Spotting and, perhaps, stopping the malicious insider

By Brian Musthaler | January 24, 2012

Posted in: Network Security Trends

Do you know this person? He is currently employed, between the age of 35 and 40, holds a technical position, and has a new job offer at a competing company. He very well could be working next to you right now. And he’s someone every company should be concerned about.

Who is this person? It is the “malicious insider,” as profiled in a recent white paper from Symantec: Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall, authored by Dr. Eric Shaw and Dr. Harley Stock, experts in the fields of psychological profiling and employee risk management. Their work is based on a review of empirical research on security breaches and identifies several key behaviors and indicators that contribute to intellectual property (IP) theft by malicious insiders.

The report discusses warning patterns and common problems which may portend insider IP theft. These warning signs include perceived professional setbacks, dissatisfaction and unmet expectations which can trigger a person to steal IP. "A perceived injustice sends them along the critical pathway. They move from a psychological sense of not being treated fairly to developing justification responses, giving themselves excuses to do bad behavior," according to Stock.

Occasionally the breach of trust by an insider makes the news. The case of Bradley Manning, charged with giving secret documents to WikiLeaks, is a prime example. The question arises: why are these leaks and thefts not detected and, ideally, prevented? The simple answer is that information security practices have generally not been geared to look for activity perpetrated by a trusted insider. For the most part, they focus on activity outside the firewall.

Solutions such as data loss prevention and SIEM technologies exist to help identify and potentially prevent this malicious insider activity, but they must actually be implemented to do the job. What’s more, the patterns of malicious activity must be learned and encoded as policies within those technologies.

Through the work of doctors Shaw and Stock, Symantec’s report offers this additional insight and recommendations to help mitigate the risk of the malicious insider:

  • Build a team:  To fully address insider theft, organizations need a dedicated team made up of HR, security, and legal professionals that creates policies, drives training and monitors problem employees.

  • Organizational issues:  Organizations need to evaluate whether they are at greater risk due to inherent factors — employee morale, competitive risk, adversary operations, local overseas, use of local contractors, etc.

  • Pre-employment screening:  The information collected during this process will help hiring managers make informed decisions and mitigate the risk of hiring a “problem” employee.

  • Policies and practices:  This is a checklist of specific policy and practice areas that should be covered within an organization’s basic governance structures.

  • Training and education:  These are essential to policy effectiveness since policies and practices that are not recognized, understood and adhered to may be of limited effectiveness. For instance, most IP thieves have signed IP agreements. Organizations should have more direct discussions with employees about what data is and is not transferrable upon their departure and the consequences for violating these contracts.

  • Continuing evaluation:  Without effective monitoring and enforcement, compliance will lapse and insider risk will escalate.


Technical and procedural recommendations from the report include preempting IP theft by flagging high-risk insider behavior with a security technology such as data loss prevention. Use a file monitoring technology and alert managers, HR, and security staff when exiting or terminated employees access and download IP in unusual patterns. Implement a data protection policy that monitors both appropriate and inappropriate use of IP and provides alerts of violations. Such processes can increase security awareness and deter insider theft.
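The file-monitoring rule described above (alert when an exiting employee downloads IP in unusual patterns) can be expressed as a small detection script. The following is an added example, not code from the article or from the Symantec report: it compares each departing employee's recent download activity against that employee's own baseline and raises two indicators, a daily volume spike and access to a top-level directory never touched before. The log format, the roster of departure dates, the action names and every log line are constructed sample data.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

WATCH_DAYS = 14             # days before a scheduled departure to watch closely
MIN_DAILY_DOWNLOADS = 5     # floor so a quiet baseline does not trip on noise
DOWNLOAD_ACTIONS = {"DOWNLOAD", "COPY_TO_REMOVABLE"}   # constructed action names

# Constructed roster (hypothetical): user -> last scheduled working day,
# fed by HR when someone gives notice or is terminated.
DEPARTURE_ROSTER = {
    "jdoe": date(2012, 1, 27),
    "asmith": date(2012, 1, 31),
}

# Constructed sample log, one event per line:
#   <ISO timestamp> <user> <action> <path> <bytes>
SAMPLE_LOG = """\
2012-01-03T09:12:00 jdoe DOWNLOAD /eng/specs/spec-v1.pdf 120000
2012-01-04T10:01:00 jdoe DOWNLOAD /eng/specs/spec-v2.pdf 130000
2012-01-05T11:30:00 jdoe READ /eng/specs/notes.txt 2000
2012-01-06T09:45:00 jdoe DOWNLOAD /eng/specs/spec-v3.pdf 125000
2012-01-09T14:20:00 jdoe DOWNLOAD /eng/specs/spec-v4.pdf 128000
2012-01-10T09:00:00 asmith DOWNLOAD /sales/reports/q4.xlsx 50000
2012-01-11T09:00:00 asmith DOWNLOAD /sales/reports/q3.xlsx 48000
2012-01-24T18:05:00 jdoe DOWNLOAD /eng/specs/spec-v1.pdf 120000
2012-01-24T18:06:00 jdoe DOWNLOAD /eng/specs/spec-v2.pdf 130000
2012-01-24T18:06:30 jdoe DOWNLOAD /eng/specs/spec-v3.pdf 125000
2012-01-24T18:07:00 jdoe DOWNLOAD /eng/specs/spec-v4.pdf 128000
2012-01-24T18:08:00 jdoe DOWNLOAD /eng/specs/roadmap.pptx 900000
2012-01-24T18:09:00 jdoe COPY_TO_REMOVABLE /eng/src/core.zip 45000000
2012-01-24T18:10:00 jdoe DOWNLOAD /finance/customer-list.csv 300000
2012-01-24T18:11:00 jdoe DOWNLOAD /finance/pricing-2012.xlsx 80000
2012-01-26T09:00:00 asmith DOWNLOAD /sales/reports/q4-final.xlsx 51000
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events


def top_dir(path):
    """'/eng/specs/x.pdf' -> '/eng'; the coarse scope of an access."""
    return "/" + path.strip("/").split("/")[0]


def flag_departing_users(events, roster, watch_days=WATCH_DAYS):
    """Compare each departing user's recent downloads against their own baseline.

    Baseline = downloads before the watch window; watch window = the last
    `watch_days` days up to the scheduled departure. Two indicators:
      volume_spike - a day in the window with more downloads than the baseline
                     mean + 3 sigma (never below MIN_DAILY_DOWNLOADS)
      new_scope    - a top-level directory never touched in the baseline
    Only days with at least one download enter the baseline, so a user who
    downloads rarely gets a small, conservative baseline.
    """
    findings = []
    for user, last_day in roster.items():
        window_start = last_day - timedelta(days=watch_days)
        downloads = [e for e in events
                     if e["user"] == user and e["action"] in DOWNLOAD_ACTIONS]
        baseline = [e for e in downloads if e["ts"].date() < window_start]
        recent = [e for e in downloads
                  if window_start <= e["ts"].date() <= last_day]

        per_day = defaultdict(int)
        for e in baseline:
            per_day[e["ts"].date()] += 1
        counts = list(per_day.values()) or [0]
        threshold = max(MIN_DAILY_DOWNLOADS, mean(counts) + 3 * pstdev(counts))
        known_dirs = {top_dir(e["path"]) for e in baseline}

        recent_per_day = defaultdict(int)
        for e in recent:
            recent_per_day[e["ts"].date()] += 1
        for day, n in sorted(recent_per_day.items()):
            if n > threshold:
                findings.append({"user": user, "day": day, "indicator": "volume_spike",
                                 "detail": f"{n} downloads vs threshold {threshold:.1f}"})
        for d in sorted({top_dir(e["path"]) for e in recent} - known_dirs):
            findings.append({"user": user, "day": None, "indicator": "new_scope",
                             "detail": f"first access to {d} during notice period"})
    return findings


if __name__ == "__main__":
    for f in flag_departing_users(parse_log(SAMPLE_LOG), DEPARTURE_ROSTER):
        print(f"[{f['indicator']}] {f['user']} {f['day'] or ''} {f['detail']}")
```

On the sample data, jdoe is flagged twice (eight downloads in one evening against a baseline of one per day, plus a first-ever reach into /finance) while asmith, whose notice-period activity matches her history, produces nothing. The point of keying the rule on an HR-supplied roster is the one the report makes: the same download volume from an employee with no pending departure would not fire, which keeps the alert rate low enough that HR and security staff will actually act on it.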

Is the malicious insider in the office next to you? With the right policies, processes and technologies, it’s possible to know before his damage is done.
