Insider Threat – COVID-19 changes the landscape
People are the strongest link in an organisation – but evidence shows us that occasionally they are also the insider risk. Have COVID-19 working practices changed that?
The recent Security Institute-hosted webinar by the Centre for the Protection of National Infrastructure (CPNI), the UK’s National Technical Authority for personnel and physical security, on insider threat was a timely reminder of this persistent risk. All organisations, big or small, need to manage their insider risk (a member of staff/contractor, who uses their legitimate access to your organisation’s assets for unauthorised reasons). Some companies will have dedicated insider risk mitigation programmes; some will respond on an ad hoc basis following an insider incident; almost all will rely on some mitigations that require being able to interact with staff on a daily basis. Typically, that has often meant a shared physical location in a workspace.
As CPNI noted in its insider data collection study, ‘a general lack of management supervision or oversight of employees meant that many of the behaviours, problems and activities of the insider were noticed but went unaddressed’. If a key mitigation of insider risk is about staff (line managers, peers) being able to see (and recognise) when their colleagues are acting differently or observe changes in work productivity, then COVID-19 has changed this landscape. From the looks of things, for some businesses it’s a permanent change, with CEOs recognising that their staff and operations can function as effectively working from home or at distance.
However, for many staff these new working practices have additional pressures – staff are feeling isolated and concerned for their future. There is a lack of communications from the company at both a corporate strategic level and from their management chain. They have lost the opportunity to chat through some of these concerns with their peers as they no longer share office space. Ultimately, these valid concerns can start to turn to dissatisfaction with the organisation, may result in a reduction in productivity and almost certainly a fall in adherence to office processes and policies.
Insider activity rarely happens overnight, as any changes in behaviour tend to be gradual, which co-workers and managers notice from prolonged periods of time spent working together with their colleagues. It will be interesting to track whether the COVID landscape has contributed to a quicker pathway from dissatisfied member of staff to an insider, because of the isolation. What will be evident though is that the opportunity for peer/management recognition of these changes has decreased.
Staff interaction/oversight for many is now based on virtual meetings where you can choose whether to show yourself on camera or stay hidden behind a photo or blank screen, instant messaging or email. The opportunity for social catch-ups at the tea point or before meetings is replaced with silence on the screen before the chair arrives to begin procedures. There have been examples of staff who have been recruited during COVID, joined the workforce and then left without team members ever seeing their new colleague. The only people who have seen the individual were the recruitment team. This can be a challenging landscape in which to build trust.
A good insider risk mitigation programme is going to need to be flexible and dynamic, in the same way that many company IT departments have needed to move from a ‘computer says no’ response to a decision-making process based on immediate requirements. Because insider risk is all about people, your security team is going to have to work with a range of departments, to help them see the COVID-related changes that affect them, their policies, processes and procedures through a security lens.
Managing the insider risk needs to effectively adapt to meet these changing environments.
Top tips include:
- Review your insider risk assessment – have the risks changed, have your critical assets changed, are the current mitigations still effective during working from home and/or returning to work under COVID restrictions?
- Review your ‘work from home’ policies – are they fit for purpose? For example, what does ‘home’ mean? Is it UK-based or overseas? Does company insurance cover staff working from home in another country?
- Work with your HR department to develop effective ‘at distance’ line management policies and procedures that include a security function. It is a sad fact that many businesses are having to make staff redundant. A poor exit strategy for staff is regularly identified as an opportunity for staff to exploit; it is key that your exit strategy takes account of additional risks that COVID poses – e.g. return and disabling of IT equipment and passes.
- Work with Comms departments to include security communications as part of wider corporate comms, so that security responsibilities are interwoven with business as usual. The role of your corporate comms has never been so important – staff are relying on clear communications whether they are on furlough or now doing their job from home. It is key that you identify all communication channels – not all staff will check your internal company website for updates, not all will read the ‘send to all’ email circulars and not all will be at meetings where new comms are given out. You need to ensure that all comms channels are used and build in a mechanism for ensuring that staff have received and understood the content. This will help reduce staff feelings of anxiety and isolation.
- Work with your IT departments to understand what the new ‘normal’ working routines look like, to check whether the auditing function provides adequate assurance or needs some adaptation.
- Review any reporting processes – if you encouraged staff to drop in and see the security teams to discuss any issues, what can you put in place for those staff who are no longer working in an office environment?
- Keep your boards informed of changes to insider risks and of their responsibility to lead from the top and show visible support for, and engagement with, security during these unusual circumstances.
There is a wealth of information available on the CPNI website to help organisations understand, manage and reduce the risk from insiders. There are a number of different toolkits available to help with a range of security issues. These are downloadable and can be branded for your own organisation. I would strongly encourage you to take a look at COVID-19 related pages for some simple steps and easy-to-use toolkits to help you navigate this challenging risk.
Sarah Austerberry MLitt, CSyP, FSyI
Au Security Consulting