Statements On Organization's Social Media

A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.

Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.

This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.

Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.

Offering mental health support and conflict resolution programs to
help employees identify and report manipulative behavior in the
workplace

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns.

Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values.

Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual.

Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment.

A social media policy is a set of rules that governs how employees should use social media platforms in connection with their work. It outlines acceptable and unacceptable behaviors, helps employees understand the consequences of misuse, and serves as a deterrent by promoting accountability, raising awareness of risks, and ensuring consistent enforcement.

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied.

Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation.

In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations.

Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses.

A subject’s publicly accessible online presence may be examined prior to, or during, their association with the organization through the application of Open Source Intelligence (OSINT) techniques. This form of screening involves the systematic analysis of publicly available digital content—such as social media profiles, posts, comments, blogs, forums, and shared media—to assess potential risks associated with an individual.

Social media screening is typically conducted to identify indicators of reputational risk, conflicting motives, or behavioral patterns that may suggest the potential for insider threat activity. Content of concern may include public expressions of hostility toward the organization, affiliation with extremist or high-risk groups, or engagement with topics unrelated to the subject's role that could indicate potential misuse of access.

Trusted service providers specializing in OSINT and digital risk intelligence may be engaged to perform this screening on behalf of the organization. These providers use automated tools and analyst-driven review processes to ensure consistent, legally compliant, and policy-aligned assessments of online behavior.

When implemented as part of pre-employment screening or ongoing risk monitoring, social media screening can serve as a proactive measure to detect insider threat indicators early. To be effective and ethical, such programs must follow applicable privacy laws, data protection regulations, and internal governance standards. When responsibly executed, social media screening enhances the organization's ability to identify individuals who may present an elevated risk to information security, personnel safety, or corporate reputation.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Social Media Monitoring refers to monitoring social media interactions to identify organizational risks, such as employees disclosing confidential information and making statements that could harm the organization (either directly or through an employment association).

Implement User Behavior Analytics (UBA) tools to continuously monitor and analyze user (human) activities, detecting anomalies that may signal security risks. UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. UBA can also provide real-time alerts when users engage in behavior that deviates from established baselines, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider events.