Insider Risk Management Digital Guidance

Last Updated 13 May 2022

Introduction to CPNI Insider Research

Welcome to the 'Introduction to Insider Threat' CPNI learning module. This module concentrates on the types of insider and their activities, and reflects on the pathway to becoming an insider.

Welcome to the 'Introduction to Insider Threat' CPNI learning module.

 

This is the first module within a series of nine about Insider Risk.  We recommend completing all nine if you can for the most rounded perspective on this important topic.

 

Let's start by looking at the learning objectives for this module.

 

  • To consider types of insider and their activities.
  • To reflect on the pathway to becoming an Insider, considering motivations and behaviours.

CPNI's R&D on Insider Risk has been developed over many years. We started our research with a literature study. Once we had established what data was already available, we began a collection of cases from both the public and private sector.

 

We use a consistent definition of an Insider: 'A person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes'.

 

By interviewing security managers, line managers and colleagues in organisations that experienced an insider event, we have developed a rich understanding of insider risk.

 

This provides a clearer picture of how an insider can cause damage to the organisation, their behaviours and motivations, as well as what organisational factors might influence their activity. It covers cases from the private and public sector, some relating to national security and some international cases.  

 

Our findings have been published in a study report on the CPNI website.  A link to the report will be on the resources page at the end of this module. 

 

CPNI has identified three main types of insider.

 

The first is the 'Deliberate insider'. This is someone who obtains employment with the deliberate intent of abusing their access.

 

The second is the 'volunteer or self-initiated insider'. This is someone who obtains employment without deliberate intent to abuse their access but at some point decides to do so.

 

The third type of insider is the 'recruited or exploited insider'. This is someone who obtains employment without deliberate intent to abuse their access but at some point is exploited or recruited by a third party to do so.

 

There are two sub-groups.

 

The first is the unwitting or unintentional insider. This includes individuals who are manipulated by a third party, or who engage in poor security practices that, unknown to them, assist a malicious third party. This could happen to anyone.

 

The second is the ex-employee, particularly the employee who may have been disgruntled and not left on the best of terms.  They may retain access to your organisation and will have knowledge which would be of interest to third parties.

 

What are we protecting against? There are a range of actors who might utilise insiders against your organisation. The harm done by these insiders might be physical harm to other members of the workforce or members of the public, and reputational, operational and financial damage to the organisation.

 

Insiders may be used by:

 

  • Terrorist organisations.
  • Hostile State Actors.
  • Commercial competitors.
  • Single-issue groups.
  • Serious Organised Crime groups.
  • And, the media.

 

CPNI categorises insider incidents into five main groupings.

 

In no particular order these are:

 

  • Facilitation of third-party unauthorised access to an organisation’s assets. 
  • The unauthorised disclosure of information, such as to a foreign intelligence service.
  • Process corruption, which is the illegitimate altering of an internal process or system for unauthorised purposes.
  • Physical or electronic sabotage.
  • And finally, theft of materials or information.

 

In CPNI’s 'Insider Threat Study Report', the two most frequent types of insider activity were:

  • The unauthorised disclosure of sensitive information.
  • And then, process corruption, which is often fraud related.


Motivations for undertaking an insider act are complex. In addition to a primary motivation there are usually secondary motivations, with disaffection in the workplace playing an important role.

 

From our research, we know that some behaviours are more predictive than others, and that they have a clear and negative impact in the workplace.

 

But there is always a cluster and combination of these behaviours, not just one.

 

Being able to recognise these combinations will allow you to make an early intervention and deal with a minor workplace behaviour of concern before it becomes an insider event.

 

We have divided these conditions into three areas: 

 

  • Personality. For example, somebody showing immaturity, low self-esteem, amoral and unethical behaviour, and possessing a superficial nature.
  • Lifestyle & circumstances. For example, someone with an exploitable or vulnerable lifestyle & work profile, poor work attitude, and suspect foreign travel.
  • Behaviours of concern. For example, unauthorised handling of sensitive material, security violations, and unusual IT or copying activity.

 

It is worth reiterating that it is extremely important that these findings are not taken out of context, or used as a means to profile or discriminate against individuals who may match some of the characteristics and traits identified.  We should be careful not to profile an insider on statistics alone.

 

So, as we start to conclude the first of the Insider Risk modules, let's summarise the key points we've covered.  We've explained:

 

  • The different types of insider and their activities.
  • The pathway to becoming an Insider, including motivations and behaviours.

 

You can access further information on the topics covered in the next steps document below.

 

A reminder that the next module in the Insider Risk series is called ‘Leadership & Governance’.

 

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Governance and Leadership

This is the second module within a series of nine about Insider Risk. The learning objectives for this module are to understand why 'Governance and Leadership' is the foundation for good personnel security, to introduce the 7 Key Elements of personnel security and to demonstrate how this leads to effective mitigation of insider risk.

Welcome to the 'Insider Threat: Leadership and Governance' CPNI learning module.

This is the second module within a series of nine about Insider Risk.  We recommend completing all nine for a thorough perspective on this important topic.

Let's start by looking at the learning objectives for this module.

  • To understand why ‘Leadership and Governance’ is the foundation for good personnel security.
  • To introduce the 7 Key Elements of personnel security.
  • And finally, to demonstrate how this leads to effective mitigation of insider risk.

As well as the role of good governance, CPNI’s ‘Insider’ Data Collection Study notes the importance of senior leadership understanding and owning their people risk.

The report explains:

“A lack of awareness of people risk at a senior level can lead to organisations missing the attention and resources necessary to address the insider threat. There needs to be a single, senior, accountable owner of ‘people risk’ to whom all managers with a responsibility for people risk report. Inadequate corporate governance and unclear policies in ‘managing people risk’ and unclear policies and procedures can also make it more difficult to prevent and detect insider activity.”

Through research across the Critical National Infrastructure, CPNI has identified seven key elements of a good 'Personnel Security' regime and strategy. In this and subsequent modules we will work our way through these seven elements.

  • The starting point is Governance - in other words, for a senior board member to take ownership of, and have responsibility for, mitigating people risk (‘insider risk’). It is essential that this senior person, no matter what their job title or position on the board, is able to influence resources for an insider programme and ultimately owns the risk.

Once a ‘Senior Decision Owner’ has been identified, you should be asking some fundamental questions about the organisation’s response to insider risk.

  • Firstly, what does the management of Insider Risk look like within your organisation?  Do you recognise the application of a best practice model?
  • Do you receive adequate data, from both internal and external sources, on the threats and associated risks that insiders could pose to your business or sector in order to make effective decisions?
  • Are effective and proportionate mitigations in place that reduce your organisational vulnerability to insider activity to within your stated risk appetite?
  • Acknowledging the financial, reputational and operational damage an insider could pose, do you feel there is currently sufficient resource allocated to your organisation’s 'Insider Threat Programme'? 
  • Has your organisation conducted a review of insider risks within the last 12 months?
  • And finally, do you regularly communicate with your workforce in a way that reduces potential anxiety? For example, where an organisation’s operating model is changing.

Organisations need to build and/or strengthen a programme of work to mitigate the insider risk.

CPNI’s ‘Insider Threat Mitigation Framework' can be used by organisations to understand the strengths and weaknesses in their current programme, and to develop a stronger regime.

An 'Insider Risk Mitigation Framework', driven by the Senior Decision Maker, provides governance and structure in mitigating risks.

As you can see, leadership and governance are part of the foundations of any programme to mitigate insider risk.

This foundation will help implement mitigations, such as policies and procedures based on assessed risks. This programme helps to create a working environment where staff are:

  • More savvy to the risks they face and what to do about them.
  • Confident reporting workplace concerns. 
  • And better informed because there is strong communication.

We will visit different elements of this programme as we progress through subsequent 'Insider Risk' modules.

This framework is available as an interactive PDF on our website. You can click into each shape for further information.

Now let's take a closer look at Board Engagement and Governance.

Here you can see further detail on the importance of ‘leadership and governance’ in mitigating insider risk. You can also find a range of supporting products providing further details on the subject.

There are many benefits to the 'Insider Risk Mitigation Framework', which include:

  • It encourages reflection on the roles and responsibilities of a Senior Decision Maker in mitigating ‘insider risk’.
  • It encourages meaningful discussions on your organisation’s ‘insider risk mitigation strategy’ with stakeholders from across the business who are responsible for its successful implementation.
  • And thirdly, it supports ongoing reviews of your organisation’s existing insider mitigation strategy to determine whether it remains sufficient to manage the risks identified.

A single, accountable board-level owner of security risk, and a top-down implementation of security policies and expected behaviours will:

  • promote a consistent approach to security across the organisation.
  • foster a multi-disciplinary approach to countering the insider threat.
  • demonstrate to staff the value placed on personnel and people security policies and procedures.
  • And, act as a deterrence effect to mitigate potential insider activity.

In summary, 'senior leadership responsibility’ AND ‘support for the implementation of security policies' are critical parts of the foundation of any effective programme to mitigate insider risk. It encourages a consistent and multidisciplinary approach, a strong security culture, and it acts as a deterrent.

Further advice and resources are available on the CPNI website, including:

The Holistic Management of Employee Risk (referred to as HoMER), which sets out fundamental principles of Board level accountability for personnel security, such as:

  • avoiding information silos.
  • being transparent and ethical about what you’re doing.
  • And, leading a strong security culture.

Plus, CPNI’s 'Passport to Good Security', which is tailored to Senior Executives.  It sets out the key themes for best practice and provides relevant prompts for the actions they need to take as part of the organisation’s strategy. It will help Senior Leadership to identify, assess and mitigate the threats to the organisation.

So, as we start to conclude the second of the Insider Risk modules, let's summarise the key points we've covered.  We've explained:

  • Why ‘Leadership and Governance’ is the foundation for good personnel security.
  • The 7 key elements of an effective ‘personnel security regime’.
  • The benefits of an 'Insider Risk Mitigation Framework'.
  • And finally, how senior leadership responsibility and support can contribute to the effective mitigation of insider risk.

A reminder that the next module in the Insider Risk series is called 'Leadership role in preserving Organisational Trust'.

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Leadership Role in Preserving Organisational Trust

This is the third module within a series of nine about ‘Insider Risk’. The learning objectives for this module are to consider the importance of organisations preserving trust with employees during significant disruptive events, to reflect on what can happen if there is a breakdown in trust, to consider how this may contribute to increased risk of insider activity and to look at the three practices that an organisation can deploy to help preserve established trust.

Welcome to the 'Insider Risk: Leadership role in preserving Organisational Trust' CPNI learning module.

 

This is the third module within a series of nine about ‘Insider Risk’.  We strongly encourage you to complete all nine modules if you can.

 

Let's start by looking at the learning objectives for this module.

 

  • To consider the importance of organisations (specifically leadership) preserving trust with employees during significant disruptive events, such as the COVID-19 pandemic.
  • To reflect on what can happen if there is a breakdown in trust and employees see limited efforts to support them during a crisis.
  • To consider how this may contribute to increased risk of insider activity.
  • And finally, to look at the three practices that an organisation can deploy to help preserve established trust.

 

Leadership support for a strong protective security model not only protects the organisation, it also ensures the safety and job security of its workforce.

 

Strong protective security relies on the trust built between employer and employees.

 

But, disruption can have a negative effect on how some employees perceive or trust their employers, especially in response to a crisis.

 

It is the responsibility of senior management and employers to act to preserve the trust an organisation has built with its workforce, even more so during periods of disruption. 

 

Disaffection and disengagement can spread quickly, especially when employees feel:

  • a sense of uncertainty about the future.
  • AND, vulnerable to the events around them.

 

So, what happens when external forces jeopardise that trust?  And when employees see limited efforts to support them during the crisis? 

 

It can mean that employees no longer feel ‘protected’ by the organisation.

 

In these circumstances, some employees might seek to undertake unauthorised insider acts, for their own benefit or even just to exact revenge against their employers.

 

CPNI’s 'Insider Data Collection Study' identified that: 

 

"In many insider cases there was an element of disaffection displayed by the employee. This ranged from being the main reason for the employee deciding to commit an insider act, to simply being disengaged from their employer and therefore not feeling committed to their organisation."

 

The study also discovered that poor management practices where there was a failure to address and resolve workplace issues, such as grievances against the organisation, contributed to that sense of dissatisfaction.

 

It is the responsibility of organisations and their leadership to spend time and resource ensuring that their workforce has confidence in the decisions they’ve made. This builds trust over time, and in some cases can repair trust that has been eroded by previous poor decisions.

 

This is particularly important during a crisis. A single, external, and disruptive event, out of the control of the organisation, can lead to two conditions in the workforce:

 

  • Disruption of familiarity.
  • And, an increased sense of vulnerability.

 

Employees who are faced with new ways of operation, or even the possibility of loss of employment, look to the organisation for reassurance.

 

There are three practices that an organisation can deploy, which can help preserve established trust.

 

The first is: 'Developing a vision after the crisis'. This involves what is known as “Cognitive bridging”, whereby the leadership takes the organisation on a “walk over the bridge”, moving from a position which is no longer viable due to the crisis, even if the other side of the bridge seems different or unknown.

 

A clear vision of what the future looks like for the organisation will provide certainty and positivity at a time when employees feel vulnerable and nervous of change. The communications surrounding this vision need to:

  • explain why the current position is no longer tenable and the organisation HAS to move to another.
  • And, be open, honest, consistent across the organisation, respectful, and non-patronising.

 

The second practice is: 'Understanding that personal emotions are important'.

 

Organisations must accept that employee emotions, triggered by the disruption, are an important factor to consider when going through this change. Therefore, organisations should:

  • emphasize that emotional responses are taken seriously by the organisation.
  • ensure that employees have time and space to share these emotions.       
  • be caring of employees who are emotionally affected by the disruption.
  • And, understand that some employees may need time to come to terms with the changes, especially if they are fast paced.

 

And the third is: 'Collective decisions'.

 

Leadership should involve employees in the decision-making process. Giving them a voice during the disruption and enabling them to feel they are contributing to the change process, will reduce employees’ sense of vulnerability. This provides a sense of personal control when the situation seems out of their control.

 

To enable organisations to carry out the preservation of trust through these practices, they should use the following mechanisms where appropriate.

 

First, is through the use of existing foundations of trust. This involves deploying those established organisational structures which engender familiarity and confidence in employees.  For example:

  • drawing reference to a similar situation which the organisation was able to successfully navigate through.
  • promoting confidence in robust organisational processes.
  • emphasising organisational values and principles.
  • and, where possible depending on the disruption, the continuation of organisational rituals and social practices.

 

And second, to recognise the importance of the management role. Key to preserving trust in the organisation is that employees see management fulfilling a role that is supportive and protective during a period of disruption. Management should be seen as ‘guardians’ or ‘stewards’ of the organisation, and not primarily as ‘change agents’ seeking to make a name for themselves.

 

There is advice and further guidance available on both the CPNI and CREST websites, including:

 

  • A manager's guide to successful organisational change.
  • AND, a guidance paper titled 'Preserving organisational trust during disruption such as a pandemic'.

 

So, as we start to conclude the third of the Insider Risk modules, let's summarise the key points we've covered.  We've explained:

 

  • The importance of organisations, specifically leadership, preserving trust with employees during significant disruptive events.
  • What can happen if there is a breakdown in trust, and employees see limited efforts to support them during a crisis.
  • How this may contribute to an increased risk of insider activity.
  • And finally, the three practices that an organisation can deploy to help preserve established trust.

 

A reminder that the next module in the Insider Risk series is called 'Role based risk assessment'.

 

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Role-based Risk Assessment

This is the 4th module within our series of nine about Insider Risk. The objectives of this module are to understand why effective risk management is the foundation of an organisation's protective security programme, to explain the key principles required in security risk management to support strategic decision making, to provide a methodology that your organisation can implement, and to explain the principles of how to conduct a 'Role Based Risk Assessment'.

Welcome to the CPNI 'Insider Risk: Role-Based Risk Assessment' learning module.

 

This is the 4th module within our series of nine about Insider Risk.  We encourage you to complete all nine modules so you have a comprehensive overview of the essential components required for an effective Insider Risk mitigation programme.

 

Let's start by looking at the learning objectives for this module.

 

  • To understand why effective risk management is the foundation of an organisation’s protective security programme.
  • To explain the key principles required in security risk management to support strategic decision making and, in this case, relate it to an organisation’s Insider Mitigation Programme.
  • To provide a methodology that your organisation can implement to develop and mature your organisation’s ‘personnel security risk assessment’ processes and incorporate these into your organisation’s overall risk narrative.
  • And, to explain the principles of how to conduct a 'Role Based Risk Assessment’, and how this can help your organisation to protect its critical assets from the risk of insider activity.

 

Effective security risk management requires an organisation to have senior support and defined governance structures to translate the strategic vision of an insider programme into practice.

 

Senior managers, who will be the owners of security risk, need to be conversant with the key principles of protective security to guide their strategic decision-making.

 

Understanding what security risks your organisation faces is essential for developing appropriate and proportionate security mitigation measures within your organisation’s insider threat programme.

 

Let's start by taking you through the key steps that CPNI recommends when considering and assessing insider risks.

 

Firstly, it is vital that your organisation identifies what are your critical assets and systems, so you know what needs protecting.  You should consider what assets and systems are necessary for the delivery of effective operations or are of specific organisational value.

 

Organisations all have a differing operating focus and operating environment.  The assets of value to an organisation will therefore indicate the range of threats, threat actors and attack vectors that are critical to it.

 

For example, assets may include:

  • Information – personnel information, sensitive information on your security processes, commercial information, research information, or corporate information on your organisation’s suppliers and/or customers.
  • Physical – Sites, buildings and rooms that control key functions.
  • Personnel – Workers who have unique specialist skills on which your organisation may depend and where there is little resilience.
  • Assets controlled by a 3rd party, such as a Managed Service Provider.  For example, a datacentre that stores all of your IT hardware and data.

 

To ensure critical assets and systems are fully identified, CPNI recommends engaging a suitable organisation-wide stakeholder group who have specialist insight into their business area and who can support the identification of your organisation’s critical assets and systems.  This group can provide ongoing support to the risk assessment and management process and can help identify which actions will provide the greatest benefit.

 

Once assets and systems that are deemed critical to your organisation have been identified, they should be categorised in relation to the level of criticality to your business.

 

Once you have established what are your organisation’s critical assets and systems, the threats that could jeopardise your organisation’s work need to be identified. These threats could range from national security threats, through to criminal or protestor activity. In this Module we will focus on the risk they pose in the context of insider risk.

 

Before we move on, it is important we understand the difference between “threat” and “risk”.

 

  • 'Threat' is defined as the intent and capability of a hostile actor to damage your organisation.
  • 'Risk' is defined as the impact and likelihood of an attack against your organisation.

 

The 'Insider Threat' informs the ‘likelihood’ part of the insider risk assessment, along with an assessment of the vulnerability.

 

‘Vulnerability’ is a weakness in your organisation’s systems and processes that could be exploited by a threat actor to deliver a successful attack.

 

There are numerous global threats to our way of life and due to the nature of our work, these threats might come from one person, a group of individuals, or even another country.

 

Some threats may be more relevant to your work than others.  It is therefore important to establish which ones pose a credible and potentially damaging threat. 

 

For instance, would your organisation be the target for a terrorist attack that could cost the lives of your most valuable asset – your workforce and customers?  Or is your threat from a hostile state that wishes to destabilise the economic well-being of the UK, or steal your Intellectual Property?  Or is it from a smaller group, such as a criminal network, that seeks to steal valuable materials which are essential for your processes?

 

Gather information from reliable sources to inform your assessment on the threats that could do your business the most damage. Relevant threat advice can be obtained from a range of sources including:

  • CPNI.
  • Your local Counter Terrorism Security Advisor known as a CTSA.
  • NaCTSO: the National Counter Terrorism Security Office.
  • Your local police force.
  • Local business network forums, business partners and co-located organisations.
  • And, where appropriate, industry regulators.

Once your organisation has identified what are your critical assets and systems, and you have a thorough understanding of the threat, your organisation’s security risks can be developed. To allow for effective prioritisation, the security risks need to be sufficiently specific and detailed.

 

Here is an example of a threat scenario, first stated in general terms and then made specific to an insider with legitimate access:

The theft of IP relating to Project X, a sensitive project whereby the UK is leading in cutting edge research, which results in the loss of the UK’s strategic economic and political advantage, and organisation reputational damage.

 

A System Administrator, with access to all research data, steals IP relating to Project X, a sensitive project which the UK is leading in cutting edge research and is attracting significant UK political interest, by transferring data onto a personal device with the intention to sell to a commercial competitor for financial gain.

 

Here we are specifically interested in understanding whether threat scenarios could be facilitated by an insider based on their legitimate access. Any insider access to your identified assets and systems, whether from your own employee, a contractor, a supplier, or even a business partner, increases both the likelihood of a successful attack and the impact of the harm it can do.

 

It is therefore key to consider and document within your organisational risk register which roles provide the greatest opportunity to facilitate each threat scenario.

 

We now move onto the final stage of the process – which is described as the ‘role-based risk assessment’.

 

This part of risk management will require detailed information from various parts of your organisation and ideally could form part of your organisation’s Insider Threat Stakeholder Group’s responsibilities.

There are clear benefits in undertaking a 'Role Based Risk Assessment', including:

  • It is recognised as a foundation of good personnel security management – as defined by CPNI’s Insider Risk Mitigation Framework.
  • It assists with identifying threats to your critical assets, especially from insider activity.
  • It ensures you are deploying the appropriate counter-measures, and importantly, evaluates their effectiveness.
  • It focusses precious resource where it is most needed i.e. on your highest priority risks.
  • It highlights particular teams, groups or even specific roles that might present more risk than others.
  • And finally, it is an uncomplicated and transparent process that can be aligned to other organisational risk decision-making processes, such as contingency planning and safety reviews.

 

There are 3 key principles of the 'Role Based Risk Assessment':

  • OPPORTUNITY.
  • PRIORITISATION.
  • AND, MITIGATIONS.

 

Firstly, let's consider 'Opportunity'.  This is establishing what roles have access to critical assets and what their vulnerabilities are. For example, you may identify that there are currently minimal, or 'ineffective’ measures in place to provide protection.

 

Some roles provide access to more than one set of assets. Remember that this is not an assessment of the individuals who occupy these roles, but an assessment of the role functions which require access.

 

Consider: 

  • What are these roles?  
  • Should these receive more attention than others?
  • Who should be included in this assessment process? For example, others in the organisation, such as HR or the IT department, may be able to give assistance based on certain data.

 

Secondly, let's consider 'Prioritisation'.  When considering what your highest priority risks are, you should take into account ‘Likelihood’ and ‘Impact’.  This will help you apply a proportionate level of resource.

 

You should consider:

  • How likely is it this act will happen? 
  • Has it happened before? 
  • If so, are the circumstances the same now? 
  • What is the impact of this happening? For example, will it stop your organisation being productive for 1 day, 1 month or 1 year?
  • And, what level of risk can your organisation tolerate?

 

And thirdly, let's consider 'Mitigations'.  These can reduce the 'Insider Risk' by limiting both the impact and likelihood of an Insider act.

 

To help mitigate your risks, consider what measures are available to you that are legal and proportionate to the risk.

 

It helps to think holistically about the full range of measures available to organisations.  They may include physical or cyber related security measures, as well as personnel security measures.

 

Be imaginative, but remember these need to be proportionate to the level of risk identified and ensure compliance with the law.

 

Mitigation measures that your organisation implements should be supported by policies, procedures and guidance that are in place, understood, and consistently enforced.  Themes an organisation may want to consider deploying as part of a mitigation strategy may include:

  • Security Education & Training (which includes shaping an organisation’s security culture through shaping priority behaviours of its workforce).
  • Physical & Technical Control Measures.
  • Employee Screening & Vetting.
  • Monitoring and Review (covering human as well as technical).
  • And, effective security communications across the workforce.

 

As you complete the risk assessment, it is imperative that you record your assumptions and decisions throughout the process.  This information should form your organisation’s Risk Register. Remember, this document should be protected as it will contain sensitive information.

 

There are likely to be decisions that the accountable owner of ‘people risk’ will need to make on new mitigation measures, or on changes to existing ones. A thorough risk assessment process will help support seniors in their decision-making process.

 

Risk Assessment is a continual process. Your risk register should be reviewed regularly, such as when there has been a significant change to the security policy, a change to your organisation’s operating model, or after a security incident.  A new assessment will be required to take account of a change in threat or additional mitigations that alter previous risk priorities.
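The three principles above (opportunity, prioritisation, mitigations) and the instruction to record assumptions in a risk register can be worked through in code. The example below is an added illustration and not a CPNI tool; the roles, assets, 1-5 scales, tolerance value and mitigation factors are all constructed assumptions that an organisation would replace with its own.

```python
"""Role-based risk assessment, worked through in code.

Added illustration: this is not a CPNI tool. Roles, assets, the 1-5 scales,
the tolerance and the mitigation factors are all constructed assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int            # 1-5: consequence if an insider compromises it


@dataclass(frozen=True)
class Role:
    name: str
    assets: tuple          # assets the role FUNCTION needs, not the person
    likelihood: int        # 1-5: judged likelihood of an insider act via this role
    measures_effective: bool   # are current protective measures adequate?


@dataclass(frozen=True)
class Mitigation:
    name: str
    likelihood_factor: float = 1.0   # 0.5 halves the likelihood
    impact_factor: float = 1.0       # 0.5 halves the impact


# Constructed sample data.
ASSETS = {
    "customer database": Asset("customer database", impact=5),
    "control room": Asset("control room", impact=4),
    "office wifi": Asset("office wifi", impact=2),
}
ROLES = [
    Role("database administrator", ("customer database", "office wifi"), 3, False),
    Role("shift operator", ("control room",), 2, True),
    Role("receptionist", ("office wifi",), 2, True),
]
CRITICAL_IMPACT = 4   # assets scoring this or higher count as critical
TOLERANCE = 8         # highest likelihood x impact the organisation accepts


def opportunity(roles, assets, critical=CRITICAL_IMPACT):
    """OPPORTUNITY: roles reaching a critical asset without adequate measures."""
    return [r.name for r in roles
            if not r.measures_effective
            and any(assets[a].impact >= critical for a in r.assets)]


def _impact(role, assets):
    return max(assets[a].impact for a in role.assets)


def inherent_risk(role, assets):
    """PRIORITISATION: likelihood x impact before any new mitigation."""
    return role.likelihood * _impact(role, assets)


def residual_risk(role, assets, mitigations):
    """MITIGATIONS: apply each measure's factors, rounding up (conservative)."""
    lf = math.prod(m.likelihood_factor for m in mitigations)
    imf = math.prod(m.impact_factor for m in mitigations)
    likelihood = max(1, math.ceil(role.likelihood * lf))
    impact = max(1, math.ceil(_impact(role, assets) * imf))
    return likelihood * impact


def prioritise(roles, assets, tolerance=TOLERANCE):
    """Highest inherent risk first, flagging anything above tolerance."""
    scored = sorted(((inherent_risk(r, assets), r.name) for r in roles), reverse=True)
    return [{"role": n, "score": s, "above_tolerance": s > tolerance} for s, n in scored]


def risk_register(roles, assets, plans, tolerance=TOLERANCE):
    """Register entries record scores AND the assumptions behind them, so the
    accountable owner can see why a role was prioritised and review it later."""
    by_name = {r.name: r for r in roles}
    register = []
    for entry in prioritise(roles, assets, tolerance):
        role = by_name[entry["role"]]
        mitigations = plans.get(role.name, ())
        residual = residual_risk(role, assets, mitigations)
        register.append({
            "role": role.name,
            "inherent": entry["score"],
            "mitigations": [m.name for m in mitigations],
            "residual": residual,
            "within_tolerance": residual <= tolerance,
            "assumptions": (f"likelihood {role.likelihood}/5, worst asset impact "
                            f"{_impact(role, assets)}/5, tolerance {tolerance}"),
        })
    return register


# Constructed mitigation plan for the highest-priority role.
PLANS = {
    "database administrator": (
        Mitigation("privileged-session monitoring", likelihood_factor=0.5),
        Mitigation("two-person approval for bulk exports", impact_factor=0.5),
    ),
}

if __name__ == "__main__":
    for row in risk_register(ROLES, ASSETS, PLANS):
        print(row)
```

Each register row carries its own assumptions string, which is what makes the later review triggers workable: when the threat changes or a mitigation is added, the recorded likelihood, impact and tolerance can be re-examined rather than re-guessed.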

 

So, as we start to conclude the 4th of the Insider Risk modules, let's summarise the key points we've covered.  We've explained:

  • The key principles that an organisation needs to have in place for effective risk management.
  • The importance of identifying your organisation’s critical assets and systems.
  • The importance of understanding what security threats your organisation faces.
  • How a 'Role Based Risk Assessment' can help an organisation manage an effective insider risk programme.
  • How to be clear what potential insider risks you face and how to prioritise them.
  • How to assess what roles pose the most risk, based on the opportunity they provide.
  • And finally, how to ensure you implement necessary and proportionate counter-measures.

 

You can find tools to help you with your 'Insider Risk Assessment' via the next steps document below.

 

A reminder that the next module in the Insider Risk series is called 'Employment Screening'.

 

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Employee Screening

This is the 5th of nine modules about Insider Risk. The learning objectives for this module are to understand the purpose of 'Employment Screening' in the context of insider risk, to understand the 'Government Baseline Personnel Security Standard', to know what checks and enquiries can be done, to understand the 'screening throughout employment' requirements and to know the essentials of Document Verification.

Welcome to the 'Insider Risk: Employee Screening' CPNI learning module.

 

This is the 5th of nine modules about Insider Risk. We encourage you to complete all the modules in the series so you have a comprehensive overview of this important subject.

 

Let's start by looking at the learning objectives for this module.

 

  • To understand the purpose of 'Employment Screening' in the context of insider risk.
  • To understand the 'Government Baseline Personnel Security Standard' (or BPSS) and BS7858.
  • To know what checks and enquiries can be done.
  • To understand the ‘screening throughout employment’ requirements.
  • And, to know the essentials of Document Verification.

 

Strong Employment Screening is fundamental to having good personnel security. Your organisation’s Employment Screening policy should be underpinned by a robust risk assessment process, as described in Module 4 on Insider Risk.

 

It is important to get this step right, to have as much assurance as possible about the person you are allowing access to your assets.

 

Specifically, screening seeks to:

 

  • Confirm identity.
  • Verify credentials.
  • ‘Test character’ - has the individual concealed important information which may make them unsuitable for employment in a particular role?

 

The information obtained as part of this process may help identify individuals who might present security concerns and pose a risk to your business.

 

The level of checks required will be dependent upon the role that the applicant is going to fulfil and the level of risk that the role presents based on access. Proportionality is a watchword in CPNI.

 

Consider the cost to the business and the extent to which the post presents the opportunity to cause harm or damage. Not all employees need the same level of checks.

 

Be clear what your Employment Screening policies are and have them in writing, so there are no ambiguities. This includes making a clear statement that thorough Pre-Employment Screening will take place. By doing so you will be giving a clear indication to applicants that the organisation is security conscious, and it will be perceived as a hard target by someone attempting to gain access through employment to deliberately conduct a malicious insider act.

 

The main purposes of a Pre-Employment Screening policy are to:

 

  • Prevent ‘insiders’ entering the organisation.
  • Confirm staff are legally entitled to work in the UK and, where appropriate, meet nationality rules when working in government service.
  • Verify declared skills and employment history.
  • Identify areas of concern. For example, gaps in career history or contradictory information.
  • Help protect reputation and maintain public confidence in the organisation.
  • Help reduce staff turnover, deepen expertise and increase morale within an organisation.
  • And, reduce the risk of business disruption or financial loss to the organisation due to counter-productive workplace behaviour.

 

An employment screening policy helps ensure transparency and that everyone is treated equally in the employment process. It also ensures good audit trails - so be sure to record your decision-making.

 

Your organisation’s Employment Screening processes must be legal, robust, consistent, fair and efficient.

 

Remember that applicants must provide consent to undergo screening. Organisations should specify on the application form that upon signing the form applicants are consenting to relevant screening checks.

 

Be sure to take a structured approach to Pre-Employment screening by ensuring it is part of the overall recruitment process. And be aware that it can be time consuming. The Pre-Employment screening process should therefore ideally take place as late as possible within the recruitment process, to ensure recruitment resource is used as effectively as possible.

 

A good pre-employment screening process will deter and detect deliberate insiders, terrorists and criminals from obtaining employment within your organisation.

 

But, errors can still happen, as these case studies illustrate.

 

Case 1 (on screen text only)

 

A person from New Zealand was registered in the UK in 1995 with a medical degree from Auckland University. They worked as a doctor for 25 years in the UK.

 

In October 2018 they were convicted of fraud and theft after taking advantage of a vulnerable dementia patient. It was uncovered that they didn't actually have a medical qualification.

 

Case 2 (on screen text only)

 

In the year 2000 a Premier League football club appointed a new Director of Communications. Within 13 days they had been sacked after it was revealed they had lied on their CV.  Among their embellishments were a 1st class degree from Cambridge, a distinction in their common professional examination, and a forged reference. In reality, they had been debarred the previous year due to a series of offences.

 

Effective pre-employment screening may have prevented these situations.

 

Government Baseline Personnel Security Standard (or BPSS) and BS7858 (on screen text only)

 

The 'Baseline Personnel Security Standard', shortened to BPSS, and generally referred to as the ‘Baseline Standard’, aims to provide, by application of a common ‘standard’, an appropriate level of assurance as to the trustworthiness, integrity and reliability of prospective employees.

 

Use of the 'Standard' is mandatory in the public sector and will form the first stage of any National Security Vetting requirement. It is required for all civil servants, members of the Armed Forces, and government contractors.

 

Its rigorous and consistent application also underpins national security vetting.

 

The Standard sets the minimum screening period at five years.

 

The following checks are required:

  • Proof of Identity.
  • Proof of Address.
  • Right to Work.
  • 5 year career references.
  • Criminal records checks - unspent only.
  • And, if necessary, a 5 year credit and financial check with address history verification.

 

Prospective employees are required to give a reasonable account of any significant periods (6 months or more during the past 3 years) of time spent outside of the UK.

 

Private sector organisations are recommended to screen to the British Standards Institute’s BS7858 (2019). This represents basic security checks to allow organisations to satisfy themselves that applicants are who they say they are, are legally entitled to work in the UK, and pose no risk to the organisation.

 

Be aware that an organisation may be fined if immigration and 'right to work' checks are not completed correctly. They are a legal requirement.

 

It is an offence to employ a person aged 16 or over who does not have the necessary immigration status to work in the UK. The Immigration Act 2014 imposes a maximum fine of up to £20,000 per illegal worker. And, for repeat offences, up to 2 years imprisonment and/or an unlimited fine.

 

Employers can check the latest information on right to work in the UK by visiting Visas and Immigration on www.gov.uk, where there is a tool that can help.

 

The checks in blue on screen constitute the BPSS. This is the same for full time staff, part time staff and contractors. As you can see, some checks are good practice whilst others are dependent upon the role.

 

Criminal Convictions (on screen text only)

 

When considering criminal convictions, it helps to obtain detail and context. When was it? Was it a one off? The decision and risk rests with the employing department. Seek legal advice if you are unsure.

 

Finance Checks (on screen text only)

 

Remember, financial checks may not be relevant for every role. But if they are relevant, consider what information you are looking for. What do you want to establish? Do you need to do credit checks, County Court Judgement checks, or Bankruptcy checks?

 

And finally, remember that you need to obtain 5 years’ worth of previous employment and educational records. But, be prepared for limited information, especially from past employers.

 

Overseas Checks (on screen text only)

 

We will now look at screening for applicants who have previously lived overseas.

 

Overseas checks can often be difficult and time consuming. You should therefore set a threshold for when they are required, and factor this into your organisational risk assessment process. For example, how long does somebody have to have been resident overseas to qualify for checks in your organisation? Is it 3 months? 6 months? Your procedures must be reflected in your Employment Screening policy.

 

Organisations should consider that local difficulties may complicate things. For example, local jurisdiction, local data protection laws, and what information can and cannot be passed. There may also be language difficulties, and differing standards of record keeping.

 

And, once you have some results, they may be difficult to interpret. What information are you actually getting? If translation of documents is required, who does this? Be sure to verify the translation, especially if a translation is supplied by the applicant.

 

Because checks, particularly overseas checks, can be lengthy, an applicant may be able to have temporary or managed access, based on the risk, whilst undertaking the required checks.

 

But, there may be circumstances where it might not be possible to employ the applicant, when checks cannot be carried out or assurances gained by other means. This should not reflect on the honesty or integrity of the applicant but be clearly related to the role-based risk assessment for the duties they will be undertaking.

 

There are various documents you can request, including:

  • Proof of residence.
  • Visa and passport stamps.
  • Employee and academic references.
  • Proof of itinerary.
  • References from UK departments or agencies based overseas.
  • Character references.
  • And, bank statements.

 

You can also conduct your own checks, including contacting the relevant country’s UK embassy, or the UK representation in the relevant country. They should be able to advise on what enquiries you will be able to undertake and what you will receive.

 

You could consider outsourcing to local suppliers, as they will have knowledge of the country and should be able to overcome the obstacles we have discussed. However, remember your organisation owns the risk and therefore must be confident in what you outsource.
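Two of the thresholds in this module are mechanical enough to check from an applicant's declared history before any enquiry is made: the five years of career history (with its gaps), and the periods of six months or more spent outside the UK within the past three years that trigger overseas checks. The code below is an added illustration, not a CPNI tool; the applicant history, the 31-day gap tolerance and the reading of 'six months' as 183 days are constructed assumptions, and an organisation would substitute the threshold it wrote into its own screening policy.

```python
"""Screening-history checks: career gaps and overseas residence.

Added illustration, not a CPNI tool. Implements two thresholds from the
module: five years of career history, and periods abroad of six months or
more within the past three years. The history below, the 31-day gap
tolerance and the 183-day reading of 'six months' are constructed assumptions.
"""
from datetime import date, timedelta

SCREENING_YEARS = 5            # BPSS: career history window
OVERSEAS_WINDOW_YEARS = 3      # BPSS: periods abroad in the past 3 years ...
OVERSEAS_THRESHOLD_DAYS = 183  # ... of 6 months or more (assumed ~183 days)
MAX_GAP_DAYS = 31              # assumption: longer gaps need an explanation
TODAY = date(2022, 5, 1)       # fixed so the example is reproducible

# Constructed applicant history: (start, end, label); end None = ongoing.
EMPLOYMENT = [
    (date(2017, 1, 9), date(2019, 3, 31), "Acme Ltd"),
    (date(2019, 9, 2), date(2021, 12, 31), "Globex plc"),
    (date(2022, 1, 10), None, "Initech"),
]
RESIDENCE = [
    (date(2016, 1, 1), date(2019, 8, 31), "UK"),
    (date(2019, 9, 1), date(2020, 6, 30), "DE"),
    (date(2020, 7, 1), None, "UK"),
]


def _window_start(today, years):
    # 29 Feb has no anniversary in most years; fall back to 28 Feb.
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def _clip(start, end, window_start, today):
    """Clip [start, end] to [window_start, today]; None if nothing remains."""
    end = today if end is None else min(end, today)
    start = max(start, window_start)
    return (start, end) if start <= end else None


def _days(start, end):
    return (end - start).days + 1   # inclusive of both ends


def career_gaps(employment, today=TODAY, years=SCREENING_YEARS,
                max_gap_days=MAX_GAP_DAYS):
    """Uncovered intervals inside the screening window longer than the
    tolerance: before the first job, between jobs, and after the last one."""
    window_start = _window_start(today, years)
    candidates = []
    covered_to = window_start - timedelta(days=1)
    for start, end, _ in sorted(employment, key=lambda j: j[0]):
        candidates.append((covered_to + timedelta(days=1), start - timedelta(days=1)))
        covered_to = max(covered_to, today if end is None else end)
    candidates.append((covered_to + timedelta(days=1), today))
    gaps = []
    for gap_start, gap_end in candidates:
        clipped = _clip(gap_start, gap_end, window_start, today)
        if clipped and _days(*clipped) > max_gap_days:
            gaps.append((clipped[0], clipped[1], _days(*clipped)))
    return gaps


def overseas_periods(residence, today=TODAY, years=OVERSEAS_WINDOW_YEARS,
                     threshold_days=OVERSEAS_THRESHOLD_DAYS, home="UK"):
    """Runs of consecutive non-home residence inside the window that reach the
    threshold. Adjacent records abroad are merged, so a move from one country
    straight to another still counts as one continuous period outside the UK."""
    window_start = _window_start(today, years)
    runs = []   # [countries, start, end]
    for start, end, country in sorted(residence, key=lambda r: r[0]):
        if country == home:
            continue
        clipped = _clip(start, end, window_start, today)
        if clipped is None:
            continue
        if runs and clipped[0] <= runs[-1][2] + timedelta(days=1):
            runs[-1][0].append(country)
            runs[-1][2] = max(runs[-1][2], clipped[1])
        else:
            runs.append([[country], clipped[0], clipped[1]])
    return [(tuple(c), s, e, _days(s, e)) for c, s, e in runs
            if _days(s, e) >= threshold_days]


def screening_flags(employment=EMPLOYMENT, residence=RESIDENCE, today=TODAY):
    """Everything the screener must ask the applicant to account for."""
    return {"career_gaps": career_gaps(employment, today),
            "overseas": overseas_periods(residence, today)}


if __name__ == "__main__":
    print(screening_flags())
```

On the constructed history the applicant has a five-month gap between Acme and Globex that needs explaining, and ten months in Germany inside the three-year window that cross the overseas threshold; the nine-day gap at the start of 2022 falls under the tolerance and is not raised.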

 

Social Media Searches (on screen text only)

 

Organisations may also consider conducting social media searches as part of their employee screening processes. If conducting checks of an individual’s online profile, they must be necessary, proportionate and transparent.

 

If the employer has no justifiable reason to do internet checks, then they should not be done, and only online information which is publicly accessible should be researched.

 

If your results are recorded, they must be kept securely and only for as long as there is a business requirement, and, most importantly, be compliant with data protection legislation.

 

You should be aware of potential risks inherent in online social media searches, including:

 

  • The need to ensure information is related to the right person.
  • Whether the applicant presents themselves differently online to how they come across in real life?
  • Being mindful of third-party views and opinions, as well as your own personal opinions and unconscious bias.
  • Being clear on who is to conduct the checks, and what you are looking for.
  • And, ensuring your approach is consistent and following your policy.

 

CPNI recommends that you do not reach a decision on whether to employ an individual based solely on the results of media searches. These must be added to all other information at your disposal to reach a fair and balanced decision.

 

Further information on the relevant legislation that applies to Employment Screening can be found within the ‘employing people’ section of the gov.uk website.

 

Contractor Screening (on screen text only)

 

Now let’s consider Contractor Screening.

 

Contractors should be risk assessed and screened according to the same process as permanent staff. The risk assessment should ensure that the level of employment screening carried out for any contractor reflects the level of access and responsibility associated with the role and that of a permanent employee undertaking a similar role.

 

All employment screening requirements should be embedded into your contract, i.e. the level of screening required, who undertakes screening, thresholds for adverse traces, and re-engagement.

 

And, systems must be in place to confirm the contractor arriving for work is the same person supplied by the contracting company or agency.

 

If you cannot screen to the same standard as permanent staff, consider managed or controlled access or supervision, zoned access, or distinguishable staff passes as part of your mitigation measures.

 

Organisations should have the right to audit their contractors to ensure they are screening and conforming to your requirements. Before you conduct an audit you should agree the purpose of the audit and the terms of reference. You should also provide reasonable notice and ensure the audit process is independent and transparent.

 

If you re-engage a contractor, some level of checking, proportionate to the level of risk the role presents, is recommended to ensure the contractor poses no greater threat to the organisation than before. This may range from a short series of questions confirming the contractor’s current circumstances, to a repeat of the entire screening process. This process should be cascaded throughout the entire sub-contracting chain.

 

Employment Screening after recruitment (on screen text only)

 

Screening should not end once an applicant has gained employment. Repeat screening may be necessary during employment if the employee gains more access to sensitive roles and assets. These are some of the circumstances which may necessitate additional screening:

 

  • Passing a probation period.
  • Additional responsibility being given to them.
  • Moving to a new role with a higher risk profile.
  • And, achieving promotion.

 

But, there will be others. As part of a role-based risk assessment, additional screening might be required, for example checking qualifications again, references, and National Security Vetting.

 

Document Verification (on screen text only)

 

Let's now consider document verification. This is the process of ensuring that documents presented by prospective employees are genuine and that the holder is the rightful owner. Document verification is an integral part of the Pre-Employment Screening process and therefore should be integrated within your wider Employment Screening policies.

 

When examining documents, we are attempting to verify authenticity, or more specifically whether or not:

 

  • The document holder is an Imposter - where the document is genuine but the holder is not its rightful owner, merely someone who looks like them.
  • The document is a counterfeit document, which is a document made from scratch to resemble an officially issued document.
  • The document is a forgery – which is a genuine document which has been altered, perhaps by substituting a photograph.
  • Or whether the document is a complete fantasy. These are documents with no authority and which are not officially recognised. They may have the physical appearance of a passport, identity card or driving licence, but are not an acceptable statement of either identity or nationality.

 

Also, it is possible that the holder has obtained a genuine document but through a fraudulent process.

 

Organisations should consider the training needs of staff undertaking document verification. You should consider:

  • How much training/experience do they already have?
  • What training do they require?
  • And, how frequently should this training be repeated?

 

Also, consider what equipment should be made available to support staff in their role – for example you may wish to consider the use of magnifiers and UV light sources.

 

‘Look, feel and examine’ is an approach your organisation is encouraged to take when verifying documents:

 

  • First and foremost, Look. Is the person in front of you the same as the person in the document photograph? Check facial features.
  • Does the document appear to have been tampered with or taken apart? Check stitching, page alignment and the laminate. Also, check there are no missing pages. Pages may have been removed in order to hide an individual’s travel history – i.e. visa stamps.
  • Now Feel. Passports and driving licences contain a security feature known as ‘intaglio printing’ which results in the ink having a rough and raised feel when running your hand over parts of the document.
  • And finally, Examine. You should make use of the equipment you have available to support the detailed examination. This could include looking for security features that appear or react under UV light, such as high-quality watermarks, holograms, security threading and stitching, security fibres, and security printing techniques such as laser perforations.
 

It is important staff involved in the document verification process are aware of your organisation’s reporting procedures should they have concerns regarding the documentation being presented to them.

 

For full detail on security features when verifying documents, please visit the Employment Screening Pages on the CPNI website.

 

Here are some top tips for conducting effective document verification.

  • Only accept secure ID documents – ones with security features, like passports and ID cards.
  • Compare with an example of a known original document.
  • Only accept originals (not copies). If it is only possible to initially view an electronic version of a document, then note this, and ensure that you examine the original document as soon as possible.
  • Make a copy or scan the original document, being sure to ask permission first.
  • Establish a routine when checking, i.e. look, feel, examine. Look for more than one security feature.
  • And, of course, check the photo ID is a good likeness for the person presenting the documents, considering age and facial features.

 

So, as we start to conclude the 5th of the Insider Risk modules, let's summarise the key points we've covered. We've explained:

 

  • The purpose of 'Employment Screening' in the context of insider risk.
  • The 'Government Baseline Personnel Security Standard' (or BPSS) and BS7858.
  • What checks and enquiries can be done.
  • The screening throughout employment requirements.
  • And, the essentials of Document Verification.

 

It is important to recognise that Employee Screening alone will not mitigate all insider risks, but a holistic approach to security, drawing upon a range of mitigations, will provide the most effective way to reduce this risk.

 

So, join us for the next module in the Insider Risk series where we will consider 'Ongoing Personnel Security'.

 

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Ongoing Personnel Security

This is the 6th module within our series of nine about Insider Risk. The learning objectives for this module are to understand effective on-going personnel security practices for countering the insider threat, specifically the role of management, the induction, reporting mechanisms, technical and physical measures and exit procedures.  

Welcome to the 'Insider Risk: Ongoing Personnel Security – a continuous process' CPNI learning module.

 

This is the 6th module within our series of nine about Insider Risk.  We encourage you to complete all nine modules so you have a comprehensive overview of this important subject.

 

Let's start by looking at the learning objectives for this module.

 

  • To understand effective on-going personnel security practices for countering the insider threat, specifically:
  • The role of management.
  • The induction.
  • Reporting mechanisms.
  • Technical and Physical Measures.
  • And, exit procedures.

 

If pre-employment screening is an effective way of mitigating insider risk, why have ongoing security measures?

 

Here are the thoughts of a US Defence Official:

 

“…all of the spies that have been caught…passed background checks.  They all decided, at some point, that they were going to do something that they had agreed not to do or swore not to do, and they broke their promise…a background check will not predict future behaviour.”

 

This is why we should be concerned, and why on-going personnel security is so important.

 

Personnel security should extend beyond recruitment for the following reasons:

 

  • Pre-employment screening can never be 100% effective.
  • People's attitudes, loyalties and circumstances change over time.
  • The opportunity to cause harm may increase as staff move into more trusted and/or sensitive roles.
  • Staff moving positions may accumulate unnecessary access, such as to information, sites and systems.
  • And, because it assists in the prevention and identification of insider activity.

 

Many insider cases involve employees who had been employed for some time and had not originally joined their organisation with any malicious intent.

 

CPNI’s Insider Data Collection Study identified that the majority of insider cases are self-initiated - or in other words, the individual saw an opportunity to exploit their access once they were employed, rather than seeking employment with the intention of committing an insider act. So, longevity of employment does not always mean loyalty.

 

Effective Ongoing Personnel Security Practices (on-screen text only)

 

Insiders are diverse and unpredictable, and no single set of countermeasures can guarantee protection.

 

However, there are some simple and effective ongoing personnel security measures which will help mitigate the insider threat, such as:

 

  • A strong security culture in which a work environment is established, where people take personal responsibility for contributing to security through their everyday activities and interactions in the workplace.
  • An appropriate set of personnel security policies that are clearly communicated across the workforce.
  • Robust monitoring - to identify unauthorised activity/access to sites and systems.
  • Established investigative procedures - where concerns raised about an employee are responded to with proportionate and appropriate steps to resolve any issues.
  • A security awareness and training programme that extends across the whole workforce.
  • And, good induction and exit procedures.

All of these measures need to be endorsed by organisational seniors to encourage a workforce to be an effective part of your security posture.

 

The Induction (on-screen text only)

 

The induction of new joiners is a key entry point at which their perception of security in the organisation is formed. 

 

It provides an opportunity to outline the organisation’s security measures and procedures, demonstrate the organisation’s commitment to them, and allow new staff to understand what is expected from them.

 

You can embed the desired security mind-set and behaviour in your employees from the outset, which is important in building and maintaining a good security culture.

 

Make the security messages at induction meaningful and relevant, focussing on the first 12 months of the employee lifecycle.

 

Take a look at 'Security Messages for New Joiners' to learn more.

 

Organisations should implement a security training and awareness programme for all staff. Staff should have a clear understanding of the threats the organisation may face, which will help ensure the actions and behaviours required of staff are understood and more likely to be adopted. Your organisation is likely to have core security training for all staff, no matter what role they are in, with tailored training for staff dependent on their role.

 

The Role of Management in Good Security (on-screen text only)

 

Disaffection is an important motivating factor in most insider cases. Managers therefore play a key role in influencing staff behaviours, and are usually best positioned to detect behaviours of concern at an early stage.

 

As the 'Insider Data Collection Study' says:

 

“…in many insider cases there was an element of disaffection displayed by the employee. This ranged from being the main reason for the employee deciding to commit an insider act, to simply being disengaged from their employer and therefore not feeling committed to their organisation."

 

Managers therefore have a role to play in helping:

  • Reduce levels of disaffection – through intervention and aftercare.
  • Promote good security behaviour.
  • And, address and resolve concerns about staff.

 

Managers should take an ongoing interest in their staff, including who they are and their issues, both relating to their job roles and also their welfare.

 

As James Turner from the Australian Information Security Association says:

 

“It’s not enough to vet a person, it’s not enough to interview them well; it’s not enough to know their background.  You’ve actually got to take an ongoing interest in who they are and what they’re dealing with on an ongoing basis.  If someone had been interested in Snowden all through this period of time, the flags would have been raised.”   

 

Here are some of the potential indicators of concern that a line manager should be looking for in their staff, but remember these should never be used in isolation or to discriminate against an individual:

 

PERSONALITY TRAITS

Significant signs that have a clear and negative impact on work and/or colleagues, including but not limited to:

  • Self-importance.
  • Self-entitlement.
  • Arrogance.
  • Amoral and Unethical behaviour.
  • Superficial behaviour.
  • Restlessness and impulsiveness.
  • Lacking conscientiousness.
  • Manipulative behaviour.
  • Or, appearing emotionally unstable.

 

LIFESTYLE AND CIRCUMSTANTIAL VULNERABILITIES

Where frequent and/or clear signs are shown which had a significant negative impact, such as:

  • Poor work attitude.
  • Signs of stress.
  • Exploitable or vulnerable lifestyle.
  • Or, recent negative life events.

 

WORKPLACE BEHAVIOURS

Where frequent signs were shown and the employee was unlikely to have an adequate explanation, such as:

  • Unusual IT activity.
  • Unauthorised handling of sensitive material.
  • Or, committing security violations.

 

Here is an example of a case of an insider who left his job in the defence industry. Some months later he emailed sensitive military information, including classified information, to people who had no authority to see it. He also claimed to have shared the information with ‘hostile’ states. 

 

The insider had become disillusioned with British authorities. After suffering two alleged homophobic assaults, he accused the local police force of failing to investigate or classify the attacks as hate crimes. The experience led him to carry weapons when he went out in public.  A few years later he was detained for psychiatric assessment and later handed a suspended sentence for having a hammer and machete in public. At this stage he was still working in the defence sector. 

 

In an email, the insider explained: “If the nation does not care for my security then why should I care for national security?"

 

In this case there were a number of behavioural indicators which might have been recognised by line managers, including negative life events and signs of stress. Early management intervention may have altered his negative mindset and removed him from the pathway to an insider act.

 

Reporting Mechanisms (on-screen text only)

Organisations should consider what reporting mechanisms are in place for employees to report concerns about security issues or unusual behaviour. The mechanisms you have in place should be seen as a facilitator to reporting and not a blocker – for example, your organisation may encourage staff to report to their line manager via an app through which reports can be submitted with ease, or via a confidential reporting line if the staff member feels they can only report their concerns anonymously.

But, in order for this to work effectively, everyone across the workforce must be educated about insider risk and why it is crucial to report concerns for the security of the organisation, colleagues and the public.

Organisation seniors have an important role to play in overcoming the barriers that stop staff feeling comfortable about reporting. They should communicate the important role that staff play in the security of the organisation and so ensure staff feel encouraged to report something that doesn’t feel right.

A simple means of identifying potential insiders is to set up a confidential way for employees to report concerns about security issues or unusual behaviour. This also gets staff to think about what is going on around them and helps them feel supported in reporting problems or concerns. But, of course, be wary of malicious reporting. You should investigate all reports fairly and proportionately.

Insider acts can often result from a failure of management to act on behaviours of concern in the workplace. Contributing factors include:

  • The fact it’s time consuming to act.
  • The manager may not feel supported.
  • And, they don’t understand what they are being asked to sign off.

CPNI has a range of materials reassuring line managers and colleagues that it is ok to report unusual and suspicious behaviour. The message is simple - when unusual and unexpected behaviour is observed, it needs to be reported.

Technical and Physical Measures (on-screen text only)

A role-based access policy limits an employee’s access rights within an organisation according to their job activities. There are a range of ways this can be done – some are listed here.

  • 'Need to know' groups.
  • Physical barriers.
  • Effective Security Pass regime.
  • Visitor registration.
  • Removing access when staff move posts.
  • Policies relating to personal devices.
  • And, logging of data removal.

Employee access controls should be proportionate to the scale and nature of the threats faced by the organisation.

Exit Procedures (on-screen text only)

The insider may actually be an employee or contractor who is leaving or has left the organisation. Effective exit procedures will identify any concerns and reduce the risk. Therefore, an employer needs to ask itself some vital questions:

  • Is the person leaving on good terms with the organisation?
  • Are they leaving with their access to key information still in place, i.e. is their IT access cancelled on departure?
  • Can they still gain access to sensitive sites after they have left, i.e. do they still have their passes/access codes?
  • And, do they understand their continuing responsibility to maintain good security?

The case of a contractor in a sewerage company, who became disgruntled after his contract was not renewed, illustrates that damage can be inflicted by an insider after their relationship with the organisation has ended. In this case the contractor retained his remote access to sewage pumps after his contract finished. He was able to cause malicious damage by reversing the flow of sewage into public areas – this was a risk to public health and the environment as well as reputationally and financially damaging to the company.
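As an added illustration of the exit questions above (it is not CPNI material), the following Python reconciles an HR leavers list against IT accounts, remote access grants and site passes, surfacing any access that survived departure in the way the contractor's remote access did. The data model, field names and sample records are constructed for this example.

```python
"""Leaver access reconciliation: check that people who have left (or whose
contract has ended) no longer hold IT accounts, remote access or site passes.

Added example for the exit-procedure questions; the data model, field names
and sample records are assumptions, not a CPNI or vendor format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Person:
    person_id: str
    name: str
    kind: str                  # "employee" or "contractor"
    end_date: Optional[date]   # last day of employment/contract, None if current


@dataclass
class AccessRecord:
    person_id: str
    system: str                # e.g. "AD account", "VPN", "site pass"
    active: bool
    category: str              # "it", "remote" or "physical"


@dataclass
class Finding:
    person_id: str
    name: str
    system: str
    category: str
    days_since_departure: int


def reconcile_leavers(people: List[Person], access: List[AccessRecord],
                      as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return every access record still active for a person whose end date is
    `grace_days` or more before `as_of`. Remote and physical access are reported
    alongside IT accounts because the exit questions cover all three."""
    leavers: Dict[str, Person] = {
        p.person_id: p for p in people
        if p.end_date is not None and (as_of - p.end_date).days >= grace_days
    }
    findings: List[Finding] = []
    for rec in access:
        if not rec.active or rec.person_id not in leavers:
            continue
        person = leavers[rec.person_id]
        findings.append(Finding(
            person_id=rec.person_id, name=person.name, system=rec.system,
            category=rec.category,
            days_since_departure=(as_of - person.end_date).days))
    # Longest-standing residual access first: the most urgent to revoke.
    findings.sort(key=lambda f: (-f.days_since_departure, f.person_id, f.system))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Counts per category, suitable for a stakeholder-group report."""
    counts: Dict[str, int] = {"it": 0, "remote": 0, "physical": 0}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample data (not real people or systems).
AS_OF = date(2022, 5, 13)   # constructed "today" for the reconciliation run
PEOPLE = [
    Person("p001", "A. Current", "employee", None),
    Person("p002", "B. Leaver", "employee", date(2022, 4, 29)),
    Person("p003", "C. Contractor", "contractor", date(2022, 3, 31)),
    Person("p004", "D. Today", "employee", date(2022, 5, 13)),
]
ACCESS = [
    AccessRecord("p001", "AD account", True, "it"),
    AccessRecord("p002", "AD account", False, "it"),       # correctly disabled
    AccessRecord("p002", "site pass", True, "physical"),   # pass never returned
    AccessRecord("p003", "AD account", False, "it"),
    AccessRecord("p003", "VPN", True, "remote"),           # remote access left in place
    AccessRecord("p003", "pump telemetry remote", True, "remote"),
    AccessRecord("p004", "AD account", True, "it"),        # leaves today
]

if __name__ == "__main__":
    for f in reconcile_leavers(PEOPLE, ACCESS, as_of=AS_OF):
        print(f"{f.name:<14} {f.system:<24} {f.category:<9} "
              f"{f.days_since_departure} days after departure")
```

Run against a real HR extract and access registers, the same comparison is only as good as the end dates HR holds, so contractor end dates deserve particular attention.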


So, as we start to conclude the 6th of the Insider Risk modules, let's summarise the key points we've covered. We've explained:

  • Effective on-going personnel security practices for countering the insider threat, including:
    • The role of management.
    • The induction.
    • Reporting mechanisms.
    • Technical and Physical Measures.
    • And, exit procedures.

Join us for the next module in the Insider Risk series where we will consider 'Investigations'.

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Investigations

This is the 7th module within our series of nine about Insider Risk. This module looks at understanding good practice before, during and after conducting a security investigation to resolve suspicion about a member of the workforce, understanding reporting mechanisms linked to these investigations, providing an overview of interview considerations and considering relevant employment law.

Welcome to the 'Insider Risk: Security Investigations' CPNI learning module.

This is the 7th module within our series of nine about Insider Risk. We encourage you to complete all nine modules, so you have a comprehensive overview of this important subject.

Let's start by looking at the learning objectives for this module.

  • To understand good practice before, during and after conducting a security investigation to resolve suspicion about a member of the workforce.
  • To understand reporting mechanisms linked to security investigations.
  • To provide an overview of interviewing considerations.
  • And, to consider relevant employment law and how to be mindful of the individual’s rights throughout the process.

BREAKER SLIDE: Why is a security investigation necessary?

All organisations will at some point need to conduct a security investigation into alleged malicious activity by a member of their own workforce. In previous modules we have described the kind of harmful activity that could be conducted by an insider.

There are numerous sources of information that might first alert an organisation to a possible insider. These will vary depending on the maturity of personnel security processes within the organisation. Here are just a few examples:

  • Hotlines, either e-mail or phone.
  • Reports received from staff.
  • Protective monitoring or an electronic audit.

Remember, the information you receive might not always be about an identified individual: it could be about an unidentified individual acting suspiciously. Or the information could relate to a possible insider incident where the perpetrator is unidentified.

Whatever information is received, it is unlikely to be the entire picture. So, the organisation will need to conduct a security investigation to understand the potential insider threat and risk to the organisation.

BREAKER SLIDE: Considerations once suspicions are raised

When assessing the information received, consider:

  • Whether it could be malicious reporting.
  • Whether there could be an innocent explanation for the suspicious activity.
  • Whether the reported actions are actually unauthorised. An organisation should have clear policies outlining what is and isn’t authorised, and these should be communicated across the whole workforce.
  • Whether the activity could be deemed unlawful and therefore require the involvement of law enforcement agencies.
  • And, whether organisational procedures have been adhered to.

The investigation should be led by an experienced investigator who does not have a connection to the case. This person should have a thorough knowledge of the organisation’s security policies and procedures, an understanding of the principles of good personnel security, and experience of conducting formal and informal interviews.

Knowledge of the information that has been received, and of the investigation itself, should be treated as extremely confidential and tightly held. At this point it is also recommended that an organisation ensures it has adequate information handling procedures to protect sensitive information and to limit knowledge of the investigation to a small circle of people who have a ‘need to know’.

At the outset, there should be a clear purpose and scope for the investigation. An organisation’s lawyer should be consulted on the plan for the investigation. This will help ensure that decisions and actions undertaken as part of the investigation are proportionate, relevant, focussed and lawful.

BREAKER SLIDE: Next steps

If you are dealing with information relating to an identified individual, the organisation should always consider the risks associated with their position through a role-based risk assessment, as described in module 4 of this series. For instance, the organisation should establish what accesses they have and whether they have the opportunity to conduct an insider act.

The organisation can carry out an initial investigation to determine whether further action is necessary. Depending on the seriousness of the issue, and giving consideration to whether any investigation needs to remain covert, the organisation could conduct an interview to establish the facts.

The organisation might judge that the information received is concerning or serious enough to justify further investigation. If an investigation is required, even informally, it is important that this is legally sound and that internal processes are adhered to. Otherwise, this may compromise the integrity of the case against the employee if it later becomes more serious and requires police involvement, or if the outcome is challenged in an employment tribunal.

This is also an opportunity to carry out a general overview of security arrangements in the organisation, seeking to increase compliance with existing measures.

BREAKER SLIDE: Use of the interview during an investigation

If deemed appropriate, an interview can provide an opportunity for an explanation, and for assurance to be secured quickly if there is an innocent explanation.

When conducting an interview, staff may be accompanied by a union or staff representative, but not an external lawyer.

The investigator should plan the interview but remain open-minded and neutral. Remember, the interview is not an interrogation. Building rapport from the outset will make the interviewee feel more comfortable in providing accurate information. The strategy should be to ask open questions and get the interviewee talking so that they generate information. The more information obtained, the more likely it is that it can be verified for truthfulness. A written record of the interview should be drafted and signed by the employee and the interviewer.

But remember, it may not be appropriate to conduct an interview straight away if:

  • The information received relates to a serious breach, which necessitates further formal investigation to gather the facts and better understand the threat and risk. In this case, an interview might undermine the investigation or be more appropriate later, after investigative actions have been undertaken.
  • There is a need to remain covert, especially if law enforcement agencies are involved.
  • Or, because an interview isn't possible as the information relates to an insider incident by an unidentified perpetrator, and the investigation is aimed at identifying the perpetrator.

BREAKER SLIDE: The Investigation

Should further investigation be required, these are some of the key aspects to keep in mind:

  • Decide whether the investigation should be overt or covert. If overt, then the employee should be informed in writing. If covert, this will need to be authorised by a senior manager responsible for security.
  • Keep original documents relevant to the investigation securely until all related appeals and legal challenges are concluded.
  • And finally, consider who needs to be informed and involved. This could be key colleagues within your organisation, such as a senior manager or a colleague in HR. Or it could be an outside agency, such as the police. Often, the earlier the engagement, the better.

The investigator should act as a hub, deciding what information is required, requesting and then collating that information, continually determining what the overall picture means in relation to the threat and risk, and deciding what further actions may be necessary.

All actions should be proportionate to the threat or risk involved.

Information may be obtained from HR or other data sources, depending on what is available within the organisation.

More intrusive actions might involve covert monitoring, which may be justified if a serious security breach is suspected. But be sure to consult lawyers first. One form of covert monitoring is IT protective monitoring. There is more on this in the next module in the Insider Risk series.

Another intrusive measure is a search - for instance, of the suspect’s desk, locker, or the suspect themselves. Ensure searches are in line with existing organisational policies. Searches should be in the presence of an independent witness, such as a member of HR. Keep a full record of everything found. Anything removed should be recorded and signed for by the witness.

And collect any evidence and handle it appropriately and securely. The findings of the investigation should be written up in a report, providing an unbiased factual account, which can be presented to a disciplinary panel for decision.

BREAKER SLIDE: Employment Law

Organisations should react proportionately when they have concerns - employees have the right not to be discriminated against and a right not to be unfairly dismissed.

Remember protected characteristics – age, religion, disability, race, gender reassignment, maternity and marriage or civil partnership, sex and sexual orientation. Do not discriminate.

An internal security investigation is not a criminal enquiry. The burden of proof will be on the “balance of probabilities” and not “beyond reasonable doubt”, and there may be different rules for employees based outside the UK. An organisation is advised to seek internal legal advice at the planning stage of an investigation on how to proceed lawfully.

Employers should comply with existing procedures, and investigation actions and enquiries must be recorded to show why they were necessary and proportionate, and what the outcomes were. Evidence must be carefully collected and collated. This could be from a face-to-face interview, protective monitoring, or physical searches in accordance with UK legislation.

If the investigation concludes there is no case to answer, then there should be no further action. Furthermore, if an allegation against an employee is thought to be malicious, then it might be appropriate to take further action against those who raised the allegation.

A police investigation may be required if a criminal act has taken place. An internal investigation can continue alongside a police investigation, and, if necessary, the employee can be dismissed following the organisation’s procedures before any criminal case is concluded.

BREAKER SLIDE: After the security investigation

At the conclusion of a security investigation there should be a review of the case by members of the organisation’s Insider Risk Stakeholder Group, and a risk assessment undertaken to mitigate any new vulnerabilities identified by the investigation.

With this in mind, consider whether you have a security culture in which ‘It’s ok to say’. If not, CPNI’s It’s Ok To Say programme can advise you on how to raise awareness about suspicious workplace behaviour and develop a robust reporting system in your organisation.

And finally, CPNI recommends exercising a security investigation based on a realistic insider scenario. This will ensure that the organisation is well prepared should an insider event be reported and an investigation be required in future.

So, as we start to conclude the 7th of the Insider Risk modules, let's summarise the key points we've covered. We've explained:

  • Good practice before, during and after conducting a security investigation to resolve suspicion about a member of the workforce.
  • Reporting mechanisms linked to security investigations.
  • An overview of interviewing considerations.
  • Relevant employment law and how to be mindful of the individual’s rights throughout the process.
  • And finally, the importance of recording all investigation actions, decisions and outcomes, and implementing lessons learned.

Join us for the next module in the Insider Risk series where we will consider 'Employee Monitoring'.

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Employee Monitoring

This is the 8th module of nine about Insider Risk. The learning objectives are to understand the importance of employee monitoring and where employee protective monitoring might be useful as part of protecting critical assets and systems.

Welcome to the 'Insider Risk: Employee Monitoring' CPNI learning module.

This is the 8th module of nine about Insider Risk. We recommend that you complete all nine modules for a comprehensive overview of this important subject.

Let's start by looking at the learning objectives for this module.

  • To understand the importance of employee monitoring as part of a holistic insider risk mitigation programme.
  • And, to understand when and where employee protective monitoring might be useful as part of protecting critical assets and systems, either through identifying individuals of concern or as part of an investigation into an already identified potential insider.

BREAKER SLIDE: Why is employee monitoring important?

A programme of monitoring and review should be in place to enable potential security issues, or personal issues that may impact on an employee's work, to be recognised and dealt with quickly and effectively throughout their career, before the issues can grow to be very serious.

Interventions such as line manager interviews and reports, plus staff reports of suspicious behaviour to security hotlines (as covered in previous modules), form an important part of an employee monitoring programme. Where it is appropriate for the role, a vetting review provides a mechanism to monitor staff annually, and IT protective monitoring can continually oversee the workforce’s use of electronic systems. Failure to do these activities can lead to an insider act.

For example, a major UK supermarket suffered a data breach in 2014 when a disgruntled former internal auditor published online the details of nearly 100,000 employees, including National Insurance numbers, birth dates and bank account data. Under GDPR laws, there is a very strong emphasis on organisations having technical and organisational measures in place to ensure compliance and keep data secure. This insider act caused reputational damage and was reported to have cost the employer £2 million to rectify.

BREAKER SLIDE: Employee protective monitoring

During the previous ‘Investigations’ module, we looked at ways suspicious employee behaviour might be identified. One source of that information is electronic auditing. Protective monitoring, when used appropriately, is an important element of both pre-emptively spotting concerning behaviour and resolving suspicions as part of an investigation.

Protective monitoring has a number of functions.

Firstly, it feeds into a risk assessment. Not everything will automatically be monitored and analysed - legacy systems may not even have the capacity to produce audit logs. You will need to know what the high-risk roles are so that you can assess the level of monitoring that is appropriate and proportionate to the risk associated with that role.

There is a critical difference between having a system that is audited and having analysts who actually analyse the data from that system. Organisations should be under no illusion that just because an IT system is audited, someone is actively looking at the logs – there is rarely enough resource to do that, hence the need to understand the priority systems and roles by conducting a risk assessment.

Secondly, IT protective monitoring has an important role in any Insider Risk investigation. Protective monitoring can help:

  • Identify the IT accesses of a suspect, to help the investigator assess risk.
  • Provide enhanced monitoring where it is appropriate, for example at the point an employee resigns and is exiting the organisation.
  • And, identify unauthorised activity, providing context to suspicious or concerning activity, and providing assurance around an individual of concern.

Consider what the retention rules are for the data in question. They should be proportionate. And remember, protective monitoring may be evidential, and may therefore need to be reported to a law enforcement agency.

Protective monitoring has a role to play in on-going ‘information and personnel assurance’. Your 'Insider Risk Stakeholder Group' will set thresholds and triggers based on insider threat indicators associated with the risks outlined by the business.

Protective monitoring does NOT prevent unauthorised behaviour on the IT systems – it can deter and detect it, but other technical controls (e.g., access controls) are required for prevention.

And finally, IT protective monitoring has a role in reinforcing security culture, because it can be a deterrent if communicated in the right way.

For instance, protective monitoring could be included in any lessons learnt from investigations, so that positive outcomes can be communicated to employees, making them aware that they are monitored and that breaching policies does have consequences.

It is, however, important to strike a balance between communicating incident outcomes and not illuminating where gaps may lie in protective monitoring coverage.

Your organisation may wish to consider promoting, through your internal communications, the positive use of systems – let people know that they can contact protective monitoring if they are unsure about an action they’re performing on the IT systems, or that they can report suspicious behaviour.

Make sure there is a balance between the positive and negative messaging, and always emphasise that protective monitoring is there to protect employees and the organisation, NOT to spy on them.

BREAKER SLIDE: Combining sources of data

Protective monitoring should combine internal employee monitoring and external threat monitoring. It is defined as:

‘…a set of people and business processes and technology to improve…visibility and provide an understanding of who is accessing your organisation’s sensitive data’

It might be easy to see that ‘external threat monitoring’ is quite separate from ‘internal employee monitoring’. However, sometimes there is significant overlap between the two, such as spear-phishing recipients or people who’ve plugged in an unauthorised device. This is why you should involve both areas under the banner of ‘Protective monitoring’.

A protective monitoring analyst is likely to have a number of systems sending data to them. The challenge is to make sense of it - to ‘clean’ the data so that, for example, user-attributable actions can be differentiated from automated system actions. You do not want to challenge an employee for breaking the rules if it was, in fact, a system process that performed the action.

It is important to use a combination of data types with other information sources, such as from HR, security and policy, in order to obtain the best picture of the risk profile of individuals and to progress an investigation.

BREAKER SLIDE: When to utilise protective monitoring in an investigation

A key question is whether you enhance the IT monitoring of an individual who is undergoing an investigation.

It would probably be wise to begin this enhanced monitoring BEFORE they are approached by a manager or member of the investigations team. This will help the IT analysts establish a baseline, i.e., what their normal day-to-day behaviour is.

You could, however, consider it only necessary and proportionate to enhance the monitoring AFTER they have been approached or interviewed. This will then allow IT analysts to see if anything unusual happens as a result of this interview, or if any IT breaches occur. It could help to gauge their reaction to being spoken to, for example via email content analysis.
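To show how the data-cleaning point from the previous section and the baseline-before-approach point above fit together in practice (an added example, not CPNI's or any product's code), the Python below parses constructed audit records, sets aside service-account and scheduled activity so that only user-attributable actions are counted, and then compares an individual's daily totals on and after the approach date against a baseline built from the days before it. The key=value log format, the `svc_` naming convention, the threshold rule and the sample records are all assumptions.

```python
"""Protective-monitoring triage: keep user-attributable events, drop automated
system activity, then compare post-approach activity with a pre-approach baseline.

Added example; log format, service-account convention, thresholds and the
sample records are assumptions for illustration, not a CPNI standard.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, List, NamedTuple

# Constructed sample audit records (key=value per line), not from a real system.
SAMPLE_LOG = """\
ts=2022-05-02T09:12:00 actor=jsmith action=file_copy target=removable_media count=3
ts=2022-05-02T23:00:00 actor=svc_backup action=file_copy target=backup_share count=5000
ts=2022-05-03T10:05:00 actor=jsmith action=file_copy target=removable_media count=2
ts=2022-05-03T10:06:00 actor=jsmith action=print target=printer count=12
ts=2022-05-04T08:40:00 actor=jsmith action=file_copy target=removable_media count=4
ts=2022-05-04T23:00:00 actor=svc_backup action=file_copy target=backup_share count=5000
ts=2022-05-05T09:00:00 actor=jsmith action=file_copy target=removable_media count=3
ts=2022-05-06T17:55:00 actor=jsmith action=file_copy target=removable_media count=41
ts=2022-05-06T18:02:00 actor=jsmith action=file_copy target=personal_cloud count=17
ts=2022-05-06T18:10:00 actor=admin_rt action=file_copy target=removable_media count=6 via=scheduler
"""
APPROACH_DATE = date(2022, 5, 6)   # constructed date the individual was approached


class Event(NamedTuple):
    ts: datetime
    actor: str
    action: str
    target: str
    count: int
    via: str          # "interactive" unless the record says otherwise


KV_RE = re.compile(r"(\w+)=(\S+)")
SERVICE_ACCOUNT_RE = re.compile(r"^svc_")        # assumed naming convention
AUTOMATED_CHANNELS = {"scheduler", "cron", "agent"}


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(KV_RE.findall(line))
        events.append(Event(
            ts=datetime.fromisoformat(kv["ts"]), actor=kv["actor"],
            action=kv["action"], target=kv["target"],
            count=int(kv.get("count", "1")), via=kv.get("via", "interactive")))
    return events


def is_automated(event: Event) -> bool:
    """Service accounts and anything run through an automated channel count as
    system activity, so a person is not challenged for what a scheduled job
    did under their name."""
    return bool(SERVICE_ACCOUNT_RE.match(event.actor)) or event.via in AUTOMATED_CHANNELS


def daily_totals(events: List[Event], actor: str, action: str) -> Dict[date, int]:
    """Per-day sum of `count` for one actor's user-attributable events."""
    totals: Dict[date, int] = defaultdict(int)
    for e in events:
        if e.actor == actor and e.action == action and not is_automated(e):
            totals[e.ts.date()] += e.count
    return dict(totals)


class Assessment(NamedTuple):
    baseline_days: int
    baseline_mean: float
    threshold: float
    flagged: List[tuple]      # (date, total) for post-approach days above threshold
    automated_excluded: int   # events of this action set aside as system activity


def assess_after_approach(events: List[Event], actor: str, approach: date,
                          action: str = "file_copy",
                          min_baseline_days: int = 3) -> Assessment:
    """Baseline = days strictly before the approach; days on/after it are
    compared against mean + 3 sd, floored at twice the mean (assumed rule)."""
    totals = daily_totals(events, actor, action)
    before = [n for d, n in totals.items() if d < approach]
    after = sorted((d, n) for d, n in totals.items() if d >= approach)
    excluded = sum(1 for e in events if e.action == action and is_automated(e))
    if len(before) < min_baseline_days:
        # Too little pre-approach data to say what "normal" looks like.
        return Assessment(len(before), float("nan"), float("nan"), [], excluded)
    mean = statistics.mean(before)
    spread = statistics.stdev(before) if len(before) > 1 else 0.0
    threshold = max(mean + 3 * spread, 2 * mean)
    flagged = [(d, n) for d, n in after if n > threshold]
    return Assessment(len(before), mean, threshold, flagged, excluded)


if __name__ == "__main__":
    result = assess_after_approach(parse_log(SAMPLE_LOG), "jsmith", APPROACH_DATE)
    print(f"baseline over {result.baseline_days} days, mean {result.baseline_mean:.1f}, "
          f"threshold {result.threshold:.1f}; {result.automated_excluded} automated events set aside")
    for day, total in result.flagged:
        print(f"{day}: {total} items copied, above threshold")
```

A flagged day is a prompt for the investigator to seek context (a legitimate handover, for instance), not a finding in itself, which is why the function reports the baseline it used alongside the flags.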


BREAKER SLIDE: A holistic approach to employee monitoring

IT protective monitoring will not tell you everything you need to know about your employee. There will likely still be gaps in your knowledge. These gaps can be filled through other measures and sources of information, including:

  • Effective mechanisms for employees to report concerns, as described in the CPNI 'It’s Ok To Say' programme.
  • Line manager interviews and security appraisals.
  • Clear and enforced secure IT operating procedures.
  • Well-managed physical access controls – consider whether individuals have accesses they don’t require, and whether these can be removed. Also, consider remote access permissions.
  • Monitoring of unpredictable searches - it may be possible to see who is attempting to access inappropriate materials, both currently and historically. It may help your IT team to know specific keywords associated with relevant threats so they can set alerts for when people search for them.
  • And, social media monitoring - consider if this is necessary and proportionate for your workforce, and proceed with caution to ensure you do this in a legally compliant manner. You may wish to use social media monitoring for staff who are identified as being of external interest or at higher risk due to the nature of their role, or use keyword alerts for your organisation’s name to see how it is being portrayed in public. Note that many organisations outsource this type of monitoring, so ensure that the third party understands your risks and can respond in a timely manner.

BREAKER SLIDE: Key points

So, as we start to conclude the 8th of the Insider Risk modules, let's summarise the key points we've covered. We've explained:

  • The importance of holistic employee monitoring as part of an insider risk mitigation programme.
  • And, when and where employee IT protective monitoring can be used.

Further information can be found in the "CPNI Employee IT Monitoring Insider Threat" document. This aims to give security personnel something which will improve their awareness of legal issues and enable them to have a more educated discussion with their own lawyers. CPNI cannot provide legal guidance to organisations. Monitoring is always organisation-specific, based on their risk and their own legal framework and policies.

Join us for the next module in the Insider Risk series where we will consider 'Online Personnel Security’.

Thank you for joining us. See you again for future modules from the CPNI Security Series.

Online Personnel Security

Welcome to the 'Insider Risk: Online Personnel Security’ CPNI learning module. This is the 9th and final module in the Insider Risk series. The learning objectives for this module are to consider what personnel security looks like in the digital age, to understand what social engineering is and to know how to mitigate the risks of it.

Welcome to the 'Insider Risk: Online Personnel Security’ CPNI learning module. This is the 9th and final module in the Insider Risk series.

Let's start by looking at the learning objectives for this module.

  • To consider what personnel security looks like in the digital age.
  • To understand what social engineering is.
  • And, to know how to mitigate the risks of it.

BREAKER SLIDE: Personnel Security in a Digital Age

Digital technology is part and parcel of everyday life. It has changed the way many of us work, for the better. But it also opens up new risks. It means more information is available about employees, and sophisticated online adversaries can attempt to access this information through social engineering. This is the process of obtaining information from others under false pretences, based on the creation of an inappropriate trust relationship. This threat can apply to anyone.

Typical examples of techniques used are:

  • Phishing, the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
  • Spear Phishing, which is directed against a specific individual.
  • Trojan Horse, a virus or malware that masks its malicious intentions by making its appearance look harmless and normal.
  • A Road Apple, which is a USB deliberately left outside an organisation for a member of the workforce to take in and put into internal systems.
  • And, free ‘gifts’ such as USB sticks handed out at conferences and exhibitions loaded with malware.

Further information on these techniques and how best to mitigate them can be found on the National Cyber Security Centre’s website.

Organisations should have clear policies in place to protect themselves from the harm caused by online actions and/or views of members of their own workforce, particularly in their use of social media. The online activities of employees can inadvertently impact the operations and reputation of the employer, leading to financial damage for the organisation.

BREAKER SLIDE: The risk from social engineering

Social engineering is the manipulation or exploitation of an inappropriate relationship with an unwitting employee to gain information or access. The person looking to elicit the information will likely look and sound genuine. This can happen face to face or via the internet.

Usually, the employee will be providing information as a legitimate part of their role, but they can be manipulated to provide more than they should, via techniques such as:

  • Flattery.
  • A sense of urgency.
  • Encouraging pity or sympathy.
  • Familiarity.
  • Use of disguise.
  • Importance.
  • And, inferring risk to the employee in not actioning the request.

A malicious approach utilising social engineering techniques looks for anything that will give the hostile an edge, such as a piece of information that allows them to form that inappropriate relationship. They will use the employee’s internet profile to find out:

  • What they do at their place of work.
  • What information they have access to.
  • Who they work closely with.
  • Information relating to their workplace and organisational loyalty, to indicate whether there may be vulnerabilities that can be exploited.

They will also try to find personal details of the employee, such as:

  • Biographical data.
  • Their contact details.
  • Information about their family.
  • And, details of their interests and hobbies.

The social engineer will use this information to:

  • Establish a form of relationship, by exploiting a common factor – such as the same interests, knowledge of colleagues or family.
  • Manipulate a level of trust.
  • And, to take advantage of vulnerabilities, appearing sympathetic or offering help with the expectation of something in return.

For example, by pulling together information from a variety of online sources, a credible email can be constructed and sent to an employee that implies the attached link is from a colleague genuinely known to the employee. But once opened, that link downloads a virus onto the system.

BREAKER SLIDE: Social engineering prevention campaigns

 

CPNI’s Social Engineering campaign starter kit and checklist provide further information to help raise awareness about what social engineering is, what an approach might look like, and how staff can better protect themselves against this type of threat.

CPNI’s ‘Don’t Take the Bait’ campaign focusses on the risk from Spear phishing.

 

Spear-phishing is a type of social engineering using a targeted phishing attack. The attacker might undertake some detailed research on the target to generate a tailored and sophisticated e-mail that increases the chances of the employee giving away some sensitive information. Spotting this type of phishing attack is not easy.  

 

The campaign is intended to dispel the perception that, ‘if something gets through the firewall it is probably genuine’, to encourage staff to report any suspicious activity they encounter, to think before they click, and to recognise the influence techniques that are used in phishing e-mails. 

 

Organisations must ensure that employees know that they can challenge social engineers, reporting suspicions or genuine online mistakes without fear of blame or punishment.  Removing this fear from the employee creates a harder environment for the hostile to operate.

 

Employees have an important role to play in protecting the organisation, but this must be part of an holistic approach. Remember that an organisation needs to work on both technical mitigations and security culture to provide the best protection from those wishing to do harm.

 

‘My Digital Footprint’ is a CPNI campaign to get employees to better understand how the information they post online can be damaging to them, their friends and families and their organisations. The campaign is not about removing yourself from the internet, but rather it’s about managing what’s there - hence the tag line of ‘own it, shape it, monitor it’.

 

  • Own it: refers to knowing what your digital footprint looks like, i.e. what information is out there about you.
  • Shape it: is about shaping your digital footprint into something you and your organisation feel comfortable with.
  • And, Monitor it: is about reviewing your digital footprint on an ongoing basis, as you and others add to it and as social media privacy settings change.

 

There are two booklets available as part of the campaign.  Firstly, ‘A brief guide’, which provides a comprehensive introduction to this subject. And secondly, ‘Tracking my digital footprint’, which provides practical detail on how to actively manage your digital footprint, including further resources and websites that can help you to do this.

 

In addition, CPNI’s ‘Think Before You Link’ campaign will help you to protect yourself, your colleagues, and your organisation from the harmful impact of online malicious profiles that exploit professional networking sites. 

 

The campaign sets out to raise awareness of the threat from hostile states targeting personnel in key roles on social networking platforms to achieve their aims.

 

It provides a simple to-do list which motivates the individual to be vigilant and to act through the 4 R’s: Recognise, Realise, Report and Remove. The campaign also helps the individual avoid becoming a target in the first place.

 

The Think Before You Link campaign is based on the most recent information CPNI has seen on how this threat manifests when social engineering techniques are used. For example, in one instance, a Developed Vetting-cleared ex-civil servant was approached online on a professional networking site, and was eventually recruited and asked to provide sensitive information relating to the UK Government.

 

BREAKER SLIDE: Key points

 

So, as we start to conclude the ninth of the Insider Risk modules, let's summarise the key points we've covered.  We've explained:

 

  • What personnel security looks like in the digital age.
  • What social engineering is.
  • And, how to mitigate the risks of it, including:
    • Ensuring staff are aware of the threat from social engineering.
    • Educating staff to know how to recognise and deal with social engineering approaches – either in person or online.
    • Supporting staff who challenge potential social engineering approaches.
    • Ensuring policies are in place concerning employee use of social media to minimise the risk of manipulation from social engineering, and protect the organisation’s operations and reputation.
    • And, making staff aware of their responsibility to manage their online footprint.

 

Thank you for joining us for this final Module in the Insider Risk CPNI Security Series.  You can find more information on the subject of Insider Risk on the CPNI website.  

The information contained in this document is accurate as at the date it was created. It is intended as general guidance only and you should not rely on it. This information should be adapted for use in the specific circumstances required and you should seek specialist independent professional advice where appropriate before taking any action based on it. To the fullest extent permitted by law, CPNI accept no liability whatsoever for any loss or damage incurred or arising as a result of any error or omission in the guidance or arising from any person acting, relying upon or otherwise using the guidance. Full terms and conditions governing the use of this guidance are available on our website at https://www.cpni.gov.uk/terms-conditions
