In the last 10 years, 192 credit unions have failed. Fraud contributed to more than 40%, or 78 of those federally insured cooperatives, closing their doors forever. Moreover, from 2009 to 2013, 46% of claim dollars paid under CUNA Mutual Group's fidelity bond coverage involved employee dishonesty.

Although many fraud cases don't lead to a credit union's failure, they certainly cause financial losses and higher insurance costs, and the damage to the cooperative's reputation could mean even greater financial losses.

“For forging fraudulent deposits, a credit union might file a $1,000 claim or a $2,000 claim but when you're talking about employee dishonesty, that could go into the hundreds of thousands of dollars for one claim,” Joette Colletts, senior manager for credit union protection risk management at CUNA Mutual Group, said in a Nov. 3, 2014 CU Times article.

While credit unions have various controls and leverage other methods to reduce the risk of insider fraud, some experts say organizations need to develop a security plan that can reduce the risk even further – and perhaps even prevent incidents – because insider threats are increasing.

In September 2014, the Federal Bureau of Investigation and the Department of Homeland Security issued a public warning of an increase in computer network exploitation and disruption by disgruntled or former employees.

“The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to U.S. businesses due to their authorized access to sensitive information and the networks businesses rely on,” the FBI and DHS reported. The federal government defines an insider threat as a current or former employee, contractor or other business partner who has or had authorized access to an organization's network, system or data and intentionally misused that access to negatively affect the confidentiality, integrity or availability of the organization's information or information systems.

Every year, the CU Times reports on dozens of fraudulent schemes committed by employees at all levels, including CEOs, vice presidents, managers, loan and investment officers, service representatives, IT professionals and tellers. They all had different levels of access to their credit union's IT systems that enabled them to carry out their fraud for years.

Moreover, the 2012 Common Sense Guide to Mitigating Insider Threats produced by the Software Engineering Institute at Carnegie Mellon University in Pittsburgh also showed that banking and finance companies recorded far more insider fraud incidents than healthcare firms, commercial facilities and state and federal governments did. But IT firms and commercial facilities did record more theft of intellectual property and sabotage incidents than financial services institutions.

Hoping and trusting that employees are not going to do anything wrong is not a security strategy, Mike Tierney, chief operating officer for the Vero Beach, Fla.-based SpectorSoft, said.

“What do you do? Do you trust? Yes, you can trust but trust with verification is a much stronger position to be in. You should inspect what you expect,” he explained.

SpectorSoft is a computer and mobile device user activity monitoring and analysis software provider that works with more than 36,000 businesses, government organizations, schools and law enforcement agencies on security and compliance issues.

About 77% of employee fraud occurs in accounting, operations, sales, customer services, purchasing and upper management, but many organizations are not prepared to address this risk.

A 2014 SpectorSoft survey of 355 IT professionals found that 59% of them were unable to detect an insider threat, leaving them vulnerable to fraud, data breaches and IP theft.

But insider threats are not easy to detect.

Though the vast majority of employees are trustworthy, evidence indicates that about 10% of employees account for 95% of the incidents, according to SpectorSoft. Nonetheless, it's difficult to know who these employees are and how to prevent their breaches because “most insider misuse occurs within the boundaries of trust necessary to perform normal duties,” according to the 2014 Verizon Data Breach Investigations Report.

In a recent webcast, Tierney and Dominique Cultrera, vice president of human resources at SpectorSoft, outlined steps that organizations can take to detect insider threats to reduce risks and, in some cases, prevent major problems and the costs associated with fraud, data breaches and intellectual property theft.

An organization's security plan should cover the three stages of what SpectorSoft calls the beginning, middle and end of an employee lifecycle.

Tierney said every position in the organization is associated with risks. In general, the greater the access the greater the risk. He suggested that every position in the organization be assigned a risk rating. On a scale from 1 to 10, for example, a receptionist position may get a risk rating of 1 or 2, while a CFO position may require a risk rating of 7.

“When we look at a position we can determine what access that position requires to fulfill its role,” Tierney said. “That is a powerful first step in defining the risk associated with that position.”

Once the employee begins work, or the middle phase of the employee lifecycle, the human factor will combine with the positional risks, which will drive changes to the original risk levels over time.

“As U.S. Defense Secretary Donald Rumsfeld famously said, 'You have known knowns. You have unknown knowns and you have unknown unknowns – and we're worried about the unknowns,'” Tierney said. “Where does risk exist that you don't know about, and what are some things that can be happening in the employee lifecycle that you may not be privy to in a security role that may lead to elevated risk?”

Cultrera pointed out that over the years, people's situations at work change, their personal lives change and so can their behaviors.

The human resources department can play an important role in detecting any red flags such as when an employee is placed on probation, a performance plan or gets a less-than-stellar performance evaluation. Other concerns can occur when an employee applies for a hardship loan against his 401(k) plan or when an employee's paycheck is legally garnished. Other problems can surface when an employee doesn't get an expected promotion, a raise or is not getting along with other employees or managers.

“People are more apt to commit fraud if there are things going on in their lives,” Cultrera said.

When these employee issues surface, organizations should consider increasing the risk level and share that information only with those who need to know, so that an employee's right to privacy is not violated.

But in order to effectively communicate the risk levels and protect an employee's right to privacy, it's important for HR, IT security, legal and upper managers to work closely together.

For example, when an employee is placed on a performance plan, HR may increase the employee's risk score from 5 to 8. That elevation in the risk score can be communicated without IT security and others knowing the reasons behind the risk score change, which will protect the employee's privacy.

For the middle stage of an employee lifecycle, Tierney recommends that every company implement a monitoring plan to make sure the access to information the organization has granted employees is being used properly. This is particularly important for higher risk positions or when the risk level of any employee is elevated.

“You want to be closely monitoring the activities of highly privileged users down to recording every keystroke, because every keystroke has so much more weight and so much more consequence than someone who has a lower set of privileges,” he said.

However, the greatest risk for insider threats occurs at the end of the employee life cycle, or when the employee resigns or is fired.

“People who are leaving a company are more likely to take something with them,” Tierney explained. “What we know is that one out of every two employees surveyed say they think it is OK to take corporate data with them when they leave. I've seen surveys where 18% of employees admitted to stealing corporate intelligence after leaving a company. When 18% are admitting it, you know the number is a lot higher than that.”

During the exit interview, the final stage, it's important to review confidentiality agreements with employees to remind them of their legal obligations and direct them to either return or destroy any corporate information they may have in their possession.

What's more, it's important for organizations to closely review an employee's digital behavior in the workplace 30 days before she is to be fired or when she gives her two-week notice of resignation. Tierney said research has shown the 30-day threshold is when the insider threats are most likely to occur.
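The lifecycle risk-scoring approach described above, modelled as an added Python example (this is not code from SpectorSoft or from the article). The position baselines, the score-to-monitoring mapping and the score floor applied inside the 30-day departure window are assumed values chosen to illustrate the method.

```python
"""Employee-lifecycle risk scoring: position baseline, HR-driven elevation
with the reason withheld from IT security, and the 30-day departure window."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed baseline ratings per position on the article's 1-10 scale.
POSITION_BASELINE = {"receptionist": 2, "teller": 4, "loan officer": 5,
                     "cfo": 7, "sysadmin": 9}
DEPARTURE_WINDOW_DAYS = 30   # the 30-day threshold cited in the article
DEPARTURE_FLOOR = 8          # assumed: departing staff treated as high risk


@dataclass
class Employee:
    name: str
    position: str
    hr_adjustment: int = 0                 # delta set by HR; reason stays in HR
    departure_date: Optional[date] = None  # known firing or resignation date

    def baseline(self) -> int:
        return POSITION_BASELINE[self.position]


def hr_flag(emp: Employee, new_score: int, reason: str, hr_log: list) -> None:
    """HR raises the score (e.g. 5 -> 8 for a performance plan). The reason is
    recorded only in HR's own log; IT security sees the new score, not why."""
    hr_log.append((emp.name, reason))
    emp.hr_adjustment = new_score - emp.baseline()


def risk_score(emp: Employee, today: date) -> int:
    """Positional risk plus HR adjustment, raised to DEPARTURE_FLOOR when the
    employee is within the departure window; clamped to the 1-10 scale."""
    score = emp.baseline() + emp.hr_adjustment
    if emp.departure_date is not None:
        days_left = (emp.departure_date - today).days
        if 0 <= days_left <= DEPARTURE_WINDOW_DAYS:
            score = max(score, DEPARTURE_FLOOR)
    return max(1, min(10, score))


def monitoring_tier(score: int) -> str:
    """Assumed mapping from score to monitoring depth."""
    if score >= 8:
        return "keystroke"   # record every keystroke for highly privileged/elevated
    if score >= 5:
        return "activity"    # user-activity monitoring
    return "baseline"        # standard logging only


def security_view(emp: Employee, today: date) -> dict:
    """What IT security receives: name, score and tier, never the HR reason."""
    score = risk_score(emp, today)
    return {"name": emp.name, "score": score, "tier": monitoring_tier(score)}
```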
