Another crucial step is developing contractual language to require due diligence of contractors, Lefler says. "When the company enters into a service agreement, they need to make sure that vendors and suppliers will maintain audit systems and controls over their employees to the extent you do over yours. Include liability language in all contracts for losses due to the actions of outsiders who violate trusts," he says.
Of course, as noted previously, insider threats often come to their organizations without criminal backgrounds, so background checking will only go so far to mitigate the threat. And it may be difficult to audit a contractor's diligence in hiring for certain personality traits. That is why the next layer of measures focuses on stopping existing employees from becoming a threat to the organization.
Stop Marginalization by Fostering a Team Culture
One of reasons insiders strike out against their companies is because they have been marginalized by their peers and sometimes even their supervisors.
"Everyone who went to a public high school in America is familiar with how popular kids target some unpopular kids, often the ones who are thought of as geeky," Dietz says. "They tease them, call them names, make then the butt of jokes, don't invite them to parties and then make a point of talking about how great the party was in front of them, leading to tremendous resentment and feelings of exclusion. This happens in workplaces universally unless management becomes aware of the need to prevent it."
A person's differences - ethnicity, accent, financial situation or poor social skills, for example - can be targeted by their colleagues, leading to alienation and thoughts of revenge on the individual tormentors and the organization that fails to protect them. According to Dietz, once a marginalized employee has become the saboteur or thief, management focuses only on terminating that bad actor, not on fixing the environment that helped shape him or her.
"I think the issue is for supervisors to learn about this phenomenon and not sanction or enable it," he says. "They shouldn't look the other way or participate in it, because that's what sustains this behavior. If the supervisor points out that this isn't appropriate team behavior, it can all be short-circuited. Instead, what commonly happens is the supervisor has risen from the ranks as one of the popular people and so participates in the joking or treats the individual unfairly. Part of being a leader at that level means making sure that everyone is treated fairly and no one is being singled out."
Awareness and Reporting
Deloitte's "Building a Secure Workforce" study emphasizes the importance of training the workforce to behave as a threat monitor and maintaining a system that encourages them to report suspicious behavior. "[Malicious insider activity] is often not done in great secrecy," Lefler says. "People around them may be aware of what they are doing, but since there is not corporate sensitivity to it, employees don't always feel obligated to report what they know. That's why awareness programs are important, as are hotlines, and supervisor reporting procedures.
"The awareness program should make the employee comfortable with reporting and confident that the company will act appropriately in protecting employees and shareholders," Lefler continues. "It should be a team effort by HR, legal, security, compliance and the other business leaders. The message needs to be that it's not just about helping the company, it's about helping the employees."
Deloitte's Gelles agrees, noting that a generic awareness program conducted annually or at hiring will be far less effective than a regularly reinforced program that could amount to cultural change. "I think that's where the challenge is for companies today," he says. "They have to use not just the managers but employees to be able to be sensitized to the specific things they need to pay attention to in the specific components across the enterprise where they work." (See sidebar below.)
Brant notes that this effort is further complicated by the virtual nature of the workplace today. "Ten years ago, everything was face-to-face. Now, nearly all our communication is cyber. We have lost that element of personal interaction that allows us to see a potential problem or to deal with it. It's difficult to identify patterns of risk and to initiate follow-up when there's no personal interaction," he says.