Insider Threat during the cost-of-living crisis: trust is key
What will be the impact of the socio-economic crisis on the insider threat, and are stronger security measures needed in response? Care is needed, as poorly thought-through security measures can do more harm than good.
There is no doubt that 2023 is going to be a challenging year for many people on many fronts. The socio-economic crisis is likely to get worse, with a larger section of our nations finding themselves, for the first time, falling into fuel poverty and needing to use food banks and other charitable welfare support to maintain a basic standard of living and keep roofs over heads.
Increasing energy costs and wider cost-of-living rises; a slow-down in economic growth and likely subsequent pay freezes and real-terms cuts; a reduction in government-funded social and welfare programmes; a revolving political door; a growing mistrust in established news, science and research: all set within wider, continued global instability (Ukraine/Russia, Iran, China). A challenging year for anyone – what about security?
Increased instability does not necessarily mean increased insider activity
There might be a tendency to leap to the conclusion that insider activity will increase as our staff, impacted by the current socio-economic climate, face moral dilemmas: should they exploit those lax policies and procedures to divert company funds to ease their money worries, or provide competitors with company information for a wad of cash?
Some organisations are likely to take the approach that stronger or more draconian security measures are required: one strike and you’re out, or multiple levels of security procedures to get through before you can get on with business as usual.
Adopting poorly thought-through security measures can do more harm than good. The recent ICO report on biometric technologies, with its early warning that companies need to assess the risks before implementation to ensure they do not discriminate, is a good example. Organisations taking this approach are likely to see an increase in insider activity as their employees lose trust in their employers.
Trust is key
Successful personnel security practitioners will always talk about trust as the cornerstone of insider risk mitigation. Trust works in two ways:
- Organisational trust in our staff, contractors, suppliers, and business partners, to use our assets appropriately, to maintain and enhance our reputation and success as a business.
- Individual trust in our organisation to pay us for our services, to enable us to work in a safe and secure environment and to nurture our talent, providing opportunities for development and growth.
For many employees the workplace might also be considered a personal safe space: consider the spouse able to have respite in the office from an abusive partner, or the worker who can take a hot shower, or make multiple cups of hot tea, free from the worry of how much electricity it might use. The erosion of the workplace as a safe place may do more to raise the likelihood of insider activity than the wider economic climate.
We do need security measures in place to mitigate the insider risk – but these aren’t new. I and others have written in previous articles about:
- Identifying your organisation’s “crown jewels”, those assets that are critical to the success of your business.
- Mapping the roles that have access to the crown jewels and considering potential insider activities (risks) that could occur.
- Putting the right layers of protection around those roles to give you the confidence and assurance that you can identify any unusual activity early.
- Identifying critical points of an employee lifecycle where insider risk might increase (such as notice periods) and again assessing any risks to put in place appropriate mitigation.
Personnel Security talks about being the “soft” side to security. We shouldn’t lose sight of that – treating our employees as human beings rather than assets, thinking about how the organisation can support staff in these challenging times, through welfare and assistance programmes, or other innovative solutions (such as the baker who is opening up his storerooms into a communal area to make use of the heat generated by the ovens).
That includes making sure our line managers (our front-line defence to insider risk) are comfortable having discussions with their team around what may be sensitive issues, and have access to the information to support an individual through the crises they are currently dealing with. For many employees these (non-security) actions may well be a lifesaver and do more to cement the individual emotional contract and levels of trust we have in our organisations.
Investing in our staff during these challenging times may also have the added benefit of reducing non-malicious insider acts, as our actions enable our employees to focus on their work, spot that suspicious email and think before they click, rather than being worried about non-work issues.
So is 2023 going to be challenging? Yes, but this could be the year for personnel security to stop being the Cinderella of protective security and really demonstrate the value of our approach.