Posted on by Insider Threatin
In this blog post, I will discuss substance abuse as a potential precursor to increased insider threat and share statistics from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus on incidents that involved some type of substance use or abuse by the insider. In relation to insider threats, I will discuss the prevalence of substance abuse and discuss some of its impacts on organizations. Finally, I will outline some technical means of detecting employee substance abuse and share some best practices from the CERT Common Sense Guide for Mitigating Insider Threats.
"Substance use disorders (SUDs) represent clinically significant impairment caused by the recurrent use of alcohol or other drugs (or both), including health problems, disability, and failure to meet major responsibilities at work, school, or home."
Substance use and abuse are potential precursors to insider threat. They could lead to concerning behaviors and both criminal and non-criminal acts against an organization. Insider incidents may include theft of intellectual property, sabotage, espionage, fraud, workplace violence, and non-malicious, accidental incidents. In these instances, insiders may commit malicious acts in order to procure money to support their habits or addictions or, due to the effects of the substances on their behavior, may commit acts of workplace violence. Substance use and abuse may also impact an insider's cognitive abilities, leading to unintentional insider threats. These unintentional acts might include being more likely to click on phishing emails or misplace company equipment.
An example of how substance abuse can play a part in an insider incident can be seen in the following true story from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus:
The insider was a full-time branch manager for the victim organization, a bank. Over the course of approximately nine months, the insider removed over $270,000 from customer accounts and converted those funds for their personal use. The insider had developed a severe drug addiction to prescription pain medication and heroin over the course of their employment. Their financial gain was utilized to support their drug habit.
The CERT NITC Insider Incident Corpus contains records of over 1,600 actual insider incidents. A subset of 1,046 of these cases found in our Management and Education of Risk of Insider Threat (MERIT) database focuses on theft of intellectual property, fraud, and sabotage and contains detailed information regarding substances used and/or abused by an insider. Five percent of these insider incidents involved known substance use and/or abuse. Information regarding an insider's substance use or abuse is not always readily available and is frequently not known unless it is disclosed in court proceedings. The incidence of insiders using or abusing substances has risen since 2010. According to the CERT NITC's Insider Incident Corpus, there has been an increase from 1.1 insider cases involving substance abuse per year in the 20 years leading up to 2009 to an average of 4.4 cases per year from 2010 to 2016. The chart below shows that alcohol abuse was predominant in the subset of insider incidents analyzed.
Figure 1. Chart showing the prevalence of substance use and abuse in the MERIT subset of CERT NITC's Insider Incident Corpus from 1999 to 2016.
There has been an increase of insiders committing fraud either to support their own opioid or other substance addiction or to profit from the addiction of others. The healthcare industry is seeing an influx of the latter types of fraud cases, particularly from doctors who are writing out prescriptions for opioid "painkillers" and defrauding the health insurance system by illegally billing for office visits that are only occurring to write out opioid prescriptions in exchange for cash. The FBI and other law enforcement organizations refer to this as a "pill mill." This type of health care fraud will be explored in a future blog post, along with case examples from the CERT NITC Insider Incident Corpus.
Substance abuse and dependence is rampant in the U.S. today, with the opioid crisis considered to be an epidemic. This epidemic, including addiction to heroin, prescription painkillers, and other opioids, is said to cost the U.S. around $80 billion a year from lost productivity, incarceration costs linked to addiction, health care, and treatment. According to the Centers for Disease Control and Prevention, between 1999 and 2016, over half a million people in the United States died from drug overdoses. More than half were the result of an opioid overdose, and there was a significant spike in opioid deaths from 2010-2016. The Substance Abuse and Mental Health Services Administration's (SAMHSA) annual National Survey on Drug Use and Health (NSDUH) for 2016 notes that 11.8 million people misused opioids in the previous year. Of those, 11.5 million misused opioid pain relievers. It is estimated that close to 75% of those with substance misuse disorders are in the work force.
Employees who misuse and abuse substances cost employers money and negatively impact those in the workforce around them. In one study from 2007, prescription opioid abuse was said to have cost employers over $25 billion. One can assume that as the opioid epidemic increases, these numbers will also increase. The National Council on Alcohol and Drug Dependence, Inc. has identified the following areas as potential impacts on organizations due to employee substance abuse, some of which are at the very least counterproductive workplace behaviors and, worst-case scenario, insider threats:
Many of the effects of substance abuse may be visibly detectable via technical means. Several examples of this technical detection that organizations may consider include:
Organizations should work with their general counsel and/or human resources departments to support their employees facing substance use and abuse issues and work to mitigate malicious and unintentional insider threats by taking the following steps, many of which are outlined in the CERT Common Sense Guide for Mitigating Insider Threats, Fifth Edition:
Substance use and abuse happens across all demographics. Organizations should work closely with their legal and human resources departments to implement practices and policies that address employee substance use and abuse in a manner that supports employees and the organization and maintains employee privacy.
Visit the SEI Digital Library for other publications by Tracy.