Von Cédric Biedermann

Organizations face many different types of risks on a daily basis, which can lead to reputational and functional damage. Human risks affect the workforce and have adverse effects on the organization’s efficiency, productivity and reputation. Identifying these risks is essential for minimizing their negative impact.

The fact that risks originate from insiders is not new, however the evolution of technology, communications, socio-economic climate and geopolitical changes have increased the impact of these threats. Unlike attacks originating from outside of the company, insiders often have legitimate access to the premises and computer systems for genuine business reasons. They are also familiar with the company’s intellectual property and sensitive information, which makes it easier to hone in on areas that matter and to circumvent security controls.

Building agility into your insider risk strategy and anticipating change and disruption enables you to develop an environment that is secure by design. Implementing a robust strategy and governance to mitigate or prevent incidents caused by employees will keep your organization prevent harmful events from occurring.

Risk mapping human risk factors

Human risks encompass various factors including personality traits, life events, social factors and environmental factors. In order to help you identify these risks to protect your company and your employees, we have elaborated on the risks below.

Personality traits

There are certain personality traits that could predispose an individual to being a malicious insider. These traits are commonly referred to as the Dark Triad – narcissism, machiavellianism, and psychopathy. These personality types are known for their manipulative behavior, callousness, indifference to morality, pursuit of personal gratification, and impaired empathy. It is often difficult to detect these individuals, which is why we believe prevention is the key.

Implementing personality tests in pre-employment assessments and during the employee’s working lifecycle can identify the warning signs of these dark personality traits and avoid exposing your company to the risks mentioned above. Your company’s HR business partners play a key role in these procedures and should be actively involved in evaluating employees’ behavioral changes throughout their work experience. Alcohol and drug abuse are major personnel risks within the workforce and may lead to expensive problems, such as the loss of productivity, injury or increased insurance costs. Furthermore, it can lead to social problems such as workplace misconduct and conflicts. Substance abuse is highly correlated with perceived workplace stress factors and should not be underestimated in high-pressure working environments.

Life events

Major life events can impact the way we behave and our productivity at work. Having major changes in the health of a family member, a personal injury, financial issues, living conditions and relationship problems can significantly impact an employee’s performance. Therefore, it is important for your company to have a supportive system in place to enable employees to come forward with their problems so that they can be addressed in an effective and productive manner.

Social factors

Our society has become conditioned by the internet, especially social media, to openly share information, whether personal or professional. This can lead to unintentional disclosure of classified or proprietary information and make company workers more susceptible to approaches by adversaries.

Environmental factors

The fraud triangle hypothesis suggests that there are three key components that increase the risk of fraudulent behavior: opportunity, incentive and rationalization. Opportunity refers to the workplace’s internal control systems (or the lack thereof), and a corporate culture that seems to condone fraudulent activities. The incentive refers to an individual’s mindset towards fraudulent behavior, which is often influenced by the company’s structure. For instance, the pressure to meet and exceed organizational goals for a bonus could lead to dishonest acts. The rationalization aspect refers to an individual’s justification for committing deceitful acts.

It is essential that your corporate culture and values are founded on the basis of honesty, open communication and trust and that your code of conduct clearly instill these values. This will ensure employee satisfaction, respect and freedom to speak up, which will lead to a reduced risk of dishonest and fraudulent behavior and will promote positive workplace attitude. Additionally, employees will feel more comfortable reporting dissatisfaction at work and conflicts of interests. Coworkers are the first line of defense for fraudulent activities and workplace misconduct.

Identifying risk indicators

In order to identify human risks, which are usually invisible, we need to apply psychological methods, looking for destructive work habits and damaging behavioral tendencies. Preventive measures, such as compliance and security generally require technical and organizational approaches as well as register checks. Research suggests that insider agents, who are individuals within the organization that can maliciously cause harm, tend to be impulsive. This implies that trusted insiders could evolve into malicious insiders through an impactful event perceived as being untenable, such as a life crisis. When stress factors and individual problems aren’t dealt with in a healthy and adaptive manner, they can lead to work misconduct such as IP theft, information leaks.

The Swiss Federal Administrative Court and the Federal Supreme court have defined criteria for measuring risk indicators. These criteria, such as the integrity, reliability, credibility, propensity to blackmail both privately and professionally, corruptibility, and media value are assessed according to professional function. It is recommended to regularly measure these criteria during security interviews and to identify and mitigate potential risk indicators.

Monitoring risk factors

We believe that prevention is key, therefore it is essential to be both reactive and proactive. There are many systems and procedures that can be put in place to prevent risk factors mentioned above from escalating into security breaches. Protective mechanisms should be in place against targeted insider threats and to safeguard data. Individuals with access to sensitive data should be trained to identify security breaches as well as negligence. Finally, all analytics and procedures should be monitored and mapped to the individual for identification purposes. This may be done by monitoring all employees for leading threat indicators utilizing User Behavior Analytics (UBA) and User Activity Monitoring (UAM). Such processes should undergo a routine evaluation, and be monitored and tested to ensure maximum protection.

Conclusion

Insider threats pose a serious risk to your company. Preventive security measures, such as personality tests, data security, employee training, and corporate culture are important factors to consider, when defining your company’s risk profile. The measures put in place need to be monitored and evaluated in order to keep up data security and privacy.

Autor: Cédric Biedermann

Cédric Biedermann, KPMG’s head of the Corporate Intelligence team for the Forensic department has over ten years of forensic experience and is a Certified Insider Threat Program Manager and Fraud Examiner. He specializes in leading investigations regarding misconduct such as mobbing, psychological and sexual harassment, unfair treatment, extortion, exploitation, undisclosed conflicts of interest as well as corruption, bribery and fraud. As a Risk Profiler, he develops and implements effective and sustainable threat detection and prevention programs for a broad range of clients and institutions in order to assess the reliability, suitability and trustworthiness of the insider threat.

* Die meisten Blogbeiträge erscheinen in Deutsch. Ausnahmsweise erscheinen Beiträge auch in Englisch und Französisch, den Sprachen, in denen Schweizer Expertinnen und Experten in der Bekämpfung von Wirtschaftskriminalität häufig arbeiten.