The “bad apples” argument for insider threats is simply too reductionist. Here is why:
When an intentional insider threat manifests it is a product of a hugely complex and escalating set of circumstances. The argument that they are “just bad people who go around stealing and sabotaging” is at best naïve and at worst actually putting your organisation at greater risk.
Imagine for a moment that your life has taken a turn for the worse. Your partner has left you in a messy divorce and you now have expensive custody issues to deal with. On top of that money is tight. You are struggling to pay the bills and have little left over at the end of the month. To make matters worse your mother has just been diagnosed with a serious illness and you have to help your siblings find the money to expedite her care. You’re not even sure if you can really afford to drive the car to work. Speaking of work, your new manager is making life hard for you. She is putting up barriers that were never there before and that promotion you now SO desperately need has been ripped from your grasp and handed to Deborah instead. Deborah!?! I mean she has barely been here 5 minutes for goodness sake.
You are at breaking point. You’re isolated. You are desperate.
A foreign competitor reaches out and offers you a job. A nice sizeable “golden hello” attached to it too. “It would be great if you could bring a copy of the projects you’ve been working on” hint hint nudge nudge. I am only taking a copy. The company still has the data. Right!?!
This money would solve many of these issues. At the very least it will give you some breathing space.
You see in this example the person isn’t “evil” or “bad” they are desperate. They get pushed towards a tipping point desperately treading water. It just so happens that the life vest that was thrown to them first was somewhat dark and nefarious and well, criminal.
This is why employee assistance programs have been shown to be so effective as part of insider threat programs. That much needed life vest can easily come from you as the employer helping the person struggling, leaving them less vulnerable and your company more secure.
Effective insider threat programs aren’t just about “chasing the bad guy” they are about preventing desperation, dissatisfaction and disgruntlement. Sure, we need to monitor and address issues but we all understand prevention is always better than cure.