Building a secure workforce: guarding against the insider threat 2

19 July 2010

In an earlier article, I wrote about how businesses can reduce the risk from the insider threat in ways which could also be seen as directly beneficial to employees.

These included training and rewards, employee support and better management. Some of the ideas in this article might seem less positive from the employee's perspective, but they can be valuable tools for a business seeking to reduce its vulnerability to disloyal or unreliable employees.
First principles – again
Even more so than the proposals in the last article, these ideas need to be implemented with good communication, transparency and employee co-operation. They are more likely to be greeted with suspicion by employees, yet good security, like good safety, benefits everybody in an organisation. Implementing any of these arrangements should involve HR, staff representatives and legal advice to consider aspects which might seem intrusive or discriminatory.
More first steps
Not all staff in all jobs pose the same risk to an employer. Imposing blanket arrangements across an organisation can be wasteful and inefficient. A good first step is to carry out a risk assessment to identify which roles offer the greatest potential for damage. In responding to the risk assessment, remember that the mitigation does not necessarily have to be people-based. For example, physical or electronic controls can greatly reduce the risk from staff gaining unnecessary access to valuable assets or information.
A rationalisation frequently offered by staff who breach security is that nobody notices anyway and that security is not taken seriously in the workplace. As a precursor to implementing personnel (and other) security arrangements, it is worth carrying out a review of the security culture of your organisation. This will reveal what staff think about the security regime that is in place: whether they think it is taken seriously or is something to be worked around; whether there is tension between security and their delivery targets; and whether management appears committed to it or not.
Risk assessments and security culture reviews are often best undertaken by someone outside the organisation, because staff and managers have more confidence in their rigour, objectivity and anonymity.
Avoiding the insider in the first place
After many incidents in which employees have been discovered to have been involved in damaging activities, colleagues and managers remark that it has come as no surprise to them. People will say that they always had misgivings about the insider who never really fitted in. Those involved in recruitment might say that the errant employee was recruited for technical competence despite misgivings about their personal profile.
Of course, employers need to avoid charges of discrimination. Diversity can be a real organisational strength. But there are indicators of risk that should be avoided, just as there are personal qualities that can mitigate the insider threat. The latter include integrity, self-restraint, teamwork, responsiveness to constructive criticism and the ability to express rather than withhold frustration. Some organisations claim success in using personality profiling in recruitment to avoid hiring people who will clash with their culture and exacerbate the insider threat. Such tools need to be carefully designed and skilfully deployed.
Using the workforce as a security monitor
After someone has been found to have damaged their organisation or to have been involved in criminality, colleagues and managers will often voice long-standing suspicions that they were up to no good. At the same time, they will admit to not having reported their concerns earlier, either because they were uncomfortable doing so or because there was no identifiable reporting channel they regarded as trustworthy.
This is in contrast to managing safety in organisations, where there is often a well-established process for staff to report colleagues who take unnecessary risks, breach safety rules or behave in a way that poses a danger to others. Such reporting is culturally acceptable and is facilitated by good communication channels which can protect the identity of the person making the report.
Organisations should consider replicating these arrangements as part of their security response to the insider threat. The organised use of the workforce as the eyes and ears of security is an innovative idea which some may consider controversial. Formal reporting channels can be augmented with technology or security hotlines. Anonymity needs to be protected and the response to reports needs to be managed carefully. Few organisations have yet achieved it, but moving your workforce from being security aware to being able to recognise and refer suspicious behaviour could make a big difference in reducing the risk from untrustworthy or unreliable insiders.
Steve Cummings, Special Adviser, Security & Privacy, Deloitte and Touche LLP