Insider Trading

A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.

Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.

This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.

Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.

Offering mental health support and conflict resolution programs to
help employees identify and report manipulative behavior in the
workplace

A structured program, including a helpline or other reporting mechanism, designed to assist employees who feel vulnerable, whether due to personal issues, coercion, or extortion. This process allows employees to confidentially raise concerns with trusted teams, such as Human Resources or other qualified professionals. In some cases, it may be appropriate to discreetly share this information with trusted individuals within the Insider Risk Management Program to help prevent and detect insider threats while also providing necessary support to the employee.

An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns.

Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values.

Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual.

Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment.

Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.

Mental Health and Personal Struggles

• Trigger Event: HR receives reports or observes a significant change in an employee's behavior or performance, which may indicate mental health issues or personal struggles that could elevate the likelihood of an insider threat. This information may come from managers, colleagues, or direct observations within HR.
• Indicator: Multiple reports from managers, direct supervisors, or colleagues highlighting behavior changes such as stress, depression, or erratic actions.
• Response: HR teams should notify investigators of high-risk employees with visible signs of distress or any reported instances that might indicate susceptibility to manipulation or exploitation.

Negative Statements or Discontent with the Company

• Trigger Event: HR identifies instances of employees making negative statements about the company, its leadership, or its operations, potentially through personal social media channels, internal communications, or third-party reports. Additionally, such concerns might be raised by managers or colleagues.
• Indicator: Recorded incidents where employees voice dissatisfaction in forums or interactions that may expose vulnerabilities within the company, which may come from colleagues, managers, or HR’s internal channels.
• Response: Immediate referral to investigators for further investigation, including tracking if such sentiments are coupled with any increase in risky behaviors (e.g., accessing sensitive data or systems without authorization).

Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)

• Trigger Event: HR or finance teams notice discrepancies in an employee's personal financial behavior—particularly excessive spending patterns that appear inconsistent with their known salary or financial profile. This could indicate embezzlement, financial mismanagement, or payments from third parties. Such concerns may also be raised by managers or colleagues.
• Indicator: Transactions that show a high degree of personal spending or financial behavior inconsistent with the employee’s compensation, possibly flagged by HR, finance, or colleagues who notice unusual behaviors.
• Response: Referral to investigators for correlation with employee access to financial or sensitive company systems, along with further scrutiny of potential illicit financial transactions. Third-party or whistleblower reports, including from colleagues or managers, may also be investigated as part of a broader risk assessment.

Hearsay and Indirect Reports

• Trigger Event: Anonymous or informal reports—such as rumors or gossip circulating in the workplace—that hint at potential insider threat behaviors. These reports, often from colleagues or managers, may be unsubstantiated, but they still warrant an alert if the volume or credibility of the information increases.
• Indicator: Reports or concerns raised by employees, colleagues, or external parties suggesting that an employee may be engaging in unusual behaviors, such as excessive contact with external vendors, financial irregularities, or internal dissatisfaction.
• Response: Investigators work with HR to assess the situation by cross-referencing any concerns, including those from colleagues or managers, with the employee's activity patterns, communication, and access to sensitive systems.

Implementation Considerations

• Collaboration Framework: A clear and secure protocol for HR, managers, colleagues, and investigators to share critical information regarding employees at risk. This should maintain employee privacy and legal protections, while still enabling timely alerts.
• Confidentiality and Privacy: All information related to personal behavior, health, or financial matters must be handled with sensitivity and in accordance with legal and regulatory frameworks, such as GDPR or local privacy laws.
• Continuous Monitoring: Once flagged, employees should be monitored for any other risk indicators, including changes in data access patterns, unapproved system access, or behavior that correlates with identified risks.

Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters.

Regulation Awareness Training equips staff with the knowledge and understanding required to comply with legal, regulatory, and policy obligations relevant to their roles. This includes, but is not limited to, export controls, international sanctions, anti-bribery laws, conflict-of-interest rules, antitrust regulations, and data protection requirements.

The training should be customized according to the specific risks of different roles within the organization, ensuring that employees in high-risk areas—such as legal, procurement, sales, finance, engineering, and senior management—receive in-depth education on how to recognize and avoid behaviors that could lead to regulatory violations. Scenarios that could result in inadvertent or intentional breaches should be addressed, alongside practical advice on how to report concerns and escalate issues.

To accommodate varying learning styles and operational needs, Regulation Awareness Training can be delivered through multiple formats:

• eLearning Modules: For general staff, to provide flexible, scalable training on compliance topics, which can be completed at the employee's convenience.
• Instructor-led Sessions: For higher-risk roles or senior management, where more interactive, in-depth training may be necessary to address complex regulatory requirements and nuanced decision-making.
• Scenario-based Workshops: To reinforce learning with real-world examples and role-playing exercises that help employees internalize regulatory concepts.

By fostering a culture of compliance and accountability, Regulation Awareness Training helps minimize the risk of breaches, whether intentional or accidental, and strengthens the organization’s ability to identify, prevent, and respond to regulatory infringements.

A subject’s publicly accessible online presence may be examined prior to, or during, their association with the organization through the application of Open Source Intelligence (OSINT) techniques. This form of screening involves the systematic analysis of publicly available digital content—such as social media profiles, posts, comments, blogs, forums, and shared media—to assess potential risks associated with an individual.

Social media screening is typically conducted to identify indicators of reputational risk, conflicting motives, or behavioral patterns that may suggest the potential for insider threat activity. Content of concern may include public expressions of hostility toward the organization, affiliation with extremist or high-risk groups, or engagement with topics unrelated to the subject's role that could indicate potential misuse of access.

Trusted service providers specializing in OSINT and digital risk intelligence may be engaged to perform this screening on behalf of the organization. These providers use automated tools and analyst-driven review processes to ensure consistent, legally compliant, and policy-aligned assessments of online behavior.

When implemented as part of pre-employment screening or ongoing risk monitoring, social media screening can serve as a proactive measure to detect insider threat indicators early. To be effective and ethical, such programs must follow applicable privacy laws, data protection regulations, and internal governance standards. When responsibly executed, social media screening enhances the organization's ability to identify individuals who may present an elevated risk to information security, personnel safety, or corporate reputation.

Google's Chrome browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/

On macOS:

/Users/<Username>/Library/Application Support/Google/Chrome/Default/

On Linux:

/home/<Username>/.config/google-chrome/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

Mozilla's Firefox browser stores the history of accessed websites.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\

On macOS:

/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/

On Linux:

/home/<Username>/.mozilla/firefox/<Profile Name>/

In this location two database files are relevant, places.sqlite (browser history and bookmarks) and favicons.sqlite (favicons for visited websites and bookmarks).
 

These database files can be opened in software such as DB Browser For SQLite.

Social Media Monitoring refers to monitoring social media interactions to identify organizational risks, such as employees disclosing confidential information and making statements that could harm the organization (either directly or through an employment association).