• United States




The 24/7 insider threat – Managing risk in a changing environment

Nov 05, 20197 mins
Advanced Persistent ThreatsRisk ManagementSecurity

A new model for managing insider risk in the "always-on” and “on-demand” workplace.

A new perimeter-less insider risk management approach to security is needed that shifts the priority to the insiders’ interaction with data or the information object itself; in addition to the logical protection of devices or networks to safeguard data and monitor, audit and manage people.

Managing insider risk in the context of a physical corporate environment is difficult in itself, but the shift to a remote workforce and a “perimeter-less” workplace compounds these inherent challenges. There are four primary objectives of an insider risk management program – awareness, understanding, visibility and protection. A perimeter-less workplace requires an adaptation and tailoring of traditional risk management methods.


Awareness means developing a clear picture of your insider population, providing insiders with resources to properly protect assets, creating a culture of transparency and responsibility and developing workflows that foster the identification and mitigation of aberrant behaviors.

In the traditional workplace, training is focused on best practices for operating in an office environment and how to spot aberrant behavior from coworkers and how to protect against common email attacks. Good workplace hygiene is emphasized (not leaving documents on printers, locking screens, badging into secure areas, etc.) and how to report information to managers. Insider populations are defined by those that have physical access to corporate offices and workflows are focused on identifying aberrant behaviors in the workplace.

By contrast, in the perimeter-less workplace, training must focus on the remote workplace and the unique environments involved. Here, proper hygiene for accessing corporate information (fake hot spots, spoofing, shoulder surfing in public spaces, etc.) must be emphasized as well as properly handling information outside of office (printing, storage, transmitting). Use of file sharing sites, USBs, email security and device management (personal and corporate) are of particular importance in this environment. Reporting workflows must also adapt and utilize more hotlines to report suspicious activity to security. Here, insider populations must be understood from a virtual access standpoint since many employees may never step foot in the physical corporate facility. Lastly, workflows must incorporate methods and means to identify aberrant behavior outside of the workplace.


Understanding involves focusing on what is important to the company by identifying and defining critical assets, developing granularity about those assets, prioritizing them based on impact, and developing processes and procedures that foster knowledge of asset workflows and incorporating this knowledge into a risk management framework.

In the traditional workplace, the focus is on the corporation as “asset holder” (on corporate devices, networks, physical locations). Workflows are mapped, if at all, to intra-office collaborations. Risk is therefore understood within the confines of the traditional corporate environment. Once critical assets are identified, an understanding is required of who has access to those assets and how they are handled, stored and moved. For traditional workplaces, this is often an eye-opening exercise, with access to their critical resources often far wider than imagined.

By contrast, in the perimeter-less workplace, the insider is often the “asset holder” (storage on personal devices, USBs, file sharing sites, home office) and the spread of critical assets is even more pronounced. Working remotely, staff have a wide variety of mechanisms to handle and store assets. Risk models now must include threats and vulnerabilities concomitant with operating outside of the corporate environment. Classification of possible “asset holders” is therefore broadened to whatever is available in home offices. This can include – personal computers, tablets, phones and removable media. The ever-growing use of IoT devices further complicates this process. Moreover, when considering critical data in transit, remote workers are far more likely to use alternate means and devices in transmitting organizational data. As such, inter-office workflows must be catalogued as an elemental part of identifying the threats and vulnerabilities outside of the traditional corporate environment.


Visibility involves monitoring insider behaviors that are indicative of a threat to corporate assets (network and off-network), monitoring interactions of insiders with identified assets, logging asset accesses and movements, and analyzing behaviors, interactions and logs to identify risk.

In the traditional workplace, visibility is limited to corporate-owned devices and networks and behaviors at the corporate facility. By contrast, the perimeter-less workplace must include visibility on personal devices, behavior outside of the corporate facility (open source data sources) and understand how data assets are moved, transferred and stored outside of corporate networks.

To counter the loss of visibility into the ways that staff store, transmit and work on data, organizations need governance and workflows that enable the tracking of the flow of data and assets outside of the corporate network and domains. These policies and procedures may restrict remote staff to the use of specific devices or enterprise mobility management tools that compel a standardized process that can be comprehensively monitored. Such tools allow an organization to integrate all mobile devices into a management framework that includes security, identity, application and content management.

To counter the loss of visibility into staff behavior, alternate means for the early identification of employee warning signs are required. Such mechanisms will allow the organization to respond with the right degree of engagement, assistance, support and discipline. Open source data* can provide insight into individuals’ behavioral stressors and actions and can help employers continuously examine an employee’s potential threat to an organization. Continuous evaluation of open source data can help assess employees working at customer locations or home, whose changes in behavior are less visible to colleagues and managers. Used properly, this data can help recognize behaviors unobservable by technical monitoring and provide early warnings to possible risk.

*Open source information includes financial data (bankruptcies, credit reports, liens, etc.). These may indicate unexplained affluence and financial difficulties. Law enforcement data (arrests, convictions, protective orders, etc.) may indicate unpredictability, volatility and an inability to follow laws. Social media postings may reflect unusually negative (and even violent) sentiments toward an employer, colleagues, public personas, family members and former partners.


Security controls must be applied to both digital and physical assets (including information and personnel) to ensure the ability to safeguard assets wherever they are accessed, used, transmitted, stored, or located.

In the traditional workplace, the focus is on the device and human endpoint. Controls are designed to alert on events (post-action) and are limited to the corporate perimeter (network and physical). By contrast, in the perimeter-less workplace, data is the new endpoint. The focus must be on the digital asset itself as the new perimeter. Controls must be designed to manage access (pre-event) and invoke object-level end-to-end encryption.

The perimeter-less workplace requires persistent, data-centric encryption that goes beyond the end point and traditional authentication approaches. To properly manage insider risk in the perimeter-less workplace, security teams need to augment protection mechanisms with additional security layers that focus on data in a more granular, persistent and dynamic fashion. This means being able to encrypt any digital asset regardless of source application, format or device OS. There are three primary “protection” requirements for the new perimeter-less workplace:

  • Persistent. Encryption needs to be enforced persistently. If a sensitive file is emailed, saved to a flash drive, stored in a cloud-based application, or transported anywhere else, security policies will remain in effect and data is protected.
  • Top-down policy enforcement. Administrators need to enforce policies in a top-down manner, so corporate-wide policies can be applied consistently and cohesively across the enterprise, and down to the specific digital asset, device and user level.
  • To maximize data separation efficiency, enterprises need to employ encryption in a way that provides protection and insight at the lowest level possible, ensuring optimal security, data governance compliance and productivity.

The new perimeter-less workplace requires a new insider risk management paradigm. By adapting and redefining models for risk awareness, understanding, visibility and data-centric persistent asset protection, organizations can develop effective programs to confidently manage insider risk both inside and outside the traditional corporate environment.


Shawn M. Thompson is the founder and director of the Insider Threat Training Academy and founder and president of the Insider Threat Management Group, LLC, which provides strategic cyber security and insider risk management advisory services and training to the private sector. He possesses over 15 years’ investigating, prosecuting, and managing insider threats and cyber intrusions and is widely sought-after for his unique expertise.

Mr. Thompson is a former federal prosecutor and senior government official who held executive positions with several agencies including the DOJ, FBI, DoD and DNI. As a seasoned risk management professional, author, experienced prosecutor, credentialed Special Agent, and trained analyst, his cyber security acumen is second to none. He is a pioneer in the field of cyber security and insider risk management, serving as a frequent guest speaker and thought leader on a variety of security topics.

Mr. Thompson serves as a trusted advisor for the highest levels of government as well as private sector C-suite and Board of Directors alike. He is a member of the Maryland Bar.

The opinions expressed in this blog are those of Shawn M. Thompson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.