Skip to Content

Returning to the workplace brings elevated insider risk


With employees returning to work following the pandemic shut down, now is an appropriate time to conduct an insider risk security control check-up. Many organizations were unprepared for the shift to work from home and scrambled to strengthen remote access as well as identity and access management (IAM) security controls to ensure business continuity. After addressing this critical concern (hopefully), and now with coworkers returning to work in the office, we can return to business as usual, right? Not so fast.

Refresh security awareness

In addition to switching from business casual on the top for video conferences, with “comfy” casual below the camera view, back to our more appropriate office attire, we need to consider and address how employees have relaxed their cyber and information security practices over the last couple of months. One of the best ways to renew security behavior awareness and practice is through messaging. Remind your co-workers about wearing their badges while inside your facilities but removing them when they leave the facility. Reinforce their understanding of your acceptable use and social media policies. Caution employees and others who are entrusted with access to company resources that circumventing security requirements to be more efficient and “get the job done” is unacceptable. Explain why security procedures are so important and provide a feedback process to be informed when controls are too burdensome. Make these messages enticing and interesting to attract and keep their attention, and keep in mind that these messages need to be short, simple, and to the point. Employees are more apt to gloss over anything more than a short paragraph, if they don’t delete them outright.

Behavioral indicators

While many organizations focus on technical indicators to identify insider risk concerns, don’t forget to look at human behavioral indicators, which are just as important. For many people, the shift from working in the relaxed home environment back to working in the office can increase stress, which may directly correlate to behavioral changes. Our co-workers may exhibit their increased stress levels, and even feel resentment at having to return to an office environment. This may be reflected in changes to their everyday behavior when compared to pre-pandemic norms, and carry-over into performance and disciplinary concerns. Co-workers, and especially managers need to be attuned to these changes, so they can evaluate and seek appropriate guidance on intervention, before the insider causes a security event or incident.

Technical indicators

We all use technical indicators to indicate and predict risk events and incidents. Email content, increased cadence, messages to external addresses, more emails messages with attachments, and larger attachments, when compared to pre-Covid-19 baselines, can indicate potential insider risk issues. Does the employee have a legitimate reason for these changes, or are they exfiltrating information in anticipation of job change, espionage, or sabotage? Is the employee attempting to access files that are outside the scope of their normal duties? Is the employee now attempting to access websites that contain inappropriate content, or that may employ drive-by, spoofing, or other techniques to compromise security and gain network or system access. Physical security indicators may also be informative. Logs from these sources are also relevant to insider risk evaluations. Is the employee attempting to access areas they did not access before and have no legitimate reason for doing so?

Contextual indicators

The Covid-19 placed a strain on individual finances, not just the organization’s financial outlook. Laid-off and furloughed employees, and employees whose pay was reduced to protect organizational budgets may have fallen behind in their mortgage, vehicle loan, and familial support payments. These concerns may be reflected in court orders requiring wage garnishment by finance. Does the employee have access to critical organization assets and resources? These situations may lead to the employee considering theft or embezzlement or make the employee more susceptible to espionage recruitment by a competitor or nation state.

Trusted business partners

Our definition of “insider” must also include contractors and trusted business partners, since they frequently have authorized access to our organization’s networks, systems, and facilities. Did they appropriately adjust their security posture and controls for their response to the pandemic? Is there a vulnerability that would allow someone to compromise their network or system, and then gain access to your organization’s resources? These are all good questions for inquiry when evaluating our security posture.

Business process improvement

As part of your re-boarding and business process improvement initiatives, consider using a questionnaire to allow returning employees to provide feedback regarding how your organization might be better prepared in the event something of this magnitude happens again. An appropriately worded questionnaire would also allow employees to express health concerns affecting security, such as leaving doors open so they don’t have to touch doorknobs, and their reluctance to use shared machines and resources. If your organization cannot reach an accommodation, a considered reply explaining the reason may be appropriate and increase transparency. From an insider risk perspective, allowing your workforce to provide this level of feedback and input, with appropriate, considered responses to acknowledge their concerns, have the added benefit of providing them a means of expressing their concerns, thereby lowering their stress levels and their insider risk potential.


While the abovementioned examples are certainly not exhaustive, they provide a glimpse at potential, elevated insider risk as our workforce returns to the workplace. We must also keep in mind that insider risk should be determined from an aggregation of indicators as single indicators taken out of context may lead to erroneous conclusions. The pandemic has changed all our lives. By considering resulting changes in behavioral, technical, and contextual risk indicators of our employees as well as in our trusted business partners’ security posture, reinforcing insider security practices through awareness messaging, and improving business processes through employee feedback, we can better position our organizations to prevent, detect, and mitigate insider risk.

To find out more about how we can help you visit our cybersecurity services page.

Follow Dan Leyman on LinkedIn.