It’s important to mitigate any security risks related to people. People and personnel security comprises an integrated ecosystem of policies, procedures, interventions and effects which seek to enhance an organisation or site’s protective security by:
- Mitigating the risk of workers exploiting their legitimate access to an organisation’s assets for unauthorised purposes, known as ‘insider risk’.
- Optimising the use of people (both workforce and, where appropriate, the public) to be a force multiplier in helping to prevent, detect and deter security threats.
- Detecting, deterring and disrupting external hostile actors during the reconnaissance phase of attack planning.
People are an organisation’s biggest asset. However, they can also pose an insider risk; the recruitment of insiders has become an attractive option for hostile actors attempting to gain access to data centres and the data they hold.
CPNI defines an insider as a person who exploits, or who intends to exploit, legitimate access to an organisation’s assets for unauthorised purposes. Remember, an insider could be a full-time or part-time employee, a contractor, a supply chain business partner or customer.
In fact, it could be anyone who has been given rightful access to a data centre asset. An insider could deliberately seek to join your organisation to conduct an insider act, or may be triggered to act at some point during their employment, or after their employment officially ends.
Certain factors may increase an organisation’s vulnerability to insider activity, including:
- Ineffective leadership and governance structures to run an insider threat programme.
- Lack of role-based risk assessment to identify specific high-risk roles.
- Inadequate personnel security measures during pre-employment screening.
- Inadequate ongoing personnel security policies and procedures, limiting the organisation’s ability to monitor and investigate insider activity.
- Poor leadership and management practices, which may reduce organisational trust and erode employee loyalty and commitment.
- Ineffective security awareness and training, both at induction, throughout employment and exit.
- Lack of a strong security culture, resulting in the workforce not taking individual responsibility for security and reduced compliance with security procedures.
CPNI provides comprehensive guidance and frameworks on managing insider risk.
As a data centre operator, you will often have a relatively small number of staff onsite. However, it is likely you will be joined by staff from other organisations, including staff from the data centre’s clients who provide security and engineering support to their own infrastructure, and third-party contractors providing services such as general site security, cleaning and maintenance.
The benefits of an effective security culture include;
- A workforce that is more likely to be engaged with, and take responsibility for, security issues.
- Increased compliance with protective security measures.
- Reduced risk of insider incidents.
- Awareness of the most relevant security threats.
- Employees are more likely to think and act in a security-conscious manner.
CPNI provides a variety of materials to help organisations assess their security culture, and shape their own security culture initiatives.
Many staff onsite at a data centre are contracted by third parties, rather than directly employed by you as the operator.
CPNI recommends that organisations use the same personnel security measures with contractors as they would with their directly employed staff, and where impossible, a risk assessment is made as to if they need to downgrade personnel security standards and what alternative measures can be used.
Some factors to consider within your risk assessment for contractors should include:
- Timescales for recruiting contractors are often tight. This can result in pressure to overlook pre-employment screening measures, especially if it is anticipated they will be employed for a short time.
- Income from contract work can be irregular, which can be a motive for unauthorised activity for financial gain.
- A contractor’s primary loyalty may not necessarily be to the employing organisation and their commitment to security may be diminished.
- A contractor feeling they are not part of the team in which they are working.
- A contractor working in competitor organisations consecutively or simultaneously.
- Contracts being renewed or extended to the point where a contractor works in an organisation for many years, often with little or no re-screening.
- A contractor moving between departments and the department not being aware of security constraints applying to them.
- A contractor being poorly supported by the organisation that contracted them; it may not provide assistance, welfare support or monitoring to non-permanent staff.
CPNI provides comprehensive guidance on personnel security and contract staff.
Pre-employment screening processes
You should screen prospective employees who may have access to your critical assets. Employment screening is the process by which you check whether a potential candidate is suitable for your business.
All individuals should be subject to a suitable level of screening, informed by a role-based risk assessment. This includes permanent, temporary and contract workers. Screening should not be limited to new starters, but also individuals who are moving internally between jobs, as different roles may require different levels of screening.
Security checks as a part of your employment screening should include confirmation of identity and right to work.
CPNI provides further guidance on best practice for pre-employment screening, including when hiring from overseas.
While pre-employment screening helps ensure that an organisation recruits trustworthy individuals, people, circumstances and attitudes change.
It is important that employee risks are not just reviewed at the pre-employment stage. A programme of monitoring and review should be in place. It should enable potential security issues or personal issues that may impact on an employee's work, to be recognised and dealt with.
There are different mechanisms to enable this, for example:
- Line management – ensuring line managers are well-equipped to endorse best practice security and engage with their staff to help them understand security behaviours. They play a key role in helping the organisation develop a good security culture.
- Staff vetting reviews – ensuring employees are regularly reviewed for security clearance helps to keep sight of any significant changes that individuals may go through and how this may impact on their organisational engagement.
- Protective monitoring – using the organisation's IT audit logs to understand employee activity and behaviour. Spotting and investigating IT security breaches is the traditional remit of protective monitoring. In addition, it may be that subtler IT behaviour change is seen that points to a potential issue when combined with information from insider threat practitioners and stakeholders.
- Effective reporting/assessment mechanisms – providing confidential mechanisms for individuals to report concerns about any employee (whether permanent, contractor, management, visitors, or anyone else with access to an organisation's assets) allows everyone to play a part in reviewing the risk of other personnel.
Further CPNI guidance is available on staff monitoring within the Insider Risk Mitigation Framework.
Security training for staff
Dedicated, motivated and professional security staff are an essential component of your protective security regime and mitigate against insider and external people threats.
During both online and physical reconnaissance of a site, hostiles may look for a means to physically enter your organisation.
They may look for information online, such as employees talking about lax security practices or previous process failures. If they are confident enough, they may try to gain access to your organisation, try bypass security, or use fraudulent ID.
Employees tasked with document verification, whether during pre-employment screening and/or during visitor entry, will be vigilant to the threat of fraudulent documentation.
Motivated, attentive and observant security personnel will also form a highly effective deterrent and final line of defence where other interventions have failed.
Read more on robust visitor entry processes.
In addition to the technical requirements of a CCTV control room, CPNI has also produced materials to get the most effective performance from the CCTV operator team.
The human factors approach looks at creating a CCTV control room designed to support activities of the control room staff in a particular environmental context.
The potential benefits of this approach include:
- Identifying areas for control room improvement.
- Getting the best operator job performance.
- Optimising the potential detection of incidents/crimes.
With the above in place, there may be financial benefits in the longer term.
CPNI provides in-depth guidance on promoting security culture within an organisation.