The National Protective Agency recently released statistics to demonstrate that organisations are still badly prepared for potential acts of ignorance or maliciousness by their employees when it comes to an ‘insider threat’.
- 28% of insider incidents took place outside of normal working hours.
- 24% of incidents happened from a remote location.
- 60% of organisations do not have a plan to manage insider risk appropriately.
An insider threat is a security risk that manifests from inside your organisation. Your employees, contractors, and third-party suppliers all have the potential to become an insider threat. These people have access to your organisation’s systems, network and information. They could maliciously or accidentally release the sensitive information of employees and customers, causing significant damage to your company’s reputation and bringing about intense regulatory scrutiny.
Recent media reports of employees getting even with their employers over alleged acts of indecent behaviour, through lawsuits and financial recompense, include cases involving McDonald’s and Canal Productions, owned by Robert De Niro. However, the financial route is only one route that can be travelled. The Cold War of the 70s employed tactics of physical security breaches through espionage and spying, but now, with conflicts in the Middle East and Eastern Europe, the new challenge for governments and businesses is the growing cyber threat. From a government perspective, in 2023 the UK was the third most targeted country for cyber-attacks after the US and Ukraine. In business, two former employees of Tesla, the American electric carmaker, were behind a data breach that compromised personal information and affected 75,735 people, including staff.
Regardless of a potential aggressor’s methodology, your organisation must understand the importance of not just protective and information security but also the dark corner of personnel security that requires more than a spotlight to illuminate the flaws in organisational procedures.
All these case studies ask you, as an organisation: how well are you prepared for the insider threat, and could you do more?
Here are some good practices to assist in your planning:
- Hire the right person – Check right to work, confirm identity and carry out pre-employment screening.
- Establish the role – Assign computer and building access and discuss security policy.
- Provide reviews – Face-to-face progress reviews and assess the work-life balance.
- Consider remote working – Assess environment and devices, consider scheduled days on site.
- Manage contractors securely – Personnel security clauses in contracts and audit compliance with security policies.
- Be there when they need you – Question changes in behaviour and establish a process for employee reporting.