Organizations around the world have moved quickly to deal with COVID-19, sending users to work from home, reducing staff, and taking other cost-control actions. While these steps are necessary, they combine to create ideal conditions for insider threat.

Motivations that compel employees to become malicious insiders include financial distress, disgruntlement, and the announcement or fear of layoffs. As companies move to deal with the economic reality brought on by pandemic response, each of these factors is coming into play.

Users may act in their own financial self-interest, to get revenge on the company, or to prepare themselves for future employment. Your data — PII, PCI, PHI, and IP — is valuable both inside and outside your organization. Now is not the time to let your guard down.

The rapid move to remote work may leave some users outside the typical security controls organizations employ, leaving systems and data vulnerable. Strained security staffs may struggle to detect malicious activities, as the behavioral baselines used by many of their monitoring tools are thrown off by new patterns of work brought on by remote working and irregular work times.

To combat the potential threat, security teams need to:

  • Use connectivity like VPNs or Zero Trust Network Access (ZTNA) solutions to ensure that corporate security controls are enabled for user devices, including personal devices being used for work.
  • Apply Zero Trust controls to sensitive data and systems in order to control and monitor access.
  • Avoid relying entirely on user behavior monitoring tools that no longer reflect the actual environment users are working in.
  • Educate users about safe and appropriate data handling in a remote setting.
  • Be forewarned of job actions so they can tighten monitoring on the affected users and remove privileges from those users prior to job actions.

Have a plan for remotely wiping or locking the systems of users (employees and contractors) who are working remotely and may be part of a layoff or furlough. Leaving these systems active may enable affected employees to retrieve sensitive information after they are notified. Also, make retrieving these systems from the affected user population part of the plan. Alternatively, plan to remote-wipe the data and allow the user to keep the device as part of their severance. That will help to build goodwill and prepare that user for their career journey.

Above all, organizations must do their best to reassure employees and treat them respectfully. Your users are scared — both of getting sick and of losing their jobs. How these concerns are addressed has a tremendous impact on the likelihood of users turning malicious.

For more on protecting against insider threats, see Forrester’s “Best Practices: Mitigating Insider Threats” report.