A “trusted insider” is a current or former employee or contractor who has legitimate access to information, technology, assets, or premises owned by a business or organisation.
A trusted insider threat is simply the threat posed by a trusted insider. It may be intentional, unintentional (for example, unwittingly releasing confidential or classified information), or carried out under duress (for example, blackmail). Insider threat activities may include deliberately circumventing security procedures (which creates security vulnerabilities), theft, sabotage, or criminal activity that results in, or has the potential to result in, harm to a business or, in the case of defence industry, damage to national security. The damage can be significant and may include not only financial loss but also reputational damage, regulatory breaches and associated litigation.
Defence industry is one of the sectors most susceptible to insider threat risk. Businesses are at risk of losing their Defence contract if an employee's actions lead to a security breach, regulatory breach, or loss of Defence information. A recent example was the illegal export of export-controlled (ITAR) information by an employee of a large international defence prime in the US.
Risk assessments should consider all forms of trusted insider activity when assessing and treating security risks. Irrespective of the industry, businesses that employ staff are at risk.
A strong security culture is imperative in protecting against trusted insider threats. All too often, businesses fund robust physical and IT security measures without considering their security culture, forgetting that humans are often the weakest link.
In a business with a strong security culture, staff will be trained to understand security threats to the business and will willingly comply with security policies and procedures. Suspicious behaviour and behaviour not aligned with the code of conduct will not be tolerated. Management will support and enforce security policies and the risk of internal fraud or malicious activity will be low. If an incident does occur, it is more likely to be identified, reported, and investigated in a timely manner.
Conversely, in a business with a poor security culture, compliance with security-related policies and procedures (if they exist) will be relaxed, the risk of incidents occurring will be high, and if an incident does occur, it will be more likely to go undetected or, worse still, to be detected but not reported.
Here are 10 steps to protecting your business from trusted insider threats:
- Determine who is responsible for the security plan within your business.
- Establish your risk appetite and conduct a security risk assessment to identify and document your security risks including those around trusted insiders.
- Implement a security plan detailing IT security measures, physical security measures, information security measures, personnel security measures, and governance.
- Implement security related policies and procedures such as: Code of Conduct, Social Media Policy, Drug and Alcohol Policy, IT Security Policy, and Information Security Policy.
- Ensure staff are trained to understand security threats and internal security policies and procedures.
- Develop a strong security culture through:
  - top-down commitment to security;
  - enforcement of policies and procedures; and
  - ongoing security awareness training.
- Implement stringent personnel vetting procedures.
- Ensure all staff and contractors sign non-disclosure agreements upon engagement.
- Once the security plan is in place, conduct regular security audits and reviews which may include proactive data mining to detect suspicious behaviour or red flags.
- Review the security plan in consideration of the threat environment on a regular basis.
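As an added illustration of the "proactive data mining" mentioned in the audit step (example code, not part of the original article), the following Python applies three insider red-flag rules to constructed access-log records: use of an account after the person's engagement ended, after-hours access to controlled material, and bulk access to controlled documents in a single day. The roster layout, log fields, business-hours window and threshold are assumptions.

```python
from collections import Counter
from datetime import date, datetime, time

# Constructed sample data (not from the article). A real check would join the HR
# roster to the document repository's audit log; the field layout here is assumed.
ROSTER = {            # user -> engagement end date (None = still engaged)
    "alice": None,
    "bob": date(2024, 3, 31),   # contract ended; access should have been revoked
    "carol": None,
}

ACCESS_LOG = [        # (timestamp, user, document id, control marking)
    ("2024-04-02 09:15:00", "alice", "DOC-1001", "ITAR"),
    ("2024-04-02 10:40:00", "alice", "DOC-1002", "ITAR"),
    ("2024-04-02 11:05:00", "alice", "DOC-3001", "UNCLASSIFIED"),
    ("2024-04-02 23:50:00", "bob",   "DOC-2007", "ITAR"),
    ("2024-04-02 12:00:00", "carol", "DOC-1001", "ITAR"),
    ("2024-04-02 12:01:00", "carol", "DOC-1002", "ITAR"),
    ("2024-04-02 12:02:00", "carol", "DOC-1003", "ITAR"),
    ("2024-04-02 12:03:00", "carol", "DOC-1004", "ITAR"),
    ("2024-04-02 12:04:00", "carol", "DOC-1005", "ITAR"),
    ("2024-04-02 12:05:00", "carol", "DOC-1006", "ITAR"),
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal working window
BULK_THRESHOLD = 5                            # assumed daily limit for controlled documents


def find_red_flags(log, roster, threshold=BULK_THRESHOLD):
    """Return (rule, user, detail) tuples for events that warrant review by security staff."""
    flags = []
    controlled_per_user_day = Counter()
    for ts, user, doc, marking in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        end = roster.get(user)
        # Rule 1: a former insider's account is still in use after the engagement ended.
        if end is not None and when.date() > end:
            flags.append(("former-insider-access", user, f"{doc} on {ts}"))
        if marking == "UNCLASSIFIED":
            continue
        # Rule 2: controlled material accessed outside business hours or at the weekend.
        in_hours = BUSINESS_HOURS[0] <= when.time() < BUSINESS_HOURS[1]
        if not in_hours or when.weekday() >= 5:
            flags.append(("after-hours-controlled-access", user, f"{doc} on {ts}"))
        controlled_per_user_day[(user, when.date())] += 1
    # Rule 3: unusually many controlled documents pulled by one person in one day.
    for (user, day), n in controlled_per_user_day.items():
        if n >= threshold:
            flags.append(("bulk-controlled-access", user, f"{n} controlled documents on {day}"))
    return flags


if __name__ == "__main__":
    for rule, user, detail in find_red_flags(ACCESS_LOG, ROSTER):
        print(f"[{rule}] {user}: {detail}")
```

Each flag is a prompt for human review under the business's reporting framework, not a finding in itself; thresholds should be tuned to the roles and normal workload of the staff concerned.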
Overall, all employees must play a role in protecting their business. Employee trustworthiness, together with security training and awareness, is therefore a key element in building a strong security culture. Employees are often the means by which security incidents or suspicious behaviour are identified, so frameworks must exist to foster a safe reporting environment.
Note: Kara Kennedy is Managing Director of Your Business Security, a Goal Group member.