CPNI’s Insider Data collection study indicated that some organisations had not made regular or systematic use of their own technical or financial auditing functions to spot irregularities or unusual workplace behaviours.
In other organisations, counter-productive workplace behaviours were known in one part of the organisation, but this was not shared with other sections, resulting in delays in the organisation taking mitigating actions to reduce the risk, allowing insiders to act in the first place, or for some, to continue their activity without detection for longer than necessary.
CPNI advocates a holistic approach to protective monitoring where information about employee risks (physical, electronic audit and personnel data) are brought together under a single point of accountability and governance, to ensure a transparent, legal, ethical and proportionate protective monitoring capability.
This section will help your organisation understand:
- why your organisation should have monitoring and assessment policies and processes in place
- what to have in place to check that all workers (and others) are conforming and complying with your policies and systems
- how to identify individuals who may be posing an insider risk and
- how to prevent the insider risk turning into an insider act.
It's OK to Say
CPNI research and work with organisations has frequently highlighted the issue of under-reporting or a lack of intervention by employees when counter-productive and/or unusual behaviours are observed in the workplace. Such behaviours have often been seen to be pre-cursors to insider activity or welfare issues.
The It's OK to Say programme has been developed on the basis of in-depth end-user research with large organisations across the critical national infrastructure and follows the principles of CPNI’s ‘Embedding security behaviours: the 5 Es’. A number of materials have been produced as part of this programme – organisations should take care to ascertain the pre-requisites before implementation in order to gain maximum impact. We would not, for example, recommend running the animation without setting the context of the threat.