27-29 September 2021
Orlando, FL, USA | Online

The Insider Threat: What Hath COVID-19 Wrought?

By Michael Gips, CPP, principal, Global Insights in Professional Security

The COVID-19 pandemic may well be the most consequential phenomenon that the security profession has had to deal with. One slice of that consequence, albeit a big slice—has come in the form of increased insider incidents and threats. Having presented last month on a GSX panel on that topic, I offer some context and recommendations.

Let’s look first at what COVID hath wrought. Phase 1 covers the first few months after the pandemic set in. I call it “The Great Dislocation.” This phase was characterized by (1) rapid transition to work-from-home, (2) quick dispatch (or purchase) of devices that may not have been updated or configured correctly to (3) workers who were not used to using network resources from home and (4) had little security training. This resulted in (5) basic security protocols being ignored. Capping it off, (6) security was bombarded with new duties, including health screening, access control, and social-distance monitoring.

Phase 2 I refer to as “The Great Hibernation.” People realized that the pandemic would not be fleeting, and their lives filled with Zoom meetings, cabin fever, and the blurring of lines between home and work life. Children might play games on Mom’s work computer or use apps on her smartphone. In one case, a child took and posted a photo that happened to capture a parent’s computer monitor that displayed highly sensitive proprietary information.

As the pandemic dragged on, fears rose—what I call “The Great Trepidation.” Staff worried that their jobs, benefits, or even employers wouldn’t last. Many became distraught, depressed, and emotionally unstable. An American Psychology Association survey shows that half of all adults have exhibited negative behavior due to the pandemic, such as lashing out at loved ones. These feelings sometimes engendered resentment of their employer and a desire to get what they thought they deserved, perhaps through theft, sabotage, or corporate espionage. Security, HR, and management had to address concerns such as abusive staff behavior or violence committed at home.

Then we pivot to what has been commonly called “The Great Resignation,” in which millions shed their employment. Factors were many: fear of contagion at work, shifting life priorities, caring for children not physically attending school, the dread of commuting, vaccine mandates, and so on. More than 11 million U.S. workers quit their jobs from April to June 2021 alone. Another 4.3 million quit in August. Almost 50 percent of employees are actively seeking new opportunities. Another 41 percent of workers are considering quitting, including 54 percent of the youngest cohort, Generation Z.

It’s become common for companies to poach workers and for interviewees to ghost prospective employers. Human resource departments have become so desperate for talent that they might lower standards or sacrifice background checks—thus introducing further insider risk.

Overlapping The Great Resignation is a phase I’ve dubbed “The Great Reallocation.” Organizations are figuring out what constitutes the new normal, such as staggered schedules, hybrid office and work from home, and social distancing. Companies are finding that staff have forgotten basic policies and procedures, requiring re-onboarding much of the workforce. Meanwhile, returning workers who have built new lifestyles worry whether their employers have revisited their policies on maternity/paternity leave, elder care responsibilities, working with unvaccinated people, and creating a hybrid workstyle that is fair to all staff. This web of issues potentially creates a toxic and volatile workplace.

If that wasn’t enough of a perfect storm of insider threat, add the following: (1) political, economic, and social turmoil involving social justice groups, antigovernment agitators, anarchists, QAnon, antimaskers, anti-police protesters, and so on; (2) distrust of basic institutions such as health authorities (COVID denial, etc.), the voting system (a “stolen” presidential election, etc.), and anti-corporate activists (China targeting large Western brands such as Nike and H&M, etc.); and (3) ransomware actors reaching out to alienated staff, offering life-changing paydays.

So how do you navigate this treacherous landscape? Here are my top 10 considerations.

  1. It all begins with people. Listening to, showing empathy for, regularly engaging with, and providing meaningful work and growth opportunities to your staff are all imperative. A fulfilled and respected worker is a loyal and happy worker.
    • Regular check-ins (at least weekly) with remote workers
    • Periodic in-person check-ins with direct reports
    • Revisiting policies and procedures in the new WFH environment
    • If you will be using productivity-monitoring tools, be transparent about it and explain the rationale
    • That culture must permeate the enterprise, including sponsorship, support, and commitment from the very top and across departments and divisions.
  2. Likewise, an insider-threat program must have the commitment of leadership and buy-in across the enterprise
  3. The best time to address insider threats is before hire; conduct background checks, etc. accordingly
  4. Most insider activities are identified through worker tips. Maintain an easy-to-use anonymous reporting system
  5. Inventory measures that you already have
  6. Consider pilot activities and iterative short-term tasking
  7. Institute regular security awareness training and refreshers, with positive incentives; consider gaming approaches to training
  8. Don’t forget to consider the full range of insider threat beyond espionage, fraud, etc. and identify who will have responsibility (e.g. drug trafficking, smuggling, sabotage, harassment)
  9. Also don’t forget to include contractors, business partners, clients, visitors, and staff family members among potential insiders
  10. Consider an insider-threat working group to implement strategy, collect metrics, adjust policies, and track goals and milestones

Thanks to Randy Trzeciak, my GSX copresenter, for his contribution to this list.