A narcissistic co-worker who seeks constant validation could just be a high-performing, trustworthy, valuable employee or she could be an “insider threat” — a rogue employee with inside knowledge or access who might deliberately or inadvertently cause harm to the whole organization.
While almost two-thirds of Canadian organizations believe they can handle most forms of insider threat, only one in seven has a specific internal definition of the threats it faces, according to a Conference Board of Canada report.
Understanding what drives insiders to take destructive action is a crucial step in preventing harm to the organization, said Preventing, Mitigating and Managing Insider Threats, based on a survey of 115 employers.
Organizations often run into two barriers that impede their ability to deal with insider threats. First, organizational leaders can perceive incidents as largely unpredictable and obvious only after the fact. Second, many believe that because their organization’s business, assets or vulnerabilities are unique, they cannot learn and apply best practices from other organizations, said the Conference Board.
“Malicious actions or unintended mistakes on the part of employees, contractors and other insiders will always represent potential threats to organizations. Managing insider threats begins with understanding the common characteristics of people who could represent a threat,” said Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board.
“The key to prevention lies in determining whether the desire for validation is so strong that individuals will resort to inappropriate acts if they believe that they are not receiving the recognition or entitlement they expect.”
Key findings of the survey include:
•Few organizations (14 per cent) have a specific internal working definition of “insider threat” and those that do define it very broadly.
•Privacy and information breaches are seen as the most significant threats (by 94 per cent of respondents), followed by workplace violence (67 per cent), fraud (58 per cent) and theft, loss or damage (53 per cent).
•Two-thirds of respondents (65 per cent) said they felt their organizations could successfully manage most insider threats; 27 per cent said they could handle some cases; four per cent said their organization could not handle a threat.
•Almost one-fifth of organizations (19 per cent) provide no employee training on how to handle insider threats.
A focus on prevention should be an organization’s first and strongest line of defence, said the Conference Board. To prevent insider threats, organizations should do the following:
•Determine their risk tolerance for loss, damage, or disruption.
•Determine how the insider threat is defined across different internal management areas and departments.
•Change their focus from responding to insider threat incidents to preventing insider threat incidents.
•Provide employees with regular training on insider threats.
•Place more emphasis on identifying insider threat behaviours.
•Encourage ongoing communication between the organization and its employees.
•Develop clear policies around employee surveillance strategies.
•Clearly articulate roles and responsibilities for identifying and managing insider threats across the organization.
•Conduct more interdepartmental outreach to capture the insights of managers from different disciplines on responding to insider threat issues.
•Require interdepartmental insider threat teams to establish formal meeting times, practices, and procedures.