How Can Security Address Today’s Insider Threat? by Michael Gips

Consider what Covid-19—and its ruthless 2020 colleagues, economic recession and social dissension—have wrought:

Last September, agents from Her Majesty’s Revenue and Customs arrested a company director and an accountant for an alleged £70,000 Coronavirus Job Retention Scheme fraud. HMRC is investigating another 27,000 “high risk” claims. That’s just the beginning. The National Audit Office has estimated that British companies may have claimed up to £3.9 billion in furlough funds without actually furloughing their workers.

According to the UK’s Office of National Statistics, crime data show an increase in domestic abuse-related cases during the coronavirus pandemic, as well as an increase in demand for domestic abuse victim services.

And in July, the U.S. FBI arrested three teenage hackers for taking over 130 Twitter accounts, including those of Barack Obama, Joe Biden, Bill Gates, Elon Musk, and Kanye West. The thieves tweeted from 45 of the accounts and pocketed U.S.$118,000 in a Bitcoin scam. They accessed the accounts through social engineering of Twitter staff. The situational awareness and defences of Twitter employees were low because they were working at home during the pandemic, dealing with new modes of work, balancing their personal and professional lives, and otherwise trying to cope with rapidly shifting and unfamiliar demands.

Three types of insider cases—fraud, violence against staff, and manipulation of workers to receive network access privileges—each taking advantage of the circumstances caused by Covid-19 and its follow-on effects.

How are front-line security personnel supposed to respond? In the first case, fraud was committed at the highest levels, and officers do not have access to corporate finances. In the second example, security is not physically present at employees’ houses to prevent or stop violence. Nor can they enforce clean-desk policies, watch for unusual behavior, or surveil the work environment when offices are empty.

First, an overview of the evolving insider threat as 2020 gives way to 2021 is in order.

Working from Home Cyber Risks

The coronavirus’s spread from China around the world led to cascading closures of physical facilities and a massive shift to telework where possible. Many staff were hastily issued laptops that may have been mothballed for months without having been updated, or were given freshly purchased devices with few security features enabled.

But even when security protocols were enabled, savvy workers figured out how to dodge them for the sake of convenience or to obscure online network activity. DTEX Systems reports that in the first 8 months of 2020, 56 percent of the Global Fortune 5000 had workers who actively bypassed security controls to hide online activity, behaviour that might constitute an insider threat. That’s a 450% increase in that type of suspicious behaviour from the same time period a year before.

It’s too early to tell exactly how Covid-19 has affected the insider threat. But a recent survey by the Ponemon Institute says that 59 percent of respondents believe insider threats will increase over the next two years, mainly because workers, due to remote work, have access to materials they shouldn’t have.

A Terrorist Playbook?

Threats to information and systems are acute. But the Covid-19 insider problem extends well beyond internal fraud, theft, and data exfiltration. Last May, the Council of Europe warned that the global Covid-19 response might “offer a play-book for terrorists with access to biological weapons.” The threat isn’t merely theoretical. The 2001 anthrax attacks in the United States, which killed 5 people and infected 17 others, were orchestrated by Bruce Edwards Ivins, a biodefense scientist at a U.S. lab who had access to the deadly spores.

A Wobbly Economy

Insider security issues extend beyond the pandemic. As politicians are wont to say, “It’s the economy, stupid.” In the second quarter of 2020 alone, according to the International Labour Organization, the world lost the equivalent of 400 million jobs. And hundreds of millions of those still clinging to employment fear for their livelihoods, amping up the threat of fraud and embezzlement and increasing stress levels that may lead to violence. Given the new reality of telework—where infosec protocols and measures may not be as robust or scrupulously applied—the risk of insider incidents has ballooned.

For example, KPMG’s latest Fraud Barometer predicts a “tsunami” of fraud cases in Scotland. According to Annette Barker, Head of Forensic Regions for KPMG, “it’s reasonable to assume the true extent of fraud committed across the country has been masked—not least as previous crises tell us that increased financial pressures on individuals can often drive increased criminal behaviour.” And the situation will get worse: “Looking ahead, we certainly expect the fallout from the uncertainty caused by the pandemic to dramatically accelerate the levels of fraud hitting businesses, government, and individuals,” Barker warned.


Brexit poses another threat. Barclays has warned UK businesses about the likelihood of cyberscams related to confusion over changing rules as the Brexit transition ends. Staff who are unwittingly duped by these ploys pose an insider threat, as do those who conspire with external fraud artists.

Social Divisions

Finally, the breakdown in civil discourse and the rampant spread of disinformation represent potential insider threats to global organizations. Witness hostility between pro- and anti-Brexit advocates, the competing polarized political narratives in the United States, and the normalization of conspiracy theories and hateful rhetoric online.

Neo-Nazis, white supremacists, hate groups, militias, and hooligans lurk in virtually every large organization, leading to potential liability and grave reputational risk were those individuals to strike out. For example, in 2018 defence contractor Northrop Grumman admitted that it employed an engineer who was caught on camera pushing a Black man to the ground during the “Unite the Right” white supremacist rally in Charlottesville, Virginia. That’s a clear threat to the company’s brand, as well as a potential threat to staff and customers and possible source of liability.

The U.K. is far from immune. The UK’s top counterterrorism officer has said that right-wing extremism is the UK’s fastest-growing threat. For instance, in 2015, a former Tesco worker from Plymouth was dubbed “the Tesco Terrorist” for his plans to recruit a posse to address immigrant issues in Calais, France. The grocery chain had to publicly announce that it had broken ties with the worker and disavow his beliefs and actions.

Other extremists, who are embedded in our most trusted institutions, will seize on our social strife. According to Louis R. Mizell, Jr., a former U.S. intelligence officer who maintains a database of millions of crimes and terrorist incidents, those extremists are everywhere. As just one example, al Qaeda members have worked in airports, nuclear plants, laboratories, and in many other prominent roles and for brand name companies. They have even infiltrated U.S. intelligence agencies. Once they activate, it’s too late for the employer.


Despite the wide variety and depth of insider threats, security forces have solid options at their disposal.

Companies would be wise to conduct a thorough assessment looking at intentional and unintentional insider risk. Identify key assets, processes, and people, and work with risk owners on an effective holistic approach that contemplates each element separately and collectively. Then establish processes and procedures that can be readily followed and create KPIs to measure compliance.

Security personnel should determine whether the right cybersecurity protocols are in place for remote work, including VPNs, patch management, antivirus and anti-malware updates, and regular staff refresher training. Then, staff access should be limited to specific files and systems.

Creating a strong culture of security is paramount. It is critical to enlist the support of staff and engender their goodwill by making security a collective endeavour across all departments. That starts by treating staff well. Many insider incidents are carried out by unwitting staff who have good intentions and want to exhibit excellent customer service, such as by expediting an invoice that may actually be counterfeit. Training should focus on telltale schemes and suspicious behaviours specific to each job role. Tactics repeat regularly, and staff should be aware of them. Some organizations reward staff for identifying staged phishing attacks or social engineering attempts.

Regularly check in with staff who may be having mental or emotional issues, and encourage department managers to connect with their reports via Zoom or another videoconferencing tool. Make sure that they feel safe in their own home—the extreme pressures of isolation and helplessness might trigger physical violence by a spouse or another occupant. Depending on the jurisdiction and the situation, an organization may even have a duty to physically protect a staff member from physical danger.

Identifying potential extremists on staff requires keeping an eye and ear out for concerning behaviour or comments. In many cases, extremists have signalled their frustration or even intended attacks to their work colleagues. Organizations should have an anonymous reporting system that encourages such information. Good options include phone hotlines and web-based systems. Finally, security may wish to monitor social media for staff statements encouraging violence or espousing hate, though they should do so only after conferring with legal counsel due to privacy concerns.

As the curtain opens on 2021, security practitioners will continue to deal with new iterations of insider threats brought about by the pandemic as well as a trying set of political, social, economic, and environmental developments. By consistently using good practices and adapting to the quickly changing environment, security personnel can help manage the metastasizing insider threat.

Michael Gips, JD, CPP, CSyP, CAE

U.S.-based Mike is quite simply a legend in the international security industry, and a new entry on the TPSO International Security Industry Champions list…

His clients rank among the smartest and most talented corporate security professionals and security service and technology providers. They want the knowledge and insight to see what’s coming next, and they seek to rise above the masses in a crowded marketplace. With Mike’s assistance, they assert thought leadership and develop top-notch programs.

A collaborative physical/cyber security adviser with a history of developing leading-edge security content and developing relationships with corporate security executives, service & technology partners. Mike leverages his expertise and relationships to advance the vision and mission of premier global organizations.