In the latest Rose Partners blog, our CEO Adam Honor explains the dangers of insider threats with an example we can all recognise.

Many of us have fond childhood memories of reading Roald Dahl’s Charlie and the Chocolate Factory. There is a particular passage in one of the preliminary chapters that bears relevance today in how we manage the risks posed by the insider threat within our companies:

Grandpa Joe – ‘You see, Charlie,’ he said, ‘not so very long ago there used to be thousands of people working in Mr Willy Wonka’s factory. Then one day, all of a sudden, Mr Wonka had to ask every single one of them to leave, to go home, never to come back.’

 ‘But why?’ asked Charlie. ‘Because of spies.’ ‘Spies?’

‘Yes. All the other chocolate makers, you see, had begun to grow jealous of the wonderful sweets that Mr Wonka was making, and they started sending in spies to steal his secret recipes. The spies took jobs in the Wonka factory, pretending that they were ordinary workers, and while they were there, each one of them found out exactly how a certain special thing was made.’

In short, Mr Wonka was being ripped off by an aggressive insider threat agenda driven by the competition. His tradecraft, trade secrets and IP were walking out the door and being replicated by the unscrupulous competition. In response, Wonka sacked everyone, closed the gates and employed an army of Oompa Loompas.

Wonka was clearly not running a robust Operational Resilience / Security function that had a controls-based framework to secure his assets, ideas and intellectual value. Nor did he recognise the talent of the staff, a business’s most valuable asset, and the role they can play in managing an insider threat program.

What is an insider threat?

The CERT definition of an insider threat is ‘the potential for an individual who has or had authorised access to an organisation’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organisation. This definition covers:

  • Malicious and non-malicious (unintentional) insider threats
  • Cyber and physical impacts

From this definition, it is clear that even employees and contractors with the best of intentions can become an insider threat, simply by clicking on a hyperlink that injects malware into the OT or enterprise network. According to the Ponemon Institute’s 2018 Cost of Insider Threats report the average cost of insider-caused incidents was $8.76 million in 2017 – more than twice the %3.86m average cost of all breaches during the same year across the globe.

Oliver Wyman’s The Increasing Threat from Inside report states that nearly 75% of companies believe they have appropriate controls in place to mitigate insider threats, yet more than 50% of companies had a confirmed insider attack in the past 12 months.

Why would someone seek to carry out an insider attack?

There is no straightforward answer to this question with there being numerous and complex potential motives. However, there are some indicators of potential insider threats:

  • Ethical flexibility
  • Reduced loyalty
  • Entitlement – narcissism – ego
  • Introversion
  • Greed / financial need
  • Intolerance of criticism
  • Self-perceived value exceeds performance
  • Vulnerability to blackmail
  • Pattern of frustration and disappointment

How can we prevent the loss of trade secrets?

Managing insider threat is a complex, multifaceted and cross-functional exercise that will reach into most, if not all, functions within your company. Having a ‘policy and standards stack’ is not enough. There is difficulty in spotting the threat, which is why there is a premium placed on process and education, over that of technology.

Implementing an effective insider risk program requires a design tailored to the specific culture, processes, and risks of your organisation. It starts with the identification of the risk exposure and the business impact of the risk. Once the “crown jewels”, the most important assets (physical and/or virtual) and associated insider risks are identified, a pilot can be designed to mitigate these risks. It is important to start small and focus on a clearly defined high-risk employee sub-group to work through the organisational issues that need to be solved.

The Common Sense Guide to Mitigating Insider Threats (fifth edition published by the CERT Insider Threat Centre) offers a guide to best practice. Some of the key practices from the document include the following points, and the first point is arguably the most important:

  • Know and protect your critical assets
  • Create a culture of awareness throughout the company. Develop training from the Board level down. Create focused leadership sessions that enable leaders to identify the insider behaviours
  • Develop the governance framework to formalise an insider threat program
  • Develop repeatable and reportable processes that capture suspicious behaviours from the point of hire to fire
  • Have a social media monitoring program
  • Create a culture of ‘it’s OK to say’
  • Create a robust access rights management process for data and systems
  • Close the doors to unauthorised data ex-filtration
  • Monitor and control remote access
  • Extend your controls and awareness to third parties
  • Enforce separation of duties and least privilege

In addition to the above, there are key success factors for an effective insider threat program. Understanding what contributes and supports success is fundamental in measuring and reporting progress. Whilst these factors are numerous, the five listed below highlight why success is not just about controls:

  1. Governance and organisation: Clear articulation of the oversight and agreed operating model
  2. Execution and program management: Processes and controls that cover the end-to-end lifecycle of insider risk management in line with the organisation’s risk appetite
  3. Data, technology and tools: Foundational capabilities that support the management of insider risk
  4. Information sharing: Effective cross-functional interaction model to address legal, ethical, cultural and privacy concerns, and understand what is required to “get to agreement”
  5. Continuous improvement: Mechanisms to integrate learnings from past events and to evolve the program in line with the changing risk exposure


An insider threat program is crucial for any organisation. Designing and implementing an effective solution is vital to securing a business’s most valuable assets. There is an upward trend of insider threat occurrence and its prominence and relevance mean it simply cannot be ignored. Implementing the right program will yield clear benefits and positive results. Take a proactive approach to managing insider risk – start small, but start now. Create a program based on a culture of honesty, integrity and ethics. Employees will identify with these values and as a result, will embrace the insider threat program and its ultimate aims and objectives.

In the real world, the management and mitigation of insider threats are as pertinent now as they were then. However, we now have the benefit of well -processes, training and awareness tools and ‘surgical technology’ that can reduce the accidental or deliberate loss of value from our companies.

Remember: it’s OK to say. It’s something I encourage my colleagues to do every day. I’ll leave you with that ‘ear-worm. You’re welcome!

en_GBEnglish (UK)