Preventions
- Home
- - Preventions
- -PV052
- ID: PV052
- Created: 23rd April 2025
- Updated: 24th April 2025
- Contributor: The ITM Team
Criminal Background Checks
A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.
Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.
This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.
Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity.
Sections
ID | Name | Description |
---|---|---|
MT001 | Joiner | A subject joins the organisation with the pre-formed intent to gain access to sensitive data or otherwise contravene internal policies. |
MT021 | Conflicts of Interest | A subject may be motivated by personal, financial, or professional interests that directly conflict with their duties and obligations to the organization. This inherent conflict of interest can lead the subject to engage in actions that compromise the organization’s values, objectives, or legal standing.
For instance, a subject who serves as a senior procurement officer at a company may have a financial stake in a vendor company that is bidding for a contract. Despite knowing that the vendor's offer is subpar or overpriced, the subject might influence the decision-making process to favor that vendor, as it directly benefits their personal financial interests. This conflict of interest could lead to awarding the contract in a way that harms the organization, such as incurring higher costs, receiving lower-quality goods or services, or violating anti-corruption regulations.
The presence of a conflict of interest can create a situation where the subject makes decisions that intentionally or unintentionally harm the organization, such as promoting anti-competitive actions, distorting market outcomes, or violating regulatory frameworks. While the subject’s actions may be hidden behind professional duties, the conflict itself acts as the driving force behind unethical or illegal behavior. These infringements can have far-reaching consequences, including legal ramifications, financial penalties, and damage to the organization’s reputation. |
MT017 | Espionage | A subject carries out covert actions, such as the collection of confidential or classified information, for the strategic advantage of a nation-state. |
MT020 | Ideology | A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.
Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.
Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves. |
MT013 | Misapprehension or Delusion | A subject accesses and exfiltrates of destroys sensitive data or otherwise contravenes internal policies as a result of motives not grounded in reality. |
MT002 | Mover | A subject moves within the organisation to a different team with the intent to gain access to sensitive data or to circumvent controls or to otherwise contravene internal policies. |
MT004 | Political or Philosophical Beliefs | A subject is motivated by their political or philosophical beliefs to access and destroy or exfiltrate sensitive data or otherwise contravene internal policies. |
MT007 | Resentment | A subject is motivated by resentment towards the organisation to access and exfiltrate or destroy data or otherwise contravene internal policies. |
MT019 | Rogue Nationalism | A subject, driven by excessive pride in their nation, country, or region, undertakes actions that harm an organization. These actions are self-initiated and conducted unilaterally, without instruction or influence from legitimate authorities within their nation, country, region, or any other third party. The subject often perceives their actions as acts of loyalty or as benefiting their homeland.
While the subject may believe they are acting in their nation’s best interest, their actions frequently lack strategic foresight and can result in significant damage to the organization. |
MT006 | Third Party Collusion Motivated by Personal Gain | A subject is recruited by a third party to access and exfiltrate or destroy sensitive data or otherwise contravene internal policies for in exchange for a personal gain. |
MT018 | Curiosity | A subject, motivated solely by personal curiosity, may take actions that unintentionally cause or risk harm to an organization. For example, they might install unauthorized software to experiment with its features or explore a network-attached storage (NAS) device without proper authorization. |
IF015 | Theft | A subject steals an item or items belonging to an organization, such as a corporate laptop or corporate mobile phone. |
MT022 | Boundary Testing | The subject deliberately pushes or tests organizational policies, rules, or controls to assess tolerance levels, detect oversight gaps, or gain a sense of impunity. While initial actions may appear minor or exploratory, boundary testing serves as a psychological and operational precursor to more serious misconduct.
Characteristics
Example ScenarioA subject repeatedly circumvents minor IT security controls (e.g., bypassing content filters, using personal devices against policy) without immediate consequences. Encouraged by the lack of enforcement, the subject later undertakes unauthorized data transfers, rationalizing the behavior based on perceived inefficiencies and low risk of detection. |
IF022.004 | Payment Card Data Leakage | A subject with access to payment environments or transactional data may deliberately or inadvertently leak sensitive payment card information. Payment Card Data Leakage refers to the unauthorized exposure, transmission, or exfiltration of data governed by the Payment Card Industry Data Security Standard (PCI DSS). This includes both Cardholder Data (CHD)—such as the Primary Account Number (PAN), cardholder name, expiration date, and service code—and Sensitive Authentication Data (SAD), which encompasses full track data, card verification values (e.g., CVV2, CVC2, CID), and PIN-related information.
Subjects with privileged, technical, or unsupervised access to point-of-sale systems, payment gateways, backend databases, or log repositories may mishandle or deliberately exfiltrate CHD or SAD. In some scenarios, insiders may exploit access to system-level data stores, intercept transactional payloads, or scrape logs that improperly store SAD in violation of PCI DSS mandates. This may include exporting payment data in plaintext, capturing full card data from logs, or replicating data to unmonitored environments for later retrieval.
Weak controls, such as the absence of data encryption, improper tokenization of PANs, misconfigured retention policies, or lack of field-level access restrictions, can facilitate misuse by insiders. In some cases, access may be shared or escalated informally, bypassing formal entitlement reviews or just-in-time provisioning protocols. These gaps in security can be manipulated by a subject seeking to leak or profit from payment card data.
Insiders may also use legitimate business tools—such as reporting platforms or data exports—to intentionally bypass obfuscation mechanisms or deliver raw payment data to unauthorized recipients. Additionally, compromised service accounts or insider-created backdoors can provide long-term persistence for continued exfiltration of sensitive data.
Data loss involving CHD or SAD often trigger mandatory breach disclosures, regulatory scrutiny, and severe financial penalties. They also pose reputational risks, particularly when data loss undermines consumer trust or payment processing agreements. In high-volume environments, even small-scale leaks can result in widespread exposure of customer data and fraud. |
IF022.001 | Intellectual Property Theft | A subject misappropriates, discloses, or exploits proprietary information, trade secrets, creative works, or internally developed knowledge obtained through their role within the organization. This form of data loss typically involves the unauthorized transfer or use of intellectual assets—such as source code, engineering designs, research data, algorithms, product roadmaps, marketing strategies, or proprietary business processes—without the organization's consent.
Intellectual property theft can occur during employment or around the time of offboarding, and may involve methods such as unauthorized file transfers, use of personal storage devices, cloud synchronization, or improper sharing with third parties. The consequences can include competitive disadvantage, breach of contractual obligations, and significant legal and reputational harm. |
IF022.002 | PII Leakage (Personally Identifiable Information) | PII (Personally Identifiable Information) leakage refers to the unauthorized disclosure, exposure, or mishandling of information that can be used to identify an individual, such as names, addresses, phone numbers, national identification numbers, financial data, or biometric records. In the context of insider threat, PII leakage may occur through negligence, misconfiguration, policy violations, or malicious intent.
Insiders may leak PII by sending unencrypted spreadsheets via email, exporting user records from customer databases, misusing access to HR systems, or storing sensitive personal data in unsecured locations (e.g., shared drives or cloud storage without proper access controls). In some cases, PII may be leaked unintentionally through logs, collaboration platforms, or default settings that fail to mask sensitive fields.
The consequences of PII leakage can be severe—impacting individuals through identity theft or financial fraud, and exposing organizations to legal penalties, reputational harm, and regulatory sanctions under frameworks such as GDPR, CCPA, or HIPAA.
Examples of Infringement:
|
IF022.003 | PHI Leakage (Protected Health Information) | PHI Leakage refers to the unauthorized, accidental, or malicious exposure, disclosure, or loss of Protected Health Information (PHI) by a healthcare provider, health plan, healthcare clearinghouse (collectively, "covered entities"), or their business associates. Under the Health Insurance Portability and Accountability Act (HIPAA) in the United States, PHI is defined as any information that pertains to an individual’s physical or mental health, healthcare services, or payment for those services that can be used to identify the individual. This includes medical records, treatment history, diagnosis, test results, and payment details.
HIPAA imposes strict regulations on how PHI must be handled, stored, and transmitted to ensure that individuals' health information remains confidential and secure. The Privacy Rule within HIPAA outlines standards for the protection of PHI, while the Security Rule mandates safeguards for electronic PHI (ePHI), including access controls, encryption, and audit controls. Any unauthorized access, improper sharing, or accidental exposure of PHI constitutes a breach under HIPAA, which can result in significant civil and criminal penalties, depending on the severity and nature of the violation.
In addition to HIPAA, other countries have established similar protections for PHI. For example, the General Data Protection Regulation (GDPR) in the European Union protects personal health data as part of its broader data protection laws. Similarly, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs the collection, use, and disclosure of personal health information by private-sector organizations. Australia also has regulations under the Privacy Act 1988 and the Health Records Act 2001, which enforce stringent rules for the handling of health-related personal data.
This infringement occurs when an insider—whether maliciously or through negligence—exposes PHI in violation of privacy laws, organizational policies, or security protocols. Such breaches can involve unauthorized access to health records, improper sharing of medical information, or accidental exposure of sensitive health data. These breaches may result in severe legal, financial, and reputational consequences for the healthcare organization, including penalties, lawsuits, and loss of trust.
Examples of Infringement:
|
ME024.003 | Access to Critical Environments (Production and Pre-Production) | Subjects with access to production and pre-production environments—whether as users, developers, or administrators—hold the potential to exploit or compromise highly sensitive organizational assets. Production environments, which host live applications and databases, are critical to business operations and often contain real-time data, including proprietary business information and personally identifiable information (PII). A subject with access to these systems can manipulate operational processes, exfiltrate sensitive data, introduce malicious code, or degrade system performance.
Pre-production environments, used for testing, staging, and development, often replicate production systems, though they may contain anonymized or less protected data. Despite this, pre-production environments can still house sensitive configurations, APIs, and testing data that can be exploited. A subject with access to these environments may uncover system vulnerabilities, access sensitive credentials, or introduce code that could be escalated into the production environment.
In both environments, privileged access provides a direct pathway to the underlying infrastructure, system configurations, logs, and application code. For example, administrative access allows manipulation of security policies, user permissions, and system-level access controls. Similarly, access to development environments can provide insights into source code, configuration management, and test data—all of which could be leveraged to further insider activity.
Subjects with privileged access to critical environments are positioned not only to exploit system vulnerabilities or bypass security controls but also to become targets for recruitment by external actors seeking unauthorized access to sensitive information. These individuals may be approached or coerced to intentionally compromise the environment, escalate privileges, or exfiltrate data on behalf of malicious third parties.
Given the sensitivity of these environments, subjects with privileged access represent a significant insider threat to the integrity of the organization's systems and data. Their position allows them to manipulate or exfiltrate sensitive information, either independently or in collaboration with external actors. The risk is further amplified as these individuals may be vulnerable to recruitment or coercion, making them potential participants in malicious activities that compromise organizational security. As insiders, their knowledge and access make them a critical point of concern for both data protection and operational security. |
ME024.004 | Access to Physical Hardware | Subjects with physical access to critical hardware—such as data center infrastructure, on-premises servers, network appliances, storage arrays, or specialized equipment like CCTV and alarm systems—represent a significant insider threat due to their ability to bypass logical controls and interact directly with systems. This level of access can facilitate a wide range of security compromises, many of which are difficult to detect through conventional digital monitoring.
Physical access may also include proximity to sensitive areas such as network closets, on-premises server racks, backup repositories, or control systems in operational technology (OT) environments. In high-security settings, even brief unsupervised access can be exploited to compromise system integrity or enable ongoing unauthorized access.
With this type of access, a subject can:
In operational environments, subjects with access to physical control systems (e.g., ICS/SCADA components, industrial HMIs, or IoT gateways) may alter processes, cause service disruptions, or create safety hazards. Similarly, access to CCTV or badge systems may allow them to erase footage, monitor employee movements, or manipulate access control logs.
Subjects with this form of access represent an elevated risk, especially when combined with technical knowledge or administrative privileges. The risk is compounded in environments with limited physical security controls, inadequate logging of physical entry, or weak segmentation between physical and digital assets. |
ME024.001 | Access to Customer Data | A subject with access to customer data holds the ability to view, retrieve, or manipulate personally identifiable information (PII), account details, transactional records, or support communications. This level of access is common in roles such as customer service, technical support, sales, marketing, and IT administration. Access to customer data can become a means of insider activity when misused for purposes such as identity theft, fraud, data exfiltration, competitive intelligence, or unauthorized profiling. The sensitivity and volume of customer information available may significantly elevate the risk profile of the subject, especially when this access is unmonitored, overly broad, or lacks audit controls.
In some cases, subjects with customer data access may also be targeted by external threat actors for coercion or recruitment, given their ability to obtain regulated or high-value personal information. Organizations must consider how customer data is segmented, logged, and monitored to reduce exposure and detect misuse. |
MT005.002 | Corporate Espionage | A third party private organization deploys an individual to a target organization to covertly steal confidential or classified information or gain strategic access for its own benefit. |
MT005.003 | Financial Desperation | A subject facing financial difficulties attempts to resolve their situation by exploiting their access to or knowledge of the organization. This may involve selling access or information to a third party or conspiring with others to cause harm to the organization for financial gain. |
MT005.001 | Speculative Corporate Espionage | A subject covertly collects confidential or classified information, or gains access, with the intent to sell it to a third party private organization. |
IF012.002 | Statements On Personal Social Media | A subject uses personal social media accounts to post statements or other media that can result in brand damage through association between the subject and their employer. |
IF012.001 | Statements On Organization's Social Media | A subject uses existing access to social media accounts owned by the organization to post statements or other media that can result in brand damage. |
IF016.001 | Misuse of a Corporate Card | A subject may misuse a corporate credit for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use. |
IF016.006 | Creation of Fictitious Invoices | A subject with access to a billing system or indirect access to a billing system misuses their access to create fraudulent invoices, causing payments to be diverted to themselves, a business they own, or a third party. |
IF016.007 | Excessive Overtime | A subject that self reports hours worked, and/or is eligible to claim overtime or an individual responsible for reporting such working time may falsify time records or make false representations to a working time system to cause payment or time in lieu for unperformed work. |
IF016.004 | Insider Trading | A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company. |
IF016.005 | Modification of Invoices | A subject with access to a billing system or indirect access to a billing system misuses their access to modify existing invoices, causing payments to be diverted to themselves, a business they own, or a third party. |
IF016.002 | Unauthorized Bank Transfers | A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party. |
IF015.004 | Theft of Non-Digital Assets | A subject steals non-digital assets, such as physical documents, belonging to an organization. |
IF015.003 | Theft of Other Digital Assets | A subject steals other digital assets, such as monitors, hard drives, or peripherals, belonging to an organization. |
IF015.002 | Theft of a Corporate Mobile Phone | A subject steals a corporate mobile phone belonging to an organization. |
IF015.001 | Theft of a Corporate Laptop | A subject steals a corporate laptop belonging to an organization. |
References
- https://www.gov.uk/criminal-record-checks-apply-role
- https://www.fbi.gov/how-we-can-help-you/more-fbi-services-and-information/identity-history-summary-checks
- https://commission.europa.eu/law/cross-border-cases/judicial-cooperation/tools-judicial-cooperation/european-criminal-records-information-system-ecris_en