This week Charlie discusses how an organisation should deal with insider threats.
Last week I attended a conference organised by the Scottish Business Resilience Centre called “The cuckoo in the nest: Scotland’s first insider threat conference”, and I thought I might share some of the points I learned at the conference. I think that we, as business continuity people, tend to see the threat as coming from outside the organisation and assume that all staff are happy, dedicated people who would never do any harm to the organisation they love working in! The conference showed that this is not always true!
A few of the points made by the speakers:
- One point made by several speakers was the question of what an insider threat actually is. Those who have privileged access to our IT systems, intellectual property, and physical access to our buildings and/or goods can be a large number of people and organisations. These can include suppliers, outsourced services, joint venture partners, contractors, temporary employees, consultants, cloud service providers, distributors and agents. All have insider access to part or all of your organisation and could use this access to cause you harm. A classic example is the major damage done to the Western intelligence services by Edward Snowden, who leaked sensitive information while working as a contractor for Dell and Booz Allen Hamilton. Do you have robust measures for checking those who have access to your sensitive information and systems? Are measures in place for making sure that those working with you are aware of their responsibilities in regard to your information, and do you check that they are complying with them?
- Many speakers also made the point that insider threats do not all need to be malicious actions by employees; accidental actions can have as big an impact as deliberate ones.
- Do you have a robust leavers’ system which makes sure that IT system access, keys to buildings, alarm codes and ID cards are all taken back from employees when they leave the organisation? Are security guards and other security personnel informed when someone leaves, so that they don’t let a familiar face without an ID card back into the building? If you have ‘bad leavers’ this is especially important.
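The leavers’ check above can be made routine rather than relying on memory. The following is an added example, not from the original post or the conference speakers: a small Python reconciliation that compares a hypothetical HR leaver feed against an access inventory (IT accounts, building keys, alarm codes, ID cards) and reports what is still live or was revoked late, with bad leavers listed first and a separate list of names to pass to security staff. All names, identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


# --- Data model (hypothetical; real feeds would come from HR and the access systems) ---

@dataclass(frozen=True)
class Leaver:
    employee_id: str
    name: str
    leave_date: date
    bad_leaver: bool = False          # flagged by HR, e.g. dismissal or dispute


@dataclass(frozen=True)
class AccessRecord:
    employee_id: str
    kind: str                         # "it_account", "building_key", "alarm_code", "id_card"
    identifier: str
    revoked_on: Optional[date] = None # None means the access is still live


PHYSICAL_KINDS = {"building_key", "id_card"}   # credentials a guard would care about


def audit_leavers(leavers: List[Leaver], access_records: List[AccessRecord],
                  today: date) -> Dict[str, Dict[str, List[AccessRecord]]]:
    """Return {employee_id: {"open": [...], "late": [...]}} for people who have already left.

    "open"  = access never revoked (must be actioned now)
    "late"  = access revoked, but only after the leave date (control failed once)
    Leavers with every item revoked on or before their leave date are not reported.
    """
    by_id = {lv.employee_id: lv for lv in leavers}
    report: Dict[str, Dict[str, List[AccessRecord]]] = {}
    for rec in access_records:
        leaver = by_id.get(rec.employee_id)
        if leaver is None or leaver.leave_date > today:
            continue                                  # not a leaver, or not yet left
        if rec.revoked_on is None:
            bucket = "open"
        elif rec.revoked_on > leaver.leave_date:
            bucket = "late"
        else:
            continue                                  # revoked in time: control worked
        report.setdefault(rec.employee_id, {"open": [], "late": []})[bucket].append(rec)
    return report


def priority_order(report, leavers: List[Leaver]) -> List[str]:
    """Employee ids with findings: bad leavers first, then most open items, then by id."""
    by_id = {lv.employee_id: lv for lv in leavers}
    return sorted(report, key=lambda eid: (not by_id[eid].bad_leaver,
                                           -len(report[eid]["open"]), eid))


def guard_notices(report, leavers: List[Leaver]) -> List[str]:
    """Names to hand to security staff: leavers still holding a key or ID card."""
    by_id = {lv.employee_id: lv for lv in leavers}
    return [by_id[eid].name for eid in priority_order(report, leavers)
            if any(r.kind in PHYSICAL_KINDS for r in report[eid]["open"])]


# --- Constructed sample input -------------------------------------------------------------
TODAY = date(2024, 4, 1)

LEAVERS = [
    Leaver("E001", "A. Example", date(2024, 3, 1)),
    Leaver("E002", "B. Sample", date(2024, 3, 15), bad_leaver=True),
    Leaver("E003", "C. Placeholder", date(2024, 4, 30)),   # leave date still in the future
    Leaver("E005", "D. Stand-in", date(2024, 3, 10)),
]

ACCESS = [
    AccessRecord("E001", "it_account", "vpn", revoked_on=date(2024, 3, 1)),
    AccessRecord("E001", "id_card", "card-0001", revoked_on=date(2024, 3, 1)),
    AccessRecord("E002", "it_account", "vpn", revoked_on=date(2024, 3, 20)),   # five days late
    AccessRecord("E002", "id_card", "card-0002"),                               # never returned
    AccessRecord("E002", "alarm_code", "alarm-zone-3"),                         # never changed
    AccessRecord("E003", "it_account", "vpn"),                                  # not yet left
    AccessRecord("E004", "building_key", "key-12"),                             # current employee
    AccessRecord("E005", "building_key", "key-07"),                             # never returned
    AccessRecord("E005", "it_account", "email", revoked_on=date(2024, 3, 10)),
]

if __name__ == "__main__":
    findings = audit_leavers(LEAVERS, ACCESS, TODAY)
    for eid in priority_order(findings, LEAVERS):
        print(eid, "open:", [r.identifier for r in findings[eid]["open"]],
              "late:", [r.identifier for r in findings[eid]["late"]])
    print("notify security about:", guard_notices(findings, LEAVERS))
```

Run daily against real exports, the "late" bucket is the useful metric over time: it shows how often the leavers’ process is being caught up after the fact rather than completed on the day, which is exactly the window a bad leaver would use.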
- A time of change in an organisation, especially if it is not bought into by all employees, can be a time when you are more likely to have disruptive events caused by people within your organisation. The speakers told two stories. In one, at a Scottish newspaper during the change to digital printing, the number of computers which ‘accidentally’ had coffee spilt on them went up massively and stayed high until the change was accepted by employees several months later. In the other, during a major change at a nuclear power station, staff had not interfered with the safety systems but had smashed up the toilets; this was felt to be due to their anxiety and anger about the changes. If your organisation is implementing a major change, be more vigilant for acts of sabotage, but also give as much support to staff as possible, which may prevent acts of intentional damage.
- One of the speakers was a Detective Chief Superintendent, Head of Organised Crime and Counter Terrorism. He made a couple of good points. First, he stressed the importance of thorough vetting of new employees to avoid your organisation being infiltrated by organised crime. He said that organisations greatly underestimate the threat of infiltration by organised crime groups, which either place their own people in your organisation or coerce your employees into committing crimes on their behalf. Wherever they think they can gain an advantage or there is easy money to be made, organised crime will try to exploit the ‘opportunity’.
- His second point came as a question: did anyone have insider threat on their risk register? The majority at the conference said they didn’t. He said that the insider threat should be on every organisation’s risk register, and that we should all have a plan in place for dealing with it once it is discovered.
One of the final points was made by Ken Milliken, a Corporate Investigator for KPMG. He remarked with great glee how expensive it is, in terms of lawyers, corporate investigations and management time, if you have an insider event or wrongdoing by employees in your organisation. Like all business continuity managers, we must try to prevent incidents before they take place.