Elsine Van Os, CEO of Signpost Six, is a clinical psychologist and intelligence and security expert. She recently shared insights about how psychology plays a role in insider risk, and how organizations can use these insights to detect and prevent employees from becoming insiders. Read our Q&A with Elsine:
Code42: Why is insider risk a more important area than ever for organizations to address?
Elsine: Every organization has data, people, processes and assets to protect. No organization is exempt from insider threats and risks. Although the attack methods vary, the primary types of insider acts — theft of intellectual property, sabotage, fraud, and espionage—continue to hold true and are exponentially increasing with the expanding use and reliance on digital technology. An increased focus on improving external defenses shifts the risk from an outsider to a trusted insider trajectory. Whether they are influenced by outsiders or not, insider risk is potentially much more damaging for an organization. The number of incidents — as well as the impacts — are increasing in recent years and organizations are starting to understand the need to address insider risks more proactively.
Code42: What predictions do you have regarding insider risk and how security will continue to adapt?
Elsine: Security will always have to adapt. When new defenses arise, there will be new ways in which these defenses will be circumvented. What I sincerely hope is that insider risk will not be just another security matter in the future, but a mindset that will be carried throughout an organization. By that I mean organizations give cross-functional attention to insider risks throughout the employee lifecycle, from the screening process to even after departure, and from HR to legal, business units, (information) security and all other relevant departments.
Code42: What’s one piece of advice for teams considering an insider threat program?
Elsine: Start with a quick scan that reviews the threats against and within your organization, the vulnerabilities of your sector and specific organization, and the level of maturity of your countermeasures. This will give you insights and direction to what you should focus on.
Code42: What is the most commonly overlooked insider risk “red flag” from a psychological perspective?
Elsine: Insider risks are often addressed reactively, only when management becomes aware of an incident, if they are even informed. In recent years, organizations have been taking good steps to improve detection capabilities within their organizations. However, research has pointed out that in 97% of the cases the insider was already under formal management and HR attention for concerning behaviors. This means there were red flags out there but not being picked up effectively.
Concerning behaviors like conflicts with coworkers are often the more visible result of the interplay between personal vulnerabilities and stressors. There is not one red flag that’s most often overlooked — I believe it’s the combination of factors that’s often overlooked. One such combination that is very relevant today is the impact of organizational change (a significant stressor) on individuals who already carry some vulnerability like serious mental health problems. It’s that combination of factors that increases insider risk and poses red flags.
Code42: What are some tips for assessing psychological insider risk factors digitally while keeping privacy in mind?
Elsine: The Critical Pathway model provides relevant risk indicators, both psychological and behavioral, that can be used as indicators as part of a digital system. Organizations should select specific factors based on their risk assessment and the additional value those factors bring to the overall monitoring system. These new factors must be signed off by legal and privacy. In addition, human intervention should be part of any digital assessment. This means the professionalism of the analyst involved is key as well as the follow up within the organization.
Signpost Six recently launched an online insider risk management training program! Learn more.