Before building effective defences against insider risks and threats, organisations must understand why some employees are susceptible – as Nietzsche pithily put it ‘[w]hen you know your ‘why,’ you can endure any ‘how.’’ In this note, we mention factors and circumstances that may suggest heightened susceptibility. Individualised factors can include:

  • Personal vulnerability – Could include drug and alcohol misuse, unmanaged mental health problems, family turmoil, or out-of-control debt. Each element can also contribute to recklessness or carelessness in the workplace.
  • Workplace dissociation – Where resentment and a desire to retaliate supplant the duty of loyalty to the organisation. Dissociation may be driven by feelings of organisational injustice, or low morale driven by poor working conditions or culture. Dissociation can also arise from following an ideology which conflicts with the goals or activities of the organisation.

Contextual factors can include:

  • Ease of access to key assets – These include cash, confidential data, IP, or important equipment, which if stolen, disclosed, altered or damaged could undermine the organisation’s operation, worth or reputation. Employees with access to key assets, particularly where a high degree of trust and autonomy is vested in them, should sit in a higher category of insider risk, particularly if any of the other factors are evident.
  • Organisations of interest to external agents – External agents include business competitors, activist groups, organised crime, and nation states, which want to exploit insiders to achieve the external agent’s goals. Techniques used to compromise an employee are ‘honey traps’, blackmail, and bribery in its different forms. Susceptible employees like those described above will be attractive to malign external agents.

Assessing an employee to be an insider threat is significant and entails careful judgement. Organisations therefore need the best possible picture before being able to make an evaluation of threat and risk, balanced against respecting workers’ privacy and other rights.

[Figure: Why do employees become insider threats?]

In the above figure, the four personal and contextual factors are represented as intersecting continuums where an organisation would logically seek to achieve lower-risk state ‘A’, whilst avoiding higher-risk state ‘B’. In this way, an organisation can set about developing some goals for its insider risk management (IRM) strategy.

What may be most noticeable in state A is that employees have fewer personal stressors and feel more loyal to their employer. It is likely that such employees are more resistant, and less susceptible, to becoming insider threats. From this perspective, an organisation that listens to, supports and helps its workers is more likely to operate in state A. Relevant activities would include employee assistance programmes, effective whistleblower/speak-up schemes, engaged and pro-active management, reasonable rewards, and fair working conditions.

However, let us not create the impression that effective IRM is only about the softer aspects of good management and leadership. Other technical and professional practice elements also apply, but state A organisations are more likely to work better as teams, to communicate effectively to create a better purview of risk, and to operate more decisively, efficiently, and in a coordinated way. Above all else, acceptance that insider risk can affect your business allows for early preparation of organisational defences that identify and address potential insider problems sooner rather than later.

If you are interested in understanding more about how well prepared your organisation is to address insider threat and risk, complete our IRM Snapshot; it’s free, only takes a few minutes to complete, and provides an immediate feedback report to you.