Insider Risk. A Fourth Element.
Updated: Jun 18, 2018
If an item of intelligence is heard before a spy reports it, then both the spy and the one who told about it die.
The UK Centre for the Protection of National Infrastructure (CPNI) and a number of consulting groups have defined Insider Risk and provided guidance to identify and mitigate it. The CPNI’s Insider Data Collection Study defined an insider as “a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorized purposes”. That study and a number of published works have provided some demographic information to assist in the identification of potential offenders, stating that permanent members of staff, working for an organisation for less than five years, who were male and aged 31 – 45 years old may be more likely to carry out such activity. Why do they do it?
Insiders have been categorised into three broad groups: infiltrators, exploited individuals and malicious opportunists. The general recommendations to counter these threats have been published in guidelines and shared across various articles, suggesting a number of actions in response to organisations’ vulnerabilities, mainly concerned with security controls and employment screening. While these are valid options, security and organisational performance can be improved by additionally considering a fourth group of individuals: the uneducated.
An Insider Risk exists in the form of uneducated, unmotivated and potentially incompetent employees. These people have legitimate access to an organisation’s assets and yet pose a threat to its performance through their inability to use systems safely and effectively. This is in line with the view that, in addition to being a strategic consideration, Information / Cyber Security should be viewed as everyone’s responsibility. Organisations should educate employees about appropriate security procedures, but additionally monitor and manage the implementation of these methods.
It is becoming increasingly accepted that training employees in security procedures and the rationale for overarching policies will increase the resilience of an organisation. Further benefits could be gained by empowering managers and employees with greater knowledge and understanding. ISO 31000: Risk Management is a means of identifying threats and hazards in a variety of contexts, not only security. By equipping all employees with an understanding of the system and an ability to apply it, a culture will be encouraged whereby individuals consider more deeply the negative risks and positive opportunities attached to each of their actions. In doing so, an organisation will improve not only its security but its overall performance. Although the high-risk world in which we live, and to which we are exposed in real time through instant news and media, has encouraged organisations to consider risk, they may not presently understand the processes involved well enough to respond effectively. It is in this landscape that experts such as Frontier Risks come into their own, not only as educators but as enablers of improved business performance, because an understanding of Security Risk Management can act as a golden thread running through an integrated security response.
Assess the advantages in taking advice, then structure your forces accordingly, to supplement extraordinary tactics.