Skip to content

Illustration by Security Management; iStock

The Insider Threat and Extremist Rhetoric

The frequency of malicious insider threat incidents is on the rise—spiking by 47 percent between 2018 and 2020, according to the Ponemon Institute’s 2020 Cost of Insider Threats: Global Report. This growth has roughly coincided with the expansion of media transmissions of opinions and viewpoints from activists on both the right and the left, some of which may be appropriately described as extremist.

While the growth of polarizing and extremist rhetoric may be most commonly attributed to an advancing Internet, the traditional approaches to mitigating insider threat risks may also be effective in reducing the incendiary quality of extremist rhetoric before it results in harm or destruction.

American cybersecurity software company Code42 recently noted that the COVID-19 workplace environment has increased the presence of insider threats. The study, conducted by the Ponemon Institute, found that:

“Both business and security leaders are allowing massive insider risk problems to fester in the aftermath of the significant shift to remote work in the past year. During that same time, three-quarters (76 percent) of IT security leaders said that their organizations have experienced one or more data breaches involving the loss of sensitive files and 59 percent said insider threat will increase in the next two years primarily due to users having access to files they shouldn't, employees’ preference to work the way they want regardless of security protocols and the continuation of remote work. Despite these forces, more than half (54 percent) still don’t have a plan to respond to insider risks.”

Indicators of potential insider threat are drawn typically from the following categories: access attributes; career and performance records; foreign considerations; security and compliance incidents; technical or network activity; criminal, violent, or abusive conduct; financial considerations; substance abuse and addictive behaviors; and judgment, character, and psychological considerations.

A sincere and responsible effort to appraise a suspected insider threat leads to a number of particularly insightful questions. Does the individual demonstrate declining performance ratings? Have there been Human Resources complaints? Has there been a reprimand? Does the individual possess a high level of clearance? Does the individual engage in frequent foreign personal travel and fail to report foreign personal contacts? Have there been security violations or reports of working at off-hours? Has the individual violated information systems policies or introduced unauthorized software? Have there been signs of unexplained affluence? Has there been criminal violent behavior, weapon mishandling, signs of substance abuse or drug test failure, falsifying data in the workplace, or expression of extreme despair?

According to the National Insider Threat Task Force Mission Fact Sheet, a single indicator may say little. If taken in conjunction with other indicators, however, a pattern of concerning behavior may arise that can add up to someone who could pose a threat.

The fact sheet further notes:

“It is critically important to recognize that an individual may have no malicious intent, but is in need of help. We have invested a tremendous amount in our national security workforce, and it is in everyone’s interest to help someone who may feel he or she has no other option than to commit an egregious act—such as espionage, unauthorized disclosure, suicide, workplace violence, or sabotage. Intervention prior to the act can save an employee’s career, save lives, and protect national security information. There are also unwitting insiders who can be exploited by others.”

This process ultimately yields a personal profile of a suspected insider threat that allows for correction, as well a possible prosecution. The U.S. Department of State’s Insider Threat Program works to deter, detect, and mitigate insider threats to protect its organization’s people, facilities, information, and reputation, according to “Building a Culture of Trust” from State Magazine. The program strives to build a culture of trust and organizational wellness and emphasizes the aim of “turning a suspect around” rather than “turning a suspect in.”  

The program’s officers make available an extensive array of educational tools, including briefs, articles, charts, videos, and online and in-person training exercises, which, in addition to training, may also serve to establish a reassuring and congenial relationship with employees who participate.  Responses to reports of suspected insider threats—such as extremist rhetoric—are formed on a case-by-case basis. 

James T. Dunne, CPP, is a member of the ASIS Communities for Extremism and Political Instability and Information Technology Security. He is a senior analyst in the State Department’s Bureau of Diplomatic Security. The views expressed here are those of the reviewer, and do not necessarily reflect those of the U.S. Department of State or the U.S. Government.