Espionage - It still happens and it still matters
The Director General of Mi5 noted in his annual threat update hostile states seeking to spy on certain governments is as old as the hills. Nevertheless, it still happens, and it still matters. Hostile States utilising someone on the ‘inside’ to acquire privileged information makes their job so much easier. Recently we have seen media coverage of a security officer at the British Embassy in Berlin arrested on suspicion of acting on behalf of a foreign intelligence agency.
This blog serves as a reminder that traditional spycraft does exist and importantly provides you with some high-level protective security principles that your organisation should consider.
Whilst not all roles in an organisation will be assessed as ‘high risk’ this should not mean they present no risk to your business. ‘High risk’ roles are those that have been identified through a risk assessment process the greatest opportunity to facilitate the most damage to your business based on the level of access the role affords. This will be achieved by considering likelihood and impact of the threat scenario transpiring.
An individual assessed to be in a lower risk role may still have access to information or data that would still offer valuable intelligence to a hostile state. Even seemingly mundane information can help a foreign intelligence service build up a picture of an adversary – think of jigsaw pieces and once those pieces all fit together the picture becomes very clear. For example, whilst a security officer may not have direct access to highly sensitive materials, they may have access to security patrol schedules, business continuity arrangements (perhaps including staff contact details), alarming and disarming alarm systems, building wifi passwords and potentially access to restricted access areas, which could all be considered extremely valuable to hostile states. Undertaking a role-based risk assessment will help your organisation consider the level of risk each role presents and importantly the mitigations required to reduce the identified risks.
CPNI recommends an Organisation;
- Follow CPNI's Principles of Protective Security Risk Management – know what assets are important to your site/organisation, have a clear understanding on the threats that your business faces to help shape your risk register and develop a proportionate protective security strategy that is effective.
- Implement an Insider Threat Mitigation Programme - understand which roles present the greatest opportunity to facilitate the threat scenario’s you have identified in your risk assessment process and implement measures that seeks to mitigate the risk workers may exploit their legitimate access to an organisation’s assets for unauthorised purposes. Pre-Employment Screening and Vetting alone is not sufficient.
- Test your processes. Run a tabletop exercise to stress test your processes and response mechanisms to an insider act. Be prepared and ready for when, not if, the worst-case scenario happens to your business.
Take a look at some of CPNI’s Advice and products relating to this subject
The UK is a high priority espionage target. Understand more about this threat by viewing our dedicated espionage page.
This model highlights some key steps that should be taken when considering the wider process of protective security risk management.
The CPNI Insider Risk Mitigation Framework is recommended for organisations developing an insider risk programme, and can play a key part of a holistic programme for building overall protective security maturity.
Practical advice on how to identify malicious profiles, how to respond, and how to minimise the risk of being targeted in the first instance.