Our Greatest Strength is also our Greatest Weakness
People are an organisation’s biggest asset and are generally recognised as the most important source of competitive advantage. However, they are frequently misunderstood and ineffectively leveraged, and in some cases they can also become the greatest threat. The threat posed by insiders, someone who (knowingly or unknowingly) misuses legitimate access to commit a malicious act or damage their employer, is increasing. The strains and challenges that individuals experience in their personal lives, alongside the ever-present activities of criminal and terrorist groups, and potentially the intelligence services of foreign states, result in an array of threat sources which organisations should consider during risk management processes and the subsequent design and implementation of mitigation methods.
Insiders have traditionally been categorised as belonging to one of three groups:
• Exploited individuals
• Malicious opportunists
In a previous article, Insider Risk: A Fourth Element, we suggested that a fourth group should be considered: uneducated or non-compliant individuals. Alongside considering each of these types of insider, an added dimension should also be considered, one which focuses upon IT exploitation and has been appropriately termed by the UK Centre for the Protection of National Infrastructure (CPNI) a “Cyber Insider”.
As organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, the recruitment of insiders becomes a more attractive option for those attempting to gain access to physical premises, assets and information.
The insider risks resulting from the described threats can be effectively mitigated through the design and implementation of good personnel security practices. These holistic security systems can reduce the risk of individuals posing a threat to a business, throughout the life of their engagement.
ERG design personnel security systems which seek to reduce the risk of recruiting staff who are likely to present a security concern, minimise the likelihood of existing employees becoming a security concern, reduce the risk of insider activity, protect an organisation’s assets and, where necessary, carry out investigations to resolve suspicions or provide evidence for disciplinary procedures. Throughout this design, ERG will ensure that security measures are implemented in a way that is proportionate to the risk.
ERG design personnel security models which are based upon the seven core elements, recommended by the CPNI:
• Governance and Leadership
• Insider Risk Assessment
• Pre-Employment Screening
• Ongoing Personnel Security
• Monitoring and Assessment of Employees
• Investigation and Disciplinary Practices (Response)
• Security Culture and Behaviour Change