 41 percent increase in such endpoint data since COVID-19, accelerating an existing trend. "With COVID and remote workers, that endpoint is now outside of our castle. They're not on our network, and we don't physically control the space."
And, often, it means sensitive data resides on insecure devices. Some 90 percent of laptops, for example, are running two versions behind, including patch levels, according to Sharpe, who added that this is the vulnerability through which 60 percent of data breaches occur. "Hackers know that there is now a window, where all the basic blocking and tackling that we have inside the castle is not in place in a remote office, and they try to take advantage of that," said Sharpe. "They also know that many corporations have spent a lot of time focused on physical and technical controls, but they haven't instilled a true cyber-security culture, at least not a cyber culture that is appropriate to a home office, so they're trying to exploit that before that changes."
Peer pressure tends to reinforce good security practice, and out of view of colleagues, unsafe cyber practices can go unnoticed, Sharpe noted. A colleague of his who runs compliance for a major insurance company told him that, since COVID-19, reports to their security hotline have fallen to nearly zero as watchful eyes are removed from the equation. Remote work does make some threats less likely, such as someone exploiting sensitive information they find in a printer tray, but it changes the threat rather than eliminating it, and security must retool to fit.
Sharpe noted that remote work also tends to make workers feel less connected to the enterprise and, because they do not get the routine feedback natural to in-person environments, often less secure in their employment prospects. Both are triggers that can turn a loyal LP team member or other employee into a potential threat to the organization.
In short, insider threat prevention is getting more complicated. As such, it becomes even more important for organizations to be intentional in getting to know employees, according to Carr. "To be aware of which employees may be more susceptible to becoming an insider, to watch for precipitating events, and to always be screening for possible indicators of insider threat with every online and offline interaction," she said. "We need to ensure it stays top of mind even while employees are out of sight and to work really hard to create and maintain community and connection."
Additional Resources
There are many different aspects to the insider threat. The following LP Magazine resources delve deeper into some of them. Each of these articles is linked on the magazine website, LossPreventionMedia.com.
"The 'Why' Behind Intellectual Property Theft Cases"
"How to Keep Data Secure from Insider Threats"
"Supply-Chain Security Issues: Reducing the Risk of Data Breach"
In addition, download the PDF "Insider Risk Self-Assessment Tool," available to help security departments benchmark their internal policies and procedures against global standards.
25 Tips for Preventing, Detecting, and Responding to Today's Insider Threat
Below are quotes compiled from interviews with security consultants, technology officers, LP executives, and expert presenters at the 2020 ISC and GSX+ conferences.
- A governance model is a key foundation of an insider risk program.
- Retailers that segregate systems and are compliant with all required data security and privacy safeguards already greatly reduce insider risk, but you need to stay compliant and keep auditing.
- Use tabletop exercises to examine how your organization would respond to different changes in employee behavior and in a range of different insider threat events.
- Educate senior people about insider threats to prevent an overly "trusting" attitude from flowing from the top down.
- To avoid a conflict of interest, incidents captured by an employee hotline or "ethics line" should be accessible by more than one department: HR, legal, security, internal audit, or others.
- Create an insider incident response plan.
- Review controls for time and attendance fraud: it is both exceedingly common and more costly to organizations than most realize.
- Whenever you hire a contractor or consultant, you need to confirm that the individual is not a former employee who was fired for cause.
- Business partner access to computer networks should be accompanied by a formal permission request and an internal business case for why network access is needed.
- Any manager who supervises tech workers who can sabotage company systems should be trained on relevant risk markers, including emotional outbursts, black-and-white thinking, inability to take constructive criticism, and disengagement.
- Social media is an excellent early warning source of potential insider threat activity.
- Insider threat programs can harm morale if operated carelessly. Run all insider threat program activity through a prism of employee privacy and morale issues. Ask, "Does it bring true value to your strategy?"
- Bring a whole-threat approach to an insider threat program.
- Be mindful that money is probably in short supply for company insider risk programs and use that to guide how you advocate for reducing insider threats. A key issue is how you are going to measure and show a return for effort spent to reduce the insider threat.
- Company risk managers are valuable but often underutilized assets for preventing insider threat activity.
- Rotating roles is an excellent practice to ensure redundancy in an organization, improve morale, and deter employee fraud. Separation of duties is an internal business control that helps prevent fraud and identify errors.
- Whether or not you have an established insider threat program, you are probably dealing with insider incidents. It's important to step back to view how they are being handled and see if there are ways that coordinating the effort might provide efficiencies or reduce risk.
- Including security in new employee orientations can help build a security culture and foster a culture of trust around security issues that makes insider threat activity less likely.
- Top executives can be unintentional insiders. By posting pictures of a family vacation in Spain on Instagram, for example, they create opportunities for spoofing attacks.
- Training the team that is going to be doing an internal investigation is critical. You want to make sure they understand what the process, procedures, and protocols are and that they don't do their own thing, not only because privacy and employee relations are on the line in insider investigations, but also to avoid overlooking something or missing part of the process.
- Evaluate contracts for whether they prohibit files from being transferred across unprotected networks/systems, a requirement that home/personal systems won't meet.
- Background checks for store employees need to be particularly rigorous for individuals who are going to have access to critical or sensitive data. Especially at middle market retailers, these checks are frequently too cursory.
- Data breach detection, investigation, and response protocols are critical because too often retail organizations have problems detecting and dissecting breaches. It's why some surveys report external hacking is the source of most incidents while others say it's insiders.
- Companies allocate resources to protect customer, medical, and payment card information, as they should, but more emphasis needs to be placed on protecting the intellectual property and data that has intrinsic value. If IP is lost, it can cause long-term competitive harm.
- If the issue is solely data leakage, then IT pros can carry the heavy load. But when motives are more sinister, security leaders need to step in.