Detecting and responding to insider threats

In 2017, a Pennsylvania convenience store worker shot and killed three of his colleagues before turning the weapon on himself. Investigators later discovered he had posted extensively online about his plans and motivations. This is an extreme case. Insider threats are not always so violent, but they can pose as much of a risk as threats from outside.

Insider threats take many forms

Insider threats vary from harassment of co-workers to sabotage and theft. Proprietary or client data may be leaked or sold, access credentials stolen, and company systems wiped or crippled with malicious code. These threats are identical to those from outside actors, but they come from trusted employees.

No organization is immune. In 2017, WikiLeaks began publishing secret CIA files in an archive known as Vault 7. It was soon discovered that a former CIA software developer was responsible.

Many of these insider threats leave an online fingerprint, albeit a faint one. Not every warning sign is as splashy as an online manifesto. Some may be as commonplace as social media posts about a business or an employee. Others may be more difficult to see. In some cases, stolen data is traded on dark web marketplaces or shared on unindexed platforms such as Telegram.

A risky time for employers

Most economies have experienced a slowdown in the post-pandemic rise in employment. Many are experiencing stagnant or negative growth. Job market uncertainty increases the likelihood of insider threats. Disgruntled employees are more likely to stay in roles and express frustration internally. When layoffs loom, the emotional and financial impact of job loss can push some individuals toward harmful behavior of various types, from sabotage to violence.

Open Source Intelligence is a powerful tool

Open Source Intelligence (OSINT) plays a crucial role in identifying and mitigating these risks. Monitoring social media allows security professionals to pick up threats before they become serious. An advanced tool such as Signal helps security teams overcome the challenges of monitoring the vast amount of information found online.

Using custom searches, AI-assisted alert triage, and event summaries, Signal allows security teams to pick up threats in real time. Because insider threats seldom telegraph their presence at work, it is difficult to target particular individuals. But OSINT tools such as Signal monitor comments, sentiment and direct threats to organizations, unearthing internal as well as external threats.

Key risk points in the employment cycle

The end of employment is a critical time for insider threat monitoring:

While most of these employees don’t pose a serious risk, having extra notifications and searches in operation during layoffs or restructuring helps improve situational awareness.

Some insider threats emerge only after the damage is done. OSINT tools can also help uncover these incidents by monitoring suspicious activity in locations such as the dark web or unindexed platforms. If employees were planning to sell or trade sensitive data, then the right OSINT tool looking in the right places may be able to detect malicious activity. Armed with this knowledge, security teams can take action to mitigate damage and even provide vital information for the apprehension or prosecution of bad actors. Signal has the capability to monitor dark web forums for this sort of behavior, as well as unindexed areas of the internet such as Telegram or Discord.

Damage can be far-ranging

While violence grabs headlines, insider threats often cause lasting financial, operational, and reputational damage. Organizations may be held liable if they fail to take reasonable steps to prevent or mitigate insider actions. Having the right OSINT tools in place and utilizing them effectively is an excellent first step in detecting and mitigating insider threats.

Summary

Insider threats exploit the trust organizations place in their employees. With the right tools, security teams can detect trouble early and respond proactively.

Signal offers broad and deep OSINT coverage across a range of sources, including forums and blogs, as well as the surface, deep and dark web. Real-time custom alerts combined with AI-enhanced detection, triaging and reporting help security teams act fast.

To find out more about how Signal can protect your organization against internal and external threats, book a Signal demo today.
