We were thrilled to have Beth Cartier join us on “A Little Privacy, Please!” Beth is a longtime cybersecurity leader, former CSO, and now a principal at Control Risks. She has spent more than 15 years in incident response and emerging tech, and she also teaches at Columbia University.
Our latest episode explored what insider threats look like today and how organizations can effectively address them. Beth has seen insider risk from every angle, and she brings the kind of practical, real‑world perspective that makes this topic come alive.
What do modern insider threats look like? What trends should organizations watch for?
Insider threat is misusing legitimate access, and that’s what makes it so hard. People need access to do their jobs, so you can’t just cut it off. And it doesn’t look like the stereotypical guy in a hoodie in his mother’s basement. It can be executives, IT staff, sales teams—really anyone.
Right now, we’re seeing a lot of data theft because it’s just so easy. Uploading files to cloud storage or emailing them to yourself takes seconds, and people sometimes don’t even realize the data isn’t “theirs.”
Motivations vary, but financial drivers are big. Economic uncertainty, fear of layoffs, and the idea that AI might replace their jobs all play into it. These aren’t always “bad people,” but they may be scared or trying to protect themselves and doing harmful things in the process.
Who should own insider threat governance, and how should organizations structure it?
Every company is different, but this has to be cross‑functional. HR, legal, IT, and security all play a role. Early in my career, HR drove an insider threat program because the head of HR had the initiative and the influence to make it happen.
Legal must be closely involved because of all the privacy, monitoring, and employment issues. HR needs visibility on the personnel side. IT and security understand technical controls. Physical security can be important too—badge access and building entry patterns matter.
A lot of this is pattern recognition. One team might see unusual technical activity; another might know an employee is making threatening calls. If those teams operate in silos, the organization will not connect the dots. You need someone accountable for coordinating all these moving parts.
What mistakes do companies make during employee off‑boarding that increase insider‑risk exposure?
The biggest issue is not understanding employee access. Identity and access management used to be the “take out the trash” job in security—boring and ignored. But with the cloud, it’s the backbone of proving identity and controlling data.
During terminations, especially involuntary ones, companies often lack good monitoring or don’t cut off access quickly enough. If you fire someone at 10:00 am, and their access stays live until 5:00 pm, that’s seven hours of an angry, hurt person with full privileges. That’s dangerous.
Organizations also miss third‑party access—all the SaaS tools and shadow IT that aren’t tied to single sign‑on. And insider incidents can involve collusion. If the terminated employee’s best friend still works there and is scared they might be next, they may help the person get back in through internal systems.
Effective off‑boarding really depends on understanding access throughout the employee lifecycle, not just on their last day.
What are the first steps organizations should take to strengthen insider threat readiness?
Step one is admitting it’s a real issue. People have different motivations than you expect.
Step two is building that cross‑functional team—HR, legal, security, IT—and understanding what data insiders might go after and who has access to it.
You don’t have to spend a fortune. Start by making sure you’re using the tools you already have. Bring HR and legal into the conversation early. Ensure employees have signed acceptable‑use and monitoring agreements so you have the legal basis to act. And remember: a corporate computer is a corporate computer—people still forget that.


