search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 4 (of 19)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Carly Huth, Insider Threat Researcher for the CERT Program, with the fourth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The fourth of the 19 best practices follows:

Practice 4: Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.

A system administrator obtains confidential customer data. An executive implements a scheme to defraud his employer. A network administrator deletes crucial files. What is one thing these insiders have in common? The insiders in each of these cases had backgrounds or behaviors that should have increased the amount of scrutiny the organization placed on the insider.

However, in these cases the employers were either unaware of the background or behavior, or failed to take proper steps to address the risk. One protective measure that organizations should consider is performing background checks on their employees, including criminal background and credit checks, making sure to comply with all legal requirements. These checks should be performed for all employees, contractors, and trusted business partners. Organizations should consider updating this information throughout employment, especially for employees in positions requiring a great deal of trust.

Responding to suspicious behavior is another protective measure that organizations may want to implement. Suspicious behaviors include financial problems, unexplained financial gain, and boasts of malicious acts or capabilities. Organizations should define and consistently enforce security policies and procedures. Organizations may choose to establish an employee-reporting program so that co-workers can report suspicious behaviors. Once a suspicious behavior is reported, organizations should take steps to address the issue, including

  • investigating and documenting the behavior
  • evaluating the critical assets the employee can access
  • reviewing logs of recent activity
  • offering coping strategies to address the issues underlying the behavior

Implementing this practice may raise several challenges. Organizations must ensure that while monitoring communications and sharing information, they comply with laws, regulations, and company policies. They must also understand how monitoring may affect productivity by reducing morale. There are also challenges surrounding the use of arrest records, particularly given recent Equal Employment Opportunity Commission guidance on the subject. In addition, there is some indication that insiders may have arrest records in similar proportion to the overall working population, suggesting that the correlation between arrest history and insider crime may not be meaningful. However, while these challenges must be addressed, instituting protective measures will ensure that your organization is better informed about potential risks to your critical assets.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 5, Anticipate and manage negative issues in the work environment, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to

About the Author