Blog- Part 2: COVID-19: A Field Day for Insider Threats?


In our first blog of this two-part series, we described how the COVID-19 crisis is having a permanent impact on the world, geopolitics, and the way we work together. This requires a new focus on the measures needed to conduct safe, secure and lasting business. This post will highlight how organizations can improve their capabilities to prevent, detect, respond to and recover from the threats detailed in our first blog.


  • More than ever, European institutions should strengthen the security posture of all European organizations by aligning their counter-espionage approach.
  • Six key organizational measures can be effective in reducing the risk of insider threats.
  • A holistic approach to insider risk management is necessary to close remaining gaps within insider risk management programmes.

Supranational organizations are encouraged to unify their responses to escalating espionage operations.

Numerous intelligence and national security agencies have noticed the elevated threat posed by the current environment and have increased their responses. This is especially true in the US and UK. Those two countries, united by ongoing tension with China, have increased their collaboration across their operations. An aligned European response would realize similar benefits. A combined effort to combat espionage is what overwhelmed organisations need now and will help ensure the continent’s competitiveness in a rapidly changing world. Providing clear and practical guidance and advice on protecting sensitive and critical data, including under the current COVID-19 challenges, is an important first step.

Organisations should focus on these six countermeasures to lower the risks of insider threats.

The current work-from-home environment has increased the value of measures to decrease insider risks, both unintentional and malicious. Organizations find themselves trying to balance caring for employees during organizational change with protecting the organization from insider acts like data theft. Signpost Six recommends that organisations place special emphasis on the following key countermeasures:

  1. Organizational support to employees. Start with care for your employees during these exceptionally trying times. Managers and co-workers often neglect to notice the warning signs before it is too late. This is likely more true in a lockdown world. Organizations are encouraged to provide specific guidance on how to reduce stress and to maintain a hotline for those having difficulty. Be cognizant that productivity levels can differ from the ‘normal’ situation and adjust your expectations to this as an employer. The result will be more involved employees and fewer unintentional leaks.
  2. Effective communication. Effective communication supports an employee’s feelings of organizational support, especially during times of uncertainty around them. Organize regular check-ins with the team, not only for business delivery purposes but also as a social call. Be consistent, fair and transparent.
  3. Working conditions. Enable employees with the right working conditions and provide equipment, tools and guidance to work from home. Remote working environments and communication tools are now a necessity. Unfortunately, not all vendors take security seriously, and organisations need to conduct privacy and security assessments on the tools in use. They should provide users with guidance on preferred and non-preferred options, along with easy-to-follow guidelines on the secure use of the toolsets.
  4. Training and development. Continue training and developing your employees in a virtual manner as much as possible. Insider threat training for bespoke personnel groups is essential in periods of elevated risk. Many insider training courses focus only on what signs indicate a potential for insider acts, but knowing how to respond appropriately is critical. A poor approach to case management can effectively negate an organization’s investment in insider threat detection. This is evidenced by many case studies that highlight how damaging attacks could have been prevented with proper intervention.
  5. Oversight. Ensure oversight of your users through identity and access management and detect anomalous behaviours on the network. User Behaviour Analytics (UBA) is a technical endpoint control that develops user behaviour profiles and can alert security staff when anomalous behaviour is detected. UBA tools are especially useful in the absence of coworkers who might notice unusual activity. In addition, they help stretched security personnel prioritize their investigations by combining data from multiple sources and self-learning. This differs from SIEMs, whose rules-based detection methods must be manually updated.
  6. Enhanced due diligence. Many expect an increase in M&A activity as the valuation of many companies has fallen drastically in the first quarter. State-controlled companies will be active buyers in this environment, exposing companies to elevated espionage risk. Enhanced due diligence of an acquiring company’s ownership and connections is essential to ensure the long-term competitiveness of the company and the economic region.

The benefits of a holistic approach to insider risk management

As organizations have to adjust rapidly to the new working environment, they should not lose sight of what a complete insider threat programme provides. A comprehensive approach provides the basis for oversight of your critical assets and countermeasures to address insider risks holistically. It provides context to interpret concerning behaviour by combining the signals from numerous technical tools with human observations, thereby reducing false-positive rates. Perhaps more important, staff who have been trained to be alert to insider risk indicators can prevent co-workers from doing damage to their organizations and themselves.

Many organizations have started the process of setting up such programmes, but those that haven’t should not delay. COVID-19 has changed the threat landscape, and the elevated insider threat it has created will be relevant for a long time. Maintaining oversight of your key risks to protect your people, assets and reputation is critical during this time. Don’t lose sight of risks when they are actually increasing.

At Signpost Six, we have deep experience evaluating and implementing holistic insider threat programmes at global corporates and public sector organizations and have specialists in each of the countermeasures listed above. Have a question about a specific countermeasure, the changing threat landscape or our insider risk e-learning and webinars? Please reach out to us. We want to help.
