Refocusing on the Remote Insider

By Claire Meyer, managing editor, Security Management

Insider threats have long been an issue of concern for security professionals. Whether they are acting unwittingly or maliciously, employees, contractors, and other insiders can put intellectual property, data, assets, and other people at risk. Now, with workforces worldwide shifting to remote work due to the coronavirus pandemic, security leaders are shifting gears to focus on how to monitor for threats when employees are out of sight.

For an update on this topic, Security Management magazine checked in with Val LeTellier, chair of the Insider Threat Committee at the ASIS Defense and Intelligence Council and author of How to Create an Insider Threat Early Warning System for a Remote Workforce from Security Management’s May 2020 issue. LeTellier will be presenting on this topic on Thursday, 24 September at GSX+, along with operational psychologist Dr. Malique Carr and corporate security senior strategist Scott Stewart.
Read more about the upcoming session here, and learn more about GSX+ here.

Security Management: How do remote workers create unique risk to the organization?

Val LeTellier: Put simply, remote workers create unique insider risk because an organization has far less control over the workplace environment and far less observation of employee behavior.

Control is important because insider risk countermeasures can be reinforced far more easily when workers are on-site. Within their own office, an organization can ensure that specific information technology infrastructures are used, that data and material is handled and stored in a certain way, and that the physical environment enables other security practices and policies. Outside their own office, the organization loses standardization and control and must take on the challenge of instituting, monitoring, and enforcing security measures within each employee’s different environment.

Beyond the physical reinforcement of security measures, the traditional workplace includes more nuanced value—in the form of social and group cohesion. This is important because in all workforces, the building of authentic relationships between workers creates a satisfying bond between employee, manager, and the organization. While beneficial to job satisfaction, morale, and productivity, this bond also strengthens organizational resiliency to insider attacks because cohesive groups have higher levels of trust and emotional unity and tend to look out for each other. Conversely, a lack of organizational cohesion can create or exacerbate negative issues, increase stress, and prevent timely responses to suspicious or disruptive behavior.

The second way in which remote workers create a unique risk is by the degraded level of organizational observation. This is important because independent behavioral assessment has traditionally been a leading way in which malicious behavior identified. Specifically, fellow employees and managers have played a large role in identifying threats.

With remote workers, this early warning resource is limited to email, conference calls, and occasional meetings, which can fail to provide enough exposure to for others to identify early indicators of problems. This is best illustrated in by the path an employee takes along the “insider kill chain.” With on-site employees, this process occurs is largely under a leader’s oversight, and those close to a potential attacker may recognize and report behavioral changes. With off-site employees, all bets are off.

The value of observation is even more relevant when the impetus for the accelerated remote work movement—the COVID-19 pandemic—is considered. Insiders are often driven forward by critical events, and the world is in the middle of a generational critical event. The related financial, emotional, health, and co-habitation anxiety brought on by the pandemic will naturally move some susceptible insider personalities to action either on their own or through outside manipulation. Without the daily in-person engagement of the traditional workplace, early indicators will be more difficult to spot.

Taken together, the expansive recent growth of remote work has created a new paradigm in which traditional insider risk countermeasures are degraded while the factors leading to insider action are simultaneously exacerbated.

Security Management: What else will security professionals learn about this topic in your GSX+ session?

Val LeTellier: By nature, insider risk programs for both on- and off-site workers are unique for each organization. They must be tailored to the organization’s risk profile, goals, strategy, resources, and culture.

Thus, the intention is not to provide participants a remote workplace insider threat checklist but to equip them with an understanding of the paradigm shift that is created by the remote work movement and highlight the window of opportunity they have to strengthen programs before temporary changes become permanent.

Using the remote workplace perspective, we then have an operational psychologist review the personality types known for different insider attacks, their common characteristics, and common precipitating events.

Based upon this, we together offer considerations for developing remote workplace strategy and tactics. Understanding that funding for insider threat programs is limited, these practical recommendations focus limited resources on the most relevant and impactful insider risk, with results that will not only improve insider resiliency but also overall morale and productivity.