In this blog post, I will discuss substance abuse as a potential precursor to increased insider threat and share statistics from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus on incidents that involved some type of substance use or abuse by the insider. In relation to insider threats, I will discuss the prevalence of substance abuse and discuss some of its impacts on organizations. Finally, I will outline some technical means of detecting employee substance abuse and share some best practices from the CERT Common Sense Guide for Mitigating Insider Threats.

"Substance use disorders (SUDs) represent clinically significant impairment caused by the recurrent use of alcohol or other drugs (or both), including health problems, disability, and failure to meet major responsibilities at work, school, or home."

-Substance Abuse and Mental Health Services Administration, 2016

Substance use and abuse are potential precursors to insider threat. They could lead to concerning behaviors and both criminal and non-criminal acts against an organization. Insider incidents may include theft of intellectual property, sabotage, espionage, fraud, workplace violence, and non-malicious, accidental incidents. In these instances, insiders may commit malicious acts in order to procure money to support their habits or addictions or, due to the effects of the substances on their behavior, may commit acts of workplace violence. Substance use and abuse may also impact an insider's cognitive abilities, leading to unintentional insider threats. These unintentional acts might include being more likely to click on phishing emails or misplace company equipment.

An example of how substance abuse can play a part in an insider incident can be seen in the following true story from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus:

The insider was a full-time branch manager for the victim organization, a bank. Over the course of approximately nine months, the insider removed over $270,000 from customer accounts and converted those funds for their personal use. The insider had developed a severe drug addiction to prescription pain medication and heroin over the course of their employment. Their financial gain was utilized to support their drug habit.

The CERT NITC Insider Incident Corpus contains records of over 1,600 actual insider incidents. A subset of 1,046 of these cases found in our Management and Education of Risk of Insider Threat (MERIT) database focuses on theft of intellectual property, fraud, and sabotage and contains detailed information regarding substances used and/or abused by an insider. Five percent of these insider incidents involved known substance use and/or abuse. Information regarding an insider's substance use or abuse is not always readily available and is frequently not known unless it is disclosed in court proceedings. The incidence of insiders using or abusing substances has risen since 2010. According to the CERT NITC's Insider Incident Corpus, there has been an increase from 1.1 insider cases involving substance abuse per year in the 20 years leading up to 2009 to an average of 4.4 cases per year from 2010 to 2016. The chart below shows that alcohol abuse was predominant in the subset of insider incidents analyzed.

Figure 1. Chart showing the prevalence of substance use and abuse in the MERIT subset of CERT NITC's Insider Incident Corpus from 1999 to 2016.

There has been an increase of insiders committing fraud either to support their own opioid or other substance addiction or to profit from the addiction of others. The healthcare industry is seeing an influx of the latter types of fraud cases, particularly from doctors who are writing out prescriptions for opioid "painkillers" and defrauding the health insurance system by illegally billing for office visits that are only occurring to write out opioid prescriptions in exchange for cash. The FBI and other law enforcement organizations refer to this as a "pill mill." This type of health care fraud will be explored in a future blog post, along with case examples from the CERT NITC Insider Incident Corpus.

Substance abuse and dependence is rampant in the U.S. today, with the opioid crisis considered to be an epidemic. This epidemic, including addiction to heroin, prescription painkillers, and other opioids, is said to cost the U.S. around $80 billion a year from lost productivity, incarceration costs linked to addiction, health care, and treatment. According to the Centers for Disease Control and Prevention, between 1999 and 2016, over half a million people in the United States died from drug overdoses. More than half were the result of an opioid overdose, and there was a significant spike in opioid deaths from 2010-2016. The Substance Abuse and Mental Health Services Administration's (SAMHSA) annual National Survey on Drug Use and Health (NSDUH) for 2016 notes that 11.8 million people misused opioids in the previous year. Of those, 11.5 million misused opioid pain relievers. It is estimated that close to 75% of those with substance misuse disorders are in the work force.

Employees who misuse and abuse substances cost employers money and negatively impact those in the workforce around them. In one study from 2007, prescription opioid abuse was said to have cost employers over $25 billion. One can assume that as the opioid epidemic increases, these numbers will also increase. The National Council on Alcohol and Drug Dependence, Inc. has identified the following areas as potential impacts on organizations due to employee substance abuse, some of which are at the very least counterproductive workplace behaviors and, worst-case scenario, insider threats:

• Tardiness/sleeping on the job
• After-effects of substance use (hangover, withdrawal) affecting job performance
• Poor decision making
• Loss of efficiency
• Theft
• Increased likelihood of having trouble with co-workers/supervisors or tasks
• Preoccupation with obtaining and using substances while at work, interfering with attention and concentration
• Illegal activities at work including selling illicit drugs to other employees

Many of the effects of substance abuse may be visibly detectable via technical means. Several examples of this technical detection that organizations may consider include:

• Monitor badge records for tardiness, absences during the day, and missed work
• Gather information from Human Resource Management systems that could provide information about recent disciplinary actions, security violations, and, where legally allowable, drug test results
• Monitor for web searches concerning alleviating effects of withdrawal and procuring substances
• Gather information from background checks, where legally allowable, to garner information about past substance related arrests (i.e., DUI) and significant financial stressors potentially stemming from drug abuse

Organizations should work with their general counsel and/or human resources departments to support their employees facing substance use and abuse issues and work to mitigate malicious and unintentional insider threats by taking the following steps, many of which are outlined in the CERT Common Sense Guide for Mitigating Insider Threats, Fifth Edition:

• Refer struggling employees to Employee Assistance Programs (EAPs) for support and possible referrals
• Implement drug testing, including for prescription opioid medications, in compliance with all applicable laws and ensuring employee confidentiality
• Conduct background checks to determine if an employee demonstrates financial insecurities or arrests that may be due to current or former substance use and abuse
• Educate all employees on recognizing substance use and abuse disorders both in themselves and in co-workers
• Provide a supportive work environment where people in need will seek help with difficult issues such as substance abuse

Substance use and abuse happens across all demographics. Organizations should work closely with their legal and human resources departments to implement practices and policies that address employee substance use and abuse in a manner that supports employees and the organization and maintains employee privacy.