Building a Secure Workforce: Guarding against the insider threat

22 March 2010

Some years ago, when I was a Head of Personnel, I used to cringe inwardly when I heard colleagues say "our people are our most important asset". Of course, I recognised the truth in what they were saying but the phrase itself seemed to have become a dreadful cliché (often used by managers who behaved as if nothing could be further from the truth).

Nevertheless, one of the benefits of organisations recognising the critical importance of their employees was that some put arrangements in place to ensure the resilience of their workforce in response to external risks such as chronic fuel shortages, bad weather or potential pandemics.

More recently, employers have recognised that the people who make up their workforce can themselves pose an internal risk if they take actions aimed at damaging the organisation, furthering their own position at their employer's expense or helping "enemies" on the outside. This awareness of the "insider threat" has grown in response to well publicised cases; research showing that while external "attacks" are more frequent, insider attacks have greater impact; and concern that in a time of economic uncertainty, employee loyalty diminishes.

Businesses are increasingly looking for ways to mitigate the risk from the insider threat. This article considers how some of the steps taken by employers to enhance personnel security can also be of direct benefit to employees.

First Principles: In implementing personnel security arrangements, organisations should recognise a few first principles. Done badly, actions intended to improve personnel security can do real damage to employee relations, reducing trust between workforce and employer and potentially increasing the insider threat. Good communication, employee engagement and transparency are essential. Of course, whatever steps an employer takes must be legal and respect the rights of employees. And personnel security cannot be the preserve of the security team. It has to involve HR, line managers and supervisors, and, most important of all, employees themselves.

First Steps: When designing the personnel security arrangements for their organisation, the first thing an employer should do is to undertake a risk assessment to identify the different risks posed by different roles. This will help avoid a one-size-fits-all approach, which can be over-engineered, disproportionate and expensive.

Most employers already recognise the need for some kind of screening, checking or vetting of potential employees to ensure they have both the identity and integrity they claim. This continues to be an important first step in effective personnel security, but organisations need to avoid thinking "job done" at this point. People change, jobs change and loyalties shift, so arrangements for effective ongoing personnel security management are essential.

Personnel Security and Employee Benefits: Some arrangements implemented to enhance personnel security can be of direct benefit to employees. The most obvious of these is training.

At a basic level, employees cannot be blamed for breaching security practices in which they have been inadequately trained in the first place. Good basic security training is essential but employers need to go further. For example, staff with access to sensitive information need to understand why the information is important and why it needs careful handling. Ironically from the vulnerability perspective, they need to understand the impact of such information being mishandled and the crucial role they play in ensuring this does not happen.

Security training needs to be dynamic, taking into account changes in the threat environment. Staff awareness needs to be maintained and enhanced if their own circumstances change. For example, employees deployed abroad might need specific awareness raising and special training in how to avoid compromise in unfamiliar situations.

Training should also be part of the considered response when employees breach security, if the action is a consequence of ignorance or incompetence rather than malicious intent. This will encourage self-reporting or reporting by others.

Another way in which employees can benefit from personnel security arrangements is by making "secure behaviour" an explicit competence in the performance management system. Employees who consistently demonstrate a good track record should be rewarded and remunerated; one-off successes should receive a bonus or at least a word of recognition from the boss. Those who are slap-dash or dismissive about security should be penalised.

Many cases of "the insider threat" involve individuals undergoing some kind of personal crisis. It might be financial, emotional or motivational. Although not usually perceived as part of an organisation's security arrangements, the provision of an Employee Assistance Programme can have direct benefit in mitigating the risk from insiders. Through offering guidance and support to employees with personal problems, such a programme can interrupt the forward motion of a potential insider who might see theft, fraud or information compromise as part of the solution.

Equally important, if an organisation is to prevent employees undergoing a personal crisis from becoming an insider threat, is the ability of managers or supervisors to recognise and respond to the problems as they develop. This can depend on the effectiveness of the relationship between line management, HR and security. It will also be affected by the training and competence of managers and by the demands they face.

One organisation I worked with, which was particularly effective in its personnel security management, actually reduced the management span of team leaders in a critical area so that they would more readily spot employees with personal problems and take action before they developed into a security issue. The added assurance far outweighed the added cost.

Steve Cummings, Special Adviser to Deloitte's Security, Privacy and Resilience Practice
