I had only just finished writing my previous news article when the events of Las Vegas unfolded. I’m getting a sense from people that the more and more these terrorist and mass-murder events are occurring, the less shocked the general population are when they happen – a clear sign that’s it’s now becoming all too regular and all too familiar.
From a UK perspective, we have received a stark warning from the Director General of MI5, Andrew Parker. He went on to say that in his 34yr career, he has never before seen such “a dramatic upshift in the threat. That threat is multi-dimensional, evolving rapidly and operating at a scale and pace we’ve not seen before. Today there is more terrorist activity, coming at us more quickly, and it can be harder to detect.”
Whilst the impact from terrorism has the potential to affect us all and how we go about our daily lives, it is important not to focus solely on what’s on the outside. Organisations spend time and resources ensuring that their assets, especially their employees, are protected from security risks, which of course includes the threat from terrorism. What is too easy to overlook is the potential threat from within – known as the Insider Threat.
Most people will have heard the term “Insider Threat”, but may not have stopped to consider all of the implications and what it actually means to them. An insider threat is “a malicious threat to an organisation that comes from people within the organisation, such as employees, former employees, contractors or business associates, who have inside information concerning the organisation’s security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.”
In essence, an organisation is potentially at risk from a person or persons that it has willingly opened its doors to. The threat may be present by design or by accident, in as much as it being just as likely that an employee with good intentions may do something unintentional to unwittingly cause a security breach.
Examples of an insider threat that was unintended could be to allow oneself to be overheard in a conversation, sending classified documents to the wrong person in error, letting someone tailgate you through a controlled entrance, sending files to their personal computer from the secure work computer; the list goes on.
On the flip-side, there are individuals and organisations who would seek to gain something (even personal satisfaction by way of retribution) by deliberately gaining access to an organisation and its premises, on invitation, to cause them problems. There are also risks from employees who, not having had prior intent to cause any ill harm, are opportunistic because something has presented itself on a plate that was too tempting to pass up. In either case, both types of individual pose a risk and both will have been willingly allowed into an organisation.
It is therefore important not only to have robust screening processes in place to check those individuals that we choose to allow into our inner most circles, but to also consider operating on a ‘need to know’ basis, where important information or secured resources are not accessible unless it is a requirement of a person’s role. The number of potential links in the chain reduces the risk of a break in any one of them and by running a tight ship in terms of information and knowledge, it also makes it easier to establish where any breaches occur, on the basis that fewer individuals had the opportunity, means and motive.
It is also prudent that employees and other relevant people are considered and reviewed, from a security perspective, when any significant personal circumstances change. Occasionally people do things opportunistically, having had no pre-planned intent to do so, because of a combination of temptation and opportunity, mixed with motivation. The outlook and essentially the risk profile of an individual whom has suddenly gone into some form of significant financial debt can change rapidly from one of loyal employee to a significant security risk, depending on what they have access to within the organisation. It doesn’t take me to spell things out, but it would be prudent to know your staff and take an interest in them.
In larger organisations, it would be good management practice in any case for supervisors and team leaders to know their people, find out what makes them tick and to be aware of any changes in circumstances or behaviour. Knowing what is ‘normal’ behaviour for someone can help identify when they are acting abnormally. All too often, after an insider security breach has occurred, many people will admit to noticing some of the clues that something untoward is going on, but do nothing about it, often, because it’s by someone they are familiar with and see simply as an employee.
Of course, not everyone, in fact, only very few people are a genuine security risk to an organisation from the insider perspective, whether by negligence or design – but it can often only take one person to set an organisation back in terms of output, revenue and reputation. If an organisation gets used to encouraging its employees to develop the habit of being more security conscious then people are less likely to attempt to gain access to the organisation (as an employee) or will be less likely to succumb to temptation, with ill intent, if they know there is a good chance of them being caught. Even those who are prone to security lapses will be less likely to do so if security awareness is something that becomes part of the fabric of the organisation. Consider when was the last time you provided any form of security awareness to your employees and contractors? Perhaps it’s time to start the ball rolling now?