How can Human Resource organisations help combat Insider Threats?

Insider threats generally come in two forms. Malicious and accidental.


Often in the form of a disgruntled fired employee who wants to get back at their former company, though they can also come in the form of employees still working at the company. In that case they may be part of an organised crime network or an individual looking to harm the company through fraud, IT sabotage, intellectual property theft or espionage.


In the form of employees who unintentionally expose confidential data through poor cyber hygiene, weak passwords or similar such as sending a mass email with everyone's emails in the "To" field instead of the "Bcc".

Whichever one they are they contribute to a significant number of data beaches every year.

A 2017 report from Clearswift reported that

“Organizations report that 42% of IT security incidents occur as a result of their employees’

In many cases breaches from former employees stem from an organisational failure to identify a change in employee status at the point the employee leaves the company – a classic disconnect between HR and the IT companies that are responsible for data security.

Some companies are more vulnerable to this than others – it often occurs where there are high turnovers of staff or where the HR function is outsourced. But IT and HR policies and procedures are key to help companies combat the threat and make it more difficult for Insiders to operate.

2019 Case Study - ‘Spa forced to close after sacked worker cancelled hundreds of appointments’

In June 2019 Lauran Arafat started work as a receptionist at a local spa in Yorkshire. But she had only worked for the business for two days before she was fired.

Within hours of leaving the company she accessed the company database remotely, using her iPhone to pretend to be another employee, and cancelled over two hundred appointments.

Staff tried for weeks to try and keep the business going but ultimately the business collapsed, and all the staff involved were made redundant.

The former owner stated,

‘We tried everything at a personal financial cost to stay afloat, but it was a perfect storm forcing the business into insolvency and ultimately completely destroying the reputation, future plans and possibilities,’ she said. She went onto say ‘We were served notice from our location. Absolute devastation ensued. The embarrassment and humiliation was unbearable.’

Arafat was arrested in January 2021 and following a court hearing at Leeds Crown Court she was made subject to a two-year community order and was told she must carry out 250 hours unpaid work and 15 days rehabilitation activity.

Former spa director Mrs Pearce said following the sentencing: ‘The last three years have been incredibly challenging and isolating with the case going from a civil matter to the Crown Court.

‘I truly hope, that if anything, the sentence issued demonstrates the severity and impact of this individual’s conduct and that it vindicates me. I will continue to use my experience to help others in the future.’

The impact of this insider attack is clear to see – both economically and personally. And it was able to occur simply because the company did not enact simple security protocols when staff left the business.

The least we can do is ensure that the same does not happen to our own businesses.

What can you do to protect your company?

Threats like these are amongst the most difficult to guard against however there are some key considerations for companies.

Have clear HR policies around staff leaving the organisation and ensure that they are adhered to. All staff leaving to have documented and audited exit interviews to include return of company IT equipment, password cancellations etc., to limit opportunities for former staff members to be able to access company networks. Implement a handover period to try and limit impact on the organisation.

Make staff aware of the approaches that they might get and how to report them. One of Tesla’s employees was approached with a $1M deal for insider access. They reported it, helped with the investigation and the criminal, Kriuchkov was arrested. The ECRC can provide bespoke staff awareness training tailored to what threats your company and employees might face. Contact us now to find out more.

Implement strong access controls and allow access to systems that people really need rather than everything. If you were working in a physical location, you might have some areas which were only accessible to staff who worked there, and for anything really valuable, maybe a safe. But you wouldn’t give the safe keys to everyone who worked for you. If you’re not sure about access control take a look at one of our short videos about it.

Have internal network logging. This will enable you to see unusual activity, such as emailing eight thousand sensitive files outside of the network – this is how General Electric recently suffered a massive data breach. The NCSC has a free tool to help with this, Logging Made Easy. You can read more about it here.

Have policies and procedures which cover data control and access. Consider limiting the number of attachments that could be sent out at once, and then set up a rule which alerts you if any more than that are sent. This gives you the ability to check that what is being sent is going for a legitimate reason. Tell your staff that their emails are being monitored and tell them about the policy. If you are not sure whether your policies cover all that should be considered why not have a policy review with our affordable service provided by one of our students?