While businesses are often aware of external threats perpetrated by cybercriminals looking to make a quick buck or competitors that want to play dirty, many forget that internal threats also pose a great risk to the safety and security of the organization and its personnel.
These threats come in many forms – theft, fraud, cybercrime, and workplace violence – and oftentimes, management fails to notice the warning signs and acts too late.
According to Tom Miller (pictured), CEO of risk management, analytics and compliance firm ClearForce, disengaged, violent, or criminal employees are grown, not hired. This means that most employees who would later go on to become a threat to their workplaces had no intention of doing so when they joined.
“Everyone faces different challenges and personal, financial, or professional stress,” he told Corporate Risk and Insurance. “When an employee displays warning signs of risky behavior that no-one reacts to, they can quickly move down the path of becoming an insider risk and inflict damage on an organization.”
Miller cited a Gallup poll which found that 17% of employees are actively disengaged. This resulted in less productivity as well as more careless errors and mistakes, like falling for phishing scams or accidentally releasing classified material. Other, more serious risks include workplace violence, harassment and bullying, fraud, cybercrime, crimes committed outside the office, and theft. All of these insider risks add extra costs to businesses, through litigation and loss of business reputation and opportunities, to the tune of US$8.7 million annually, on average. He also revealed that 53% of businesses confirmed that they’d experienced damages from insider attacks in 2018.
“One real life example is Harold T. Martin, a government contractor convicted of stealing over 500 million pages of classified data over a 20-year period,” Miller said. “His actions inflicted devastating financial and reputational impacts on his employer. But Martin, like all other insider risks, displayed warning signs that he was likely to act maliciously which his employers failed to recognize. Going back all the way to 2000, Martin showed signs that he was under financial and personal stress which went unnoticed by his employers. If they had reacted to Martin’s red flags, they could have connected him with the necessary counselling and resources early on to prevent the corporate risk and damage he eventually caused.”
Duty of care to employees
Aside from warning about the financial damage insider attacks could cause to organizations, Miller also believes that a company failing react to the warning signs of risky employee behavior is a breach of its duty of care to its employees.
“Employees work hard every day and expect their employers to provide them with a safe and secure work environment in return,” he said. “Failure to meet this standard can result in an employee being injured or injuring another co-worker, which can leave an employer to be found guilty of negligence. There are several types of employer negligence, but all of them involve four parts: a duty of care owed to the employee, breach of that duty of care, cause of breach, and harm resulting from the breach.”
However, due diligence from an employer does not stop at the hiring process. According to Miller, an employer can also be sued for negligent retention – if they do not take action with an employee after becoming aware that they are no longer a good fit with the company or commit crimes or acts of misconduct – and negligent supervision, which is a passive form of negligence where an employer does not appropriately monitor or control their employees.
Preventing risky behavior
According to Miller, it should be the goal of every employer to create a highly effective and trouble-free work environment that attracts and retains the best employees. However, the traditional one-time background check fails to capture threats and business risks that occur after an individual is hired. A continuous discovery system can help employers recognize the leading indicators of risky behavior and notice red flags from employees.
However, he said that it’s also important that employers are transparent with employees about continuous discovery programs, to promote trust between employees and employers and remind workers about what is expected of them and appropriate workplace behavior.
“Through continuous discovery, employers can be automatically notified about employee conduct that qualifies as a potential business risk,” Miller said. “Early action is key to mitigating business risks and a correction does not always have to be punitive. The earlier an employer intervenes the more options they have to work with employees to correct the situation. Allowing employees to anonymously report an individual’s behaviors also helps HR receive the right information.
“For example, upon notification, HR or managers could talk with an employee and learn that they are disgruntled about their workload. Management can then work with the employee to match them with the correct resources to help them better manage deadlines or enlist HR to recruit more employees to balance the amount of work in the office.”
According to Miller, employers and HR departments need to understand that knowledge is power. The earlier and the more information employers have, the better they are able to protect their business and employees.
“Through our continuous discovery system, we help employers nationwide identify and manage insider risk,” Miller said. “In the process, we help reduce the business risks and additional costs – stemming from termination, legal, and rehiring.”