top of page

Leadership, Trust, and Risk Management:Safeguarding Organizations from Insider Threats

This article is inspired by NPSA (the National Protective Security Authority - https://www.npsa.gov.uk/ ).

 

Unlocking the Keys to Insider Risk Mitigation: through a comprehensive discussion of Role-Based Risk Assessment (RBRA)" this article delves into the critical role of effective risk management within an organization's Insider Mitigation Program. The article explores the learning objectives, methodologies, and key steps recommended by the National Protective Security Agency (NPSA) to fortify an organization against insider threats. It emphasizes the importance of identifying and categorizing critical assets, understanding threats, and implementing specific security measures, including the RBRA. With a focus on opportunity, prioritization, and mitigations, the article offers practical insights into developing a robust RBRA strategy, ensuring ongoing personnel security, and safeguarding against insider risks.

 

It is emphasized that the contents of the article are not used to profile or discriminate against individuals. Care should be taken not to rely solely on statistics for insider profiling.

 

Who is an insider?

 

NPSA defines an insider as 'A person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes'.

 

Three main types of insiders are identified:


 


1.     Deliberate insider - someone who obtains employment with the deliberate intent of abusing their access.

2.     Volunteer or self-initiated insider - someone who obtains employment without deliberate intent to abuse their access but at some point, decides to do so.

3.     Recruited or exploited insider - someone who obtains employment without deliberate intent to abuse their access but at some point, is exploited or recruited by a third party to do so.


The NPSA also talks of 2 sub groups:

a)       Unwitting insider – an individual who is manipulated by a third party, or who engaged in poor security practices, which he is unaware assists a malicious third party.

b)     Disgruntled ex-employee - particularly the employee who did not leave on the best of terms. He may retain access to your organisation and will have knowledge that would be of interest to third parties.

 

What harm can an insider do?

Insiders can pose various threats, leading to physical harm (to colleagues, to the public), reputational damage, and financial loss for organizations.

 

Who can use an insider?

Potential actors utilizing insiders include terrorist organizations, hostile state actors, commercial competitors, single-issue groups, organized crime groups, and the media.

 

What are the types of insider incidents?

Insider incidents are categorized into facilitation of unauthorized access, unauthorized information disclosure, process corruption, physical or electronic sabotage, and theft.

 

The most common insider activities are the unauthorized disclosure of sensitive information and process corruption, often related to fraud.

 

What is the motivation behind insider acts?

Motivations for insider acts are complex, involving primary and secondary motives, with workplace disaffection playing a significant role.

 

Recognizing predictive behaviors is crucial for early intervention. Conditions contributing to insider risks are divided into three categories:



 

  • Personality traits (e.g., immaturity, low self-esteem)

  • Lifestyle and circumstances (exploitable/vulnerable profiles, poor work attitude), and

  • Behaviors of concern (unauthorized handling of sensitive material, security violations)


What role do Leadership and Governance play in managing insider risks?

 

Losing trust in the leadership or the leadership’s capability to lead is one of the main causes for an employee turning into an insider or falling trap with someone who may like them to turn into an insider.


Perhaps the ‘people risk’ has not been understood well, and hence not managed well. It is recommended that there is a person at the top to account for ‘people risks’ one of which is ‘insider threat.’


The employees want to see their management ‘walking the talk’ during BAU (business as usual) and more so during the crises. E.g. when they see that the management does not evacuate during drills – they start losing trust. Or when the employees see that their management did not manage the crisis well, they start losing trust in them.


Disaffection and poor management practices contribute to insider risks.

Dissatisfaction and disengagement may lead employees to commit insider acts, seeking personal benefit or revenge against employers.


So, the management can take a few steps to preserve or regain that trust of the employees:

  • Developing a Vision After the Crisis: Leadership should create a clear vision for the future, using "Cognitive bridging" to transition from an untenable present to a new, potentially unknown future. Communication should be open, honest, consistent, and respectful.

  • Understanding Personal Emotions: Organizations should acknowledge and consider employees' emotional responses triggered by disruption, providing time and space for sharing emotions and supporting those affected emotionally.

  • Collective Decisions: Leadership should involve employees in decision-making processes to reduce their sense of vulnerability, offering a sense of personal control amid changes.

 

Management should be perceived as supportive and protective "guardians" or "stewards" of the organization during disruption, rather than primarily as "change agents."

 

Insider Risk Assessment

 

Key Steps in Insider Risk Assessment include:



  • Identify Critical Assets: Recognize assets and systems critical for effective operations or of specific organizational value.

  • Engage Stakeholder Group: Involve a suitable organization-wide stakeholder group with specialist insight to support the identification of critical assets.

  • Categorize Critical Assets: Categorize critical assets based on their level of criticality to the business.

  • Identify Threats: Identify threats to the organization's critical assets, specifically focusing on insider risk in this module.

  • Understand Threat vs. Risk: Differentiate between "threat" (intent and capability) and "risk" (impact and likelihood) and how they inform the insider risk assessment.

  • Assess Vulnerability: Assess vulnerabilities in the organization's systems and processes that could be exploited by threat actors.

  • Gather Threat Information: Obtain threat advice from reliable sources to inform the assessment of threats with potential damage to the organization.

  • Develop Security Risks: Develop specific and detailed security risks for effective prioritization.

 

What is Role Based Risk Assessment (RBRA)?

The basic principle is that a person may pose specific risks due to the role he/ she plays in the organization e.g. a database administrator may have write /delete access to all employees’ data, or the CEO may have powers to override someone else's.

RBRA is based on three key principles:



 

  1. Opportunity: Identify roles with access to critical assets and assess vulnerabilities. Focus on roles, not individuals.

  2. Prioritization: Consider likelihood and impact for prioritizing risks. Assess circumstances and potential impact.

  3. Mitigations: Implement legal and proportionate measures to reduce insider risks. Consider a comprehensive approach, including physical, cyber, and personnel security measures.


Some of the mitigations may be:

  • Security Education & Training (which includes shaping an organisation’s security culture through shaping priority behaviours of its workforce)

  • Physical & Technical Control Measures

  • Employee Screening & Vetting

  • Monitoring and Review (covering human as well as technical) and

  • Effective security communications across the workforce.


The output of RBRA is also a Risk Register that should have all information starting from identification through to mitigations, assumptions, and decisions etc. Like any other risk assessment, RBRA is also a continued process, and the risk register needs to be reviewed and maintained.

 

The role a person plays in an organization can be exploited for negative outcomes, hence RBRA is discussed in this article.

 

Why is Employee Screening important?

Employee screening is fundamental for good personnel security. It aims to confirm identity, verify credentials, and test character to identify potential security concerns.

It is recommended to have a Pre-Employment Screening Policy. The checks (number and depth) will be based on the role's risk level and potential for harm.


Clear policies should be in writing, emphasizing thorough pre-employment screening to deter malicious insider acts.

 

What checks are performed in pre-employment screening?

Pre-Employment Screening prevents insiders from entering the organization by verifying the following records:

  • legal entitlement to work

  • skills

  • career references

  • criminal records

  • employment history

  • financial history

  • overseas checks

  • documents (passport, visa, proof of residence etc.)

  • social media


Repeat screening may be necessary during employment based on changes in roles and responsibilities.


The overarching theme is the importance of comprehensive and proportionate employment screening to mitigate insider risks, ensure legal compliance, and protect the organization's assets and reputation.

 

Why is Ongoing Personnel Security important?

Ongoing security measures are crucial as pre-employment screening cannot predict future behavior.


Reasons for ongoing security include the evolving nature of individuals, changes in attitudes, and increasing opportunities for harm as staff move into trusted roles.

Longevity of employment also does not guarantee loyalty.

Diverse countermeasures are necessary to mitigate the unpredictable nature of insiders.


Effective measures include a strong security culture, clear personnel security policies, robust monitoring, investigative procedures, security awareness training, and good induction and exit procedures.


Endorsement from organizational seniors is essential for an effective security posture.

The induction is a key entry point to establish security perceptions and expectations. Security messages during induction should focus on the first 12 months of the employee lifecycle.


All employees should participate in security training and awareness programs. Managers play a key role in influencing staff behaviors and detecting early signs of disaffection.


Managers should reduce disaffection, promote good security behavior, and address staff concerns.


Ongoing interest in employees is crucial for effective personnel security.

Personality traits, lifestyle vulnerabilities, and workplace behaviors can be indicators. If someone becomes too quiet or too vocal – please take it as an indication of disaffection or dissatisfaction.


Early management intervention based on these indicators can prevent insider acts.

Employee Satisfaction Surveys become completely ineffective if results, actions, and results of those actions are not shared back with employees. This may then lead to disaffection and dissatisfaction.

 

What are Reporting Mechanisms?

Organisations should establish effective reporting mechanisms for employees to report concerns about security or unusual behavior.


People may hesitate to report about an insider act or even a suspicious one for multiple reasons:

  1. does not make a difference to me attitude

  2. the person involved is my close friend, I stand to lose him/ her if I report

  3. the person involved is senior to me

  4. the company policy is very strict, and the person may be asked to leave – someone could lose job because of me in such difficult times of global recession


Seniors should communicate the importance of reporting, and investigations should be fair and proportionate.


A whistle-blower policy and process can be implemented to take anonymous calls/ mails/ inputs.


No incidents reported (through Whistle Blower Process or any other) should not be taken as no incidents happened. It may be the result of employees not having trust in their management, processes, and tools.

 

What are some Technical and Physical Measures to manage insider threats?

These include:

  • Role-based access policies

  • 'Need to know' groups

  • Physical barriers

  • Security pass regimes

  • Visitor registration

  • Access removal during role changes

  • Policies for personal devices, and

  • Logging data removal


Access controls should be proportionate to the organization's threat level.

Resiliency Testing should not become a buzzword. Security cameras installed, but not working after some time due to non-maintenance or ageing should be caught through basic tests and observations.

 

What role do Exit Procedures play in insider threat management?

Exit Process is as important as the Induction Process for effective management of insider risks. Effective exit procedures are vital to identify concerns and reduce risks.

Considerations include the person's relationship with the organization, cancellation of IT access, prevention of gaining access post-departure, and understanding ongoing security responsibilities.


The exit process must be resilient to make everyone leave on a happy note so that they do not carry any grudges that could be exploited by themselves or by someone else.


The Exit process must also remind the leavers about any NDA or other commitments that continue to be in force even beyond employment with this company.


Most organisations perhaps do not monitor their ex-employees, but this is critical for those who were in critical positions or had access to critical information/ assets. One such real case has just been reported in the Indian media today (Christmas Day 2023) (Wipro has filed a complaint against its former senior vice president, Mohd Haque, alleging that he violated non-compete clauses in his employment contract by joining competitor Cognizant. Haque, who had been with Wipro for two decades and served as the head of healthcare & medical devices for the Americas, is accused of emailing confidential information from his personal Gmail account to Cognizant. The complaint, which demands a jury trial, highlights media reports about Haque's move to Cognizant).

 

Why are Investigations required in Insider Risk Management?

Organizations may need to conduct security investigations into alleged malicious activity by their workforce.

Sources of information include hotlines, staff reports, protective monitoring, and electronic audits.


If a suspicion is raised, the organization may have to take these steps:

a)      Evaluate the possibility of malicious reporting and innocent explanations for suspicious activities.

b)      Assess whether reported actions are unauthorized, potentially unlawful, or violate organizational procedures.


The company will then need to initiate investigative proceedings in the case of b) above.

An experienced, impartial investigator, with knowledge of security policies, should lead the investigation.

Information handling should be confidential, and the investigation's purpose and scope should be clearly defined.

Consultation with the organization's lawyer is recommended to ensure proportionate and lawful actions.

Consider risks associated with an identified individual's position through role-based risk assessment.

Conduct an initial investigation to determine the need for further action, balancing seriousness, and covert considerations.

Interviews can provide explanations and assurances quickly if there is an innocent explanation.


Interviews should be planned, open-minded, and neutral, avoiding interrogation.

Covert considerations may delay interviews based on the seriousness of the breach or involvement of law enforcement.


Decide whether the investigation should be overt or covert, involving relevant parties.

Keep original documents secure, consider informing key colleagues or external agencies, and ensure actions are proportionate.


More intrusive actions may include covert monitoring and searches, adhering to organizational policies.

Collect and handle evidence securely, documenting findings in an unbiased report for presentation to a disciplinary panel.


React proportionately, avoiding discrimination based on protected characteristics.

Internal security investigations use the "balance of probabilities" standard, not "beyond reasonable doubt."

Seek internal legal advice, comply with procedures, and record actions to show necessity and proportionality.

Consider a police investigation for criminal acts.

If the internal investigation concludes no case, take no further action; consider action against malicious allegations.


Continue internal investigation alongside police involvement and dismiss if necessary.

Conduct a review by the organization's Insider Risk Stakeholder Group.

Perform a risk assessment to mitigate new vulnerabilities identified by the investigation.

Foster a security culture that encourages reporting suspicious behavior.


NPSA recommends realistic insider scenario exercises for organizational preparedness.

Thorough, lawful, and proportionate security investigations are important to address potential insider threats within an organization.

 

While closing the article let us look at Employee Monitoring also.

Employee monitoring plays an important role in preventing insider threats, with a focus on protective monitoring as a valuable tool in risk assessment and investigations. It advocates for a comprehensive approach that combines various monitoring measures to create a comprehensive understanding of the risk profile of individuals within an organization.


A monitoring and review program helps identify potential security and personal issues affecting an employee's work.

Interventions like line manager interviews, staff reports, vetting reviews, and IT protective monitoring are crucial to prevent insider acts.

A disgruntled former internal auditor caused a data breach in a UK supermarket, resulting in significant costs and reputational damage.

Protective monitoring contributes to risk assessment, aiding in identifying and resolving concerning behaviors.


It helps identify IT accesses, provides enhanced monitoring during critical events like employee exits, and offers context to suspicious activity.


IT supports Insider Risk investigations by identifying suspect IT accesses. It also assists in identifying unauthorized activity and provides context for concerning actions. Finally, it involves setting retention rules, may be evidential, and contributes to ongoing information and personnel assurance.


A Security Culture is developed in the organization that acts as a deterrent when communicated effectively. It balances positive and negative messaging, emphasizing protection rather than spying. Positive system uses and reporting of suspicious behavior are also encouraged through this Security Culture.


Protective monitoring combines internal employee monitoring and external threat monitoring.

This also involves cleaning data to differentiate user-attributable actions from automated system actions and utilizes a combination of data types and sources for a comprehensive risk profile.

Enhanced monitoring of individuals undergoing investigation can establish a baseline of normal behavior.

Consider whether to start enhanced monitoring before or after the individual is approached or interviewed.


IT protective monitoring has limitations and needs to be complemented by other measures. Hence a comprehensive approach is required that fills knowledge gaps through mechanisms like employee reporting, line manager interviews, secure IT procedures, access controls, searches, and social media monitoring.

 

Conclusion

In conclusion, safeguarding organizations from insider threats is a multifaceted challenge that demands a proactive and comprehensive approach to risk management. The insights drawn from the National Protective Security Authority (NPSA) shed light on the critical role of leadership, trust-building, and effective risk mitigation strategies. From Role-Based Risk Assessment (RBRA) to ongoing personnel security measures, this article has explored the key components of an Insider Mitigation Program.


By understanding the motivations, behaviors, and diverse countermeasures outlined herein, organizations can fortify their defenses against deliberate, self-initiated, or exploited insiders. As we navigate the intricate landscape of insider risks, it is essential to foster a security culture, conduct thorough investigations, and embrace protective monitoring as part of a holistic strategy. By integrating these principles, organizations can not only identify and address insider threats but also cultivate a resilient and secure environment for sustained success.

 

43 views1 comment

Recent Posts

See All
bottom of page