
Insider Threat Refresher: Lean on DHS Guidance to Address This Risk

Mark Freedman |    May 15, 2026


In recent years, the North Korean regime has engaged in an ongoing effort to place North Korean workers as remote employees with U.S. companies. The primary objective of this scheme is to collect wages and funnel that money back to the North Korean government – which is perpetually cash-strapped as a result of international sanctions.

This North Korean operation is a high-profile example of an insider threat, and it highlights two key trends in the evolution of this type of security problem. First, as workforces become more decentralized, it’s harder to know your employees well and to easily spot red flags. Second, an increasingly turbulent geopolitical environment has opened the door to growing state-directed insider threats.

Insider threats span a wide spectrum. At one end is the state-sponsored operative, consciously penetrating an organization with military, intelligence, or criminal aims. At the other is the unwitting, negligent employee who posts something work-related on social media without understanding its sensitivity. The commonality is that the threat actor is someone the organization has already trusted with access.


Building an Insider Threat Program Aligned to DHS Guidance

Insider threats are hard for many organizations to manage. As a result, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) some years ago published a public Insider Threat Mitigation Guide. The lengthy document provides straightforward guidance for organizations building a comprehensive insider threat program that stops insider threats preventively rather than reacting after the fact. Given recent developments and the growing relevance of this threat, now is a good time to revisit this guide.

An effective insider threat program that aligns with CISA’s guidance must collect relevant threat information (e.g., personnel background information, social media posts, reports from staff), analyze it, and act on it. Further, the program needs to employ technology and tools to identify concerning behaviors.

Insider incidents are rarely spontaneous. They are typically preceded by observable behavioral indicators: expressions of grievance, financial stress, sudden changes in work patterns, unusual access requests, or an online presence that reveals radicalization, financial desperation, or contact with foreign actors. The challenge is not that these signals are invisible. It is that organizations lack the processes and tools to collect, organize, and analyze them systematically before harm occurs.


Key Elements of an Effective, Proactive Program

Integrate Information, Analysis, and Response.

Insider threat programs must collect and synthesize a large amount of information from disparate sources. This may include personnel security files and HR records, facility access records, travel records, foreign contact reports, financial disclosure filings, network access and print logs, IT enterprise audits, public records and financial data, user activity monitoring logs, and surveillance video. All of this needs to come together to inform a comprehensive picture of individuals and behaviors that may pose a risk to the organization.

Expand Awareness Beyond Internal Systems.

The CISA guide states clearly, “Organizations should not shy away from comprehensive background checks for fear of perception, legal issues, or union issues, especially those that include viewing a person of concern’s mental health records or public social media profiles.” Expanding the scope of information collection to, for example, an employee’s public social media presence, activity on forums, financial disclosures, and other open-source indicators can surface red flags that internal systems would rarely detect. This includes expressions of grievance, ideological radicalization, contact with foreign nationals, or signs of financial distress.

Ensure Analysis Drives Action.

Collecting and synthesizing information is only valuable if it produces timely, actionable results. When an assessment suggests that a person of concern has the interest, motive, and ability to attempt a harmful act, the security team must be positioned to act, whether that means increasing monitoring, engaging HR or legal counsel, adjusting access privileges, or escalating to law enforcement. The difference between a program that prevents insider incidents and one that merely records them is whether analysis consistently translates into protective decisions.
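The integrate-then-act loop described in the three elements above can be sketched in code. The following is an added illustration, not part of this post and not a tool CISA or any vendor publishes: it pulls constructed sample records from several feeds (HR, file access, print, access requests, foreign-contact reports), reduces them to per-person indicators, corroborates across sources, and maps the result to a response tier. The feed layouts, indicator weights, the 200-page print threshold, the "off hours" window and the tier names are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records standing in for HR, file-access, print, access-request
# and foreign-contact feeds. Person ids, resources and values are made up for this example.
HR_EVENTS = [
    {"person": "u1001", "type": "performance_improvement_plan"},
    {"person": "u1002", "type": "resignation_notice"},
]
FILE_ACCESS = [
    {"person": "u1001", "resource": "share/finance", "ts": "2026-04-05T02:14:00"},
    {"person": "u1001", "resource": "share/finance", "ts": "2026-04-05T02:21:00"},
    {"person": "u1003", "resource": "share/eng", "ts": "2026-04-05T10:00:00"},
]
PRINT_JOBS = [
    {"person": "u1002", "pages": 420, "ts": "2026-04-21T17:40:00"},
    {"person": "u1003", "pages": 12, "ts": "2026-04-21T11:05:00"},
]
ACCESS_REQUESTS = [
    {"person": "u1002", "resource": "share/finance", "role": "finance"},
    {"person": "u1003", "resource": "share/eng", "role": "eng"},
]
FOREIGN_CONTACT_REPORTS = [
    {"person": "u1001", "self_reported": False},
]

SENSITIVE_PREFIXES = ("share/finance",)   # assumed sensitive data stores
ROLE_RESOURCES = {"finance": {"share/finance"}, "eng": {"share/eng"}, "marketing": {"share/marketing"}}
BULK_PRINT_PAGES = 200                    # assumed threshold for a bulk print job

# Assumed per-indicator weights; a real program tunes these with its analysts.
WEIGHTS = {
    "hr:performance_improvement_plan": 2,
    "hr:resignation_notice": 3,
    "access:off_hours_sensitive": 3,
    "print:bulk": 3,
    "request:out_of_role": 2,
    "contact:unreported_foreign": 4,
}

def off_hours(ts: str) -> bool:
    """Assumed off-hours window: before 06:00 or from 21:00."""
    hour = datetime.fromisoformat(ts).hour
    return hour < 6 or hour >= 21

def collect_indicators() -> dict:
    """Build {person: set((source, indicator))}; each indicator counts once per person."""
    people = set()
    found = defaultdict(set)
    for e in HR_EVENTS:
        people.add(e["person"])
        found[e["person"]].add(("hr", f"hr:{e['type']}"))
    for e in FILE_ACCESS:
        people.add(e["person"])
        if e["resource"].startswith(SENSITIVE_PREFIXES) and off_hours(e["ts"]):
            found[e["person"]].add(("access", "access:off_hours_sensitive"))
    for e in PRINT_JOBS:
        people.add(e["person"])
        if e["pages"] >= BULK_PRINT_PAGES:
            found[e["person"]].add(("print", "print:bulk"))
    for e in ACCESS_REQUESTS:
        people.add(e["person"])
        if e["resource"] not in ROLE_RESOURCES.get(e["role"], set()):
            found[e["person"]].add(("request", "request:out_of_role"))
    for e in FOREIGN_CONTACT_REPORTS:
        people.add(e["person"])
        if not e["self_reported"]:
            found[e["person"]].add(("contact", "contact:unreported_foreign"))
    return {p: found[p] for p in people}

def recommend(score: int, n_sources: int) -> str:
    """Map a score to a response tier; the top tier requires corroboration from 2+ sources."""
    if score >= 7 and n_sources >= 2:
        return "restrict_access_and_escalate"
    if score >= 4:
        return "engage_hr_and_legal"
    if score >= 1:
        return "increase_monitoring"
    return "no_action"

def assess() -> dict:
    """Return, per person, the score, the feeds that contributed, and the recommended action."""
    result = {}
    for person, inds in collect_indicators().items():
        score = sum(WEIGHTS[i] for _, i in inds)
        sources = {s for s, _ in inds}
        result[person] = {
            "score": score,
            "sources": sorted(sources),
            "indicators": sorted(i for _, i in inds),
            "action": recommend(score, len(sources)),
        }
    return result

if __name__ == "__main__":
    for person, r in sorted(assess().items()):
        print(person, r["score"], r["action"], r["indicators"])
```

Two design points matter more than the particular weights. Each indicator is counted once per person, so a burst of repeated log lines does not inflate a score on its own, and the highest response tier is reachable only when indicators come from at least two independent feeds, which is the "connect disparate indicators" step the guide calls for rather than reacting to a single alert.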


The Wrap-Up

Insider threats are no longer limited to isolated bad actors or disgruntled employees. They are increasingly tied to broader geopolitical tensions, remote work environments, and sophisticated state-sponsored campaigns that exploit the trust organizations place in their people. The good news is that organizations do not need to start from scratch. CISA’s Insider Threat Mitigation Guide provides a practical framework for building a proactive program grounded in information collection, behavioral analysis, and coordinated response. The organizations best positioned to manage this evolving risk will be those that move beyond reactive investigations and instead develop the ability to identify warning signs early, connect disparate indicators, and act before an incident escalates into real harm.


Mark Freedman, Principal & CEO, Rebel Global Security

Mark Freedman is Principal and CEO of Rebel Global Security and was formerly the Chief of Staff for the U.S. Department of State’s Counterterrorism Bureau. This post is part of Liferaft and Rebel’s collaborative work to analyze the evolving global threat environment and provide critical insights to private sector and government clients.