COVID-19: Insider risks to recovery and resilience
A time of significant disruption and change like the COVID-19 crisis can heighten organisational risk. Handled well, disruption can also build resilience and bring opportunity for growth. COVID-19 sees people and their individual behaviours at the core of the relationship between risk and opportunity. Managing that relationship demands emotional intelligence and prudent action. As businesses begin to resume operations and target recovery, the consequences of failing to address insider risk will layer on reputational and financial loss to an already perilous economic situation.
Chaos and uncertainty change people’s behaviour. Be it from worry or desperation, actions and reactions change; malice can also enter the picture. The logistical, financial and emotional circumstances surrounding the response to the pandemic have created the potential for a sharp increase in insider risk, including fraud, cyber exploitation, and violence. Control Risks is already seeing evidence of these conditions being exploited.
Several risk and security disciplines share a version of a simple concept: for any incident perpetrated by a person to occur, three factors (means, motive and opportunity) must be present at the same time. For many organisations, COVID-19 and the resulting economic downturn have unleashed a potent combination of these insider risk factors, which are likely to persist for months to come.
Means: In many cases, measures to ensure business continuity and remote operations have also eased security controls, introduced ad-hoc process workarounds, and justified policy exceptions. Although the changes are necessary, under these circumstances almost all employees have the capacity to negatively impact the company through improper behaviour such as poor information security, lax approval for financial transactions, or making threats against fellow employees.
Motive: Employees are unusually stressed professionally and personally, which can increase their motivation to take—and to rationalise—harmful actions. Stress can also obscure often subtle indicators of concerning behaviour. More stressors with fewer coping options may compromise individual resilience, amplify grievances, and heighten boredom, frustration, anger and depression. Some common stressors that have emerged include:
- Health concerns
- The logistics of isolation, blurred work-life balance and childcare
- The business and personal pressures of financial austerity
- Performance burnout by essential employees
Opportunity: Remote work at scale has significantly reduced organisations’ visibility into the digital and interpersonal behaviour of their workforces; it has also hampered their ability to detect, investigate and resolve potential issues. For employees under stress or predisposed to acting in ways that are harmful to the business, this provides the time, space, and tacit licence to do things they otherwise would or could not.
Further, the workforce is one of the most reliable channels for reporting troubling employee behaviour, so the current absence of workplace interaction has made it far less likely that leads will be reported.
The causes and impacts of harmful insider activity manifest in ways that are as diverse as the individuals who perpetrate them. Below are some examples of how means, motive and opportunity have featured in practice recently.
Fraud: With businesses facing significant financial challenges, managers are under huge pressure to protect jobs, meet business targets, satisfy investor expectations, and ensure business survival. Given the circumstances, a manager may rationalise, “This business and these employees are my responsibility; I have to do what it takes” or “These investors have loads of cash and don’t understand my business. We need the cash more than they do, and I’ll pay them back in the end.” This thinking may encourage management to take advantage of staff absence, limited oversight, outdated controls, and obsolete data to misrepresent the financial health of the business.
Cyber extortion: Policies and processes around information and technology have, out of necessity, been adjusted to facilitate greater remote functionality at scale; at the same time, centralised security monitoring and analysis teams have had to pivot to maintain their visibility into user and network activity. Under such circumstances, user behaviour issues and “shadow IT” have emerged at many organisations. For example, a software developer or database administrator may think, “I am an essential employee in this business and my work can’t afford to be affected by these restrictions”, and download an unvetted application. This could trigger a widespread ransomware infection that takes the business offline for days and leads to the company paying millions in extortion money.
Threat of violence: As businesses strive to resume operations, they must consider the critical pressures on employees who are in fear of losing their job, those who have already been furloughed or laid off, and employees who are experiencing other significant life stressors and may also have a predisposition towards violent reactions. Employers should adapt their existing workplace violence protocols and be vigilant for indicators of possible violence during this time, which often include threats of retaliation (“You’ll see me again!”), references to firearms, or other expressions of hopelessness, persecution or revenge.
Managing insider risk at enterprise scale is a complicated task fraught with pitfalls. The human factor is complex and ambiguous, and the consequences of getting it wrong can quickly corrode corporate culture. Although insiders can present a broad range of risk types, effective organisational responses can be commonly applied and should be collaborative.
Mitigating the risks
- Define and recognise key behavioural indicators—human and digital—and how they may surface under these extraordinary operating conditions.
- Use all available resources and work across teams on prevention, detection, investigation, and response. Trade information, share tools and collaborate on potential cases with input from multiple departments including corporate investigations, IT, cyber security, HR, legal and business unit managers.
- Take a risk-first approach. Define criteria for high-risk groups and focus investigations on priority cases based on likelihood, potential impact, and imminence.
- Look for ways to proactively reduce impact, such as reviewing and reducing access permissions, reinforcing segregation of duties, and ensuring review and monitoring capabilities reflect changing business circumstances; for example, be sure all process exceptions are documented and approved.
- Consider resilience from the beginning. If the organisation makes resource changes, do so purposefully in a way that can be incorporated into the business for the long term and will help the organisation emerge from this crisis more capable.
As organisations focus on resilience – and this always applies, but especially during COVID-19 and the economic downturn – managing insider risk deserves a coordinated multi-disciplinary approach that is based on risk, led by professional staff, and enhanced by technology. But above all else, the approach must be emotionally intelligent. Regardless of sector or size, an organisation’s most valuable asset—and its most vulnerable—is its human capital.