Edward Snowden, who has leaked classified information about intelligence collection activities of the National Security Agency (NSA), reportedly told the South China Morning Post that he sought a job as a contractor at government consulting firm Booz Allen Hamilton with a goal: to collect proof about the NSA’s domestic surveillance programs and alert the public to the programs. However, Snowden is not the typical insider threat. Most insiders who later betray their employer’s trust don’t start out with that intent. The change from benign employee to malicious insider can be spurred by anything from home-life stress to frustration at being passed over for a promotion to the thought that the company does not appreciate one’s contributions.
Though the risk is great, it is not possible to deny insiders the access to data that they will need to do their jobs. So what can a company do?
The company must have clear policies regarding how corporate data is to be handled and safeguarded, and confidential data should be clearly labeled, with access as restricted as feasible. Additionally, the company should secure the data itself and use software to track access and seek signs of suspicious activity, especially with regard to what information leaves the system or is copied. This article focuses, however, on the human factor—what companies can do in the hiring process and throughout employment to detect signs that a person is likely to become, or has become, an insider threat.
Individuals who end up becoming an insider threat exhibit some common traits. That doesn’t mean all insider threats have these traits or that all people with these traits will become a threat. But it can be useful to know what these traits are.
One possible worrisome trait is narcissism, according to Satyamoorthy Kabilan, director of National Security and Strategic Foresight at the Conference Board of Canada: “It’s about people who perceive that they’re far more valuable than they actually are; they have an exaggerated value or view of the value that they bring to the organization, an exaggerated view of their abilities and achievements, and [they] are usually very intolerant of criticism. They minimize the significance of the contributions of others.”