We all know that personnel security is central to good business. As part of the recruitment process, we jump through hoops and invest significant amounts of time and labour to find the best-fit employees for both the workplace and the requirements of a specific employment position.
This might mean: looking for suspicious gaps in CV timelines, talking at length with nominated phone references, googling the candidate to see what their electronic history reveals, trawling through their social media feeds, running a police check and then – when it looks like we’re ready to commit – requesting they sign a non-disclosure agreement upon acceptance of the position.
Most of the time, we get it right and we end up introducing another ‘trusted insider’ into our organisation. But, sometimes, despite our best intentions, we get it wrong.
According to the National Counterintelligence and Security Center in the U.S., “Over the past century, the most damaging U.S. counterintelligence failures were perpetrated by a trusted insider with ulterior motives.” Why is this the case?
Insider threats are often difficult to detect because the individual has authorised access to the information they need to perform their job. In other words, there is no obvious security breach. Their co-workers may also be hesitant to report them because of friendship and other personal obligations.
Insider threats usually fall into two categories: malicious and unintentional. The malicious threat is one that is performed consciously for some sort of personal gain, whether financial or moral or otherwise. Something like the Edward Snowden case springs to mind, although we’ll come back to that a little later…
On the other hand, unintentional threats are in the form of insiders who don’t mean harm but know no better. Maybe they don’t fully understand what is actually sensitive or non-disclosable information? Maybe they get drunk and blab something that seems inconsequential over a dinner table but then proves to have grave ramifications for an organisation? The best way to curtail such threats is to make sure all employees and contractors with access to certain details are very clear on what is non-disclosable information and why these measures are in place. Don’t just hand them a contract and expect them to muddle through it – sit down and explain what each clause means.
Past behaviour is often an indicator of future problems, but not always. Maybe an employee has been with your company for a long time, since before you instigated police checks as part of your recruitment? Maybe their circumstances have changed and they’re under pressure to commit a corporate crime they wouldn’t usually commit?
Regular police checks of established and trusted employees go some way towards protecting against insider threats, but a series of digital checks and balances will give you the extra reinforcement needed to keep your organisation secure. This even extends to board members, who should also be checked for bankruptcy, as past bankruptcy can affect their ability to make financial decisions.
Similar to the U.S., the Australian Government has put insider corporate threats at the top of the political agenda; so much so that they’ve created a handbook from the Office of the Attorney-General that outlines how you can better protect your organisation against the so-called ‘trusted insider’ by understanding the threat, evaluating the risks and developing a robust personnel security framework.
Which leads us back to the controversial example of Edward Snowden…
According to this Australian handbook, “a trusted insider is someone who leaks information or takes that material outside of the organisation without protecting the information appropriately or without authorisation. This is quite different from, and should not be confused with, a whistle blower disclosing information that, in the public interest, should be disclosed, as detailed in the Public Interest Disclosure Act 2013 (Cth).”
Looks like we all have an obligation to do right by each other.