How To Spot Malicious Insiders Before Data Theft

Psychologists identify warning signs that could tip you off that

Mathew J. Schwartz, Contributor

December 8, 2011


According to a new research study, the majority of insider attacks are conducted by 37-year-old Caucasian men. Now, forget that data point, on which too many organizations fixate, misguiding their internal investigations.

"The problem with that is that it's just a demographic statistic, not a psychological profile. What if she is a 57-year-old African-American female?" said Harley Stock, a board-certified forensic psychologist who's managing partner of the Incident Management Group, in an interview. That's why, instead of focusing on demographics, he said that examining a suspected inside-attacker's behavior--including previous rule violations--is a far better way to investigate such cases.

Stock's warning is backed by a new, empirical study of existing research into insider attacks that he conducted with Eric Shaw, a clinical psychologist who helps companies and government agencies investigate insider cases, as well as conduct employee and organizational risk assessments. "We've tried to summarize the best available empirical research--not expert opinion," Shaw said in an interview.

Their resulting report, sponsored by Symantec, found that if companies truly want to prevent or trace insider attacks, especially involving intellectual property (IP), then they should be watching for a handful of warning signs--both when they interview employees and during their employment. If those warning signs arise, organizations must follow up on them, preferably with a workplace response team already in place to investigate. Such teams are typically composed of human resources and information security representatives, attorneys or legal representatives from HR, as well as a forensic psychologist.


Warning signs will vary, but often involve employees with a grudge who are about to change jobs. "Termination, resignation, any exit planning, or rumors [of that] are grounds for an IP insider risk assessment, because it's such a strong finding that people take this stuff when they leave, even with IP agreements," Shaw said.

Watching for suspicious behavior, of course, won't help spot or prevent all inside attacks. But Shaw and Stock's own experience, as well as reviews of research into past insider attacks, has found that organizations often failed to heed obvious warning signs--not just job changes, but also people displaying escalating levels of rule-breaking or misbehavior, signs of extreme stress, or employees with a grudge who were preparing to change jobs.

Take the case of WikiLeaks suspect Bradley Manning, who's accused of the largest breach of government documents in history. Before that alleged leak, however, Manning had exhibited numerous signs that should have led to his being denied access to top-secret information. "Manning was getting into physical fights, violating the dress code, he was clearly on people's radar, and psychologists had said, 'Don't deploy this guy.' And he was deployed anyway," said Stock. Indeed, according to a recent article in the Guardian, the legal team defending Manning plans to highlight in court how numerous warning signs about Manning's emotional and mental state were ignored. The defense plans to call multiple witnesses, including a psychologist who recommended Manning be removed from his duties, as well as a psychiatrist who "had concluded Manning was 'at risk to himself and others' and that he should be banned from carrying a useable weapon."

Similarly, one of Manning's supervisors had reported that "Manning had an angry outburst during a counseling session in which he flipped over a table and had to be restrained after he stepped towards a rack of weapons." None of these warnings, however, appeared to have been acted on, or passed up the chain of command.

Although Manning had access to a wealth of secret information, it's also emerged that none of his data access was ever logged. That gets to another recommendation from Shaw and Stock: surveillance, especially for creating a baseline of normal behavior and data-access patterns. "With surveillance, it's virtually impossible for these individuals to engage in IT theft without changing their normal behavior," said Stock. "Once we see changes in those behaviors, they can become a person of interest to us."

Another recommendation: screen employees properly before hiring them. "For example, if someone served in the military, looking at their military discharge record, called their DD214, is one of the best predictors of behavior," said Stock. "If they behaved badly in the military, they'll behave badly in the workplace."

Likewise, he said that in insider theft investigations, the culprit often turns out to be someone who had been hired in spite of obvious warning signs, as noted by hiring managers. When asked why they hired the person anyway, people at the company would respond that they were ramping up a project and needed the person.

Interestingly, not every insider who steals information has a grudge against their employer. While that was true in 67% of cases, Stock said that "26% who stole didn't have any bad feelings toward the company." In many of those cases, however, the employees displayed "Machiavellian" signs--combining ambition with job frustration, and often willing to devote considerable time and energy to taking intellectual property they've worked on to their next job.

Overall, 65% of people who stole IP already had a job lined up with a rival company, while 20% were simply recruited by outsiders who wanted the data. In 25% of cases, data ended up with a foreign company or national entity.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
