A new study of nearly 100,000 employees working for Fortune 100 firms has found that people who have been with a company between 4 and 15 years present the highest risk profile. The analysis was conducted by Endera and involved continuous monitoring of publicly available criminal and civil records over a 13-month period to evaluate insider threat risk levels. Employees in the 4 to 15 year tenure group produced more risk alerts than any other group for both criminal and civil life stressors.
The study results have also been corroborated by conversations with senior HR and security professionals who say they have seen similar patterns in their own internal data. The primary reason that the 4 to 15 year tenure group is riskier is that people change over time, and the person in the office today may not be the same person who passed the hiring process 4 years ago.
The 4 to 15 year tenure range also frequently overlaps with the 35 to 45 year age group, a time when people frequently reevaluate their lives and question both their professional and personal choices. A recent Intelligence and National Security Alliance (INSA) paper notes that “Simultaneous marital and professional stress creates major psychological vulnerabilities”, and these vulnerabilities increase the likelihood of poor choices and risky behavior. The entire INSA paper is worth the time to read and is located here: https://www.insaonline.org/wp-content/uploads/2017/04/INSA_WP_Mind_Insider_FIN.pdf
It’s important for security professionals to recognize the risk presented by employees in the 4 to 15 year tenure range. A person who exhibits risky behavior once is 5x more likely to repeat risky behavior, and often the seriousness of the behavior increases over time. Also, employees who know that they have issues that would appear in a pre-hire background check are likely to remain with their current employer rather than risk a pre-hire screening process at a new company. As a result, companies accumulate and retain a population of high-risk employees over time.
It may sound counter-intuitive, but the key takeaway for security professionals is that 4 years of issue-free service to a company may make an employee more of a threat, not less.