Skip to content

Personnel Security Guidance in Response to the Situation in Ukraine

This guidance can help keep you and your organisations safe during this time of conflict

Last Updated 21 April 2022

Insider Risk Assessment   

Organisations are strongly encouraged to undertake a review of their existing risk assessment to understand any heightened insider risks your organisation may face in view of the current situation. This review will help shape a proportionate response to managing insider risk within your organisation.  

People under the magnifying glass
CPNI has developed a risk assessment model to help organisations centre on the insider threat
insider risk
Guidance 10 important steps organisations can take to enhance personnel security measures to mitigate insider risk

Vetting  

For personnel who hold national security vetting, it is important to remind staff of their responsibilities in maintaining their vetting status. Personal connections within states of concern should be disclosed via the organisation’s vetting department. Staff holding NSV who are planning (or have recently travelled) to the region should inform or seek authorisation for travel from their security department.  

Security Communications  

Whilst there continues to be a regular feed of media coverage relating to the heightened political tensions, Organisational Seniors are encouraged to communicate with the workforce about the current situation, the potential threat to the organisation and importantly use this as an opportunity to reinforce key security messages that you want the workforce to follow to keep themselves, their colleagues, and the organisation safe.  

Organisations should also seek to utilise their external communications channels to promote their security posture to deter hostile states with malicious motivation.

Staff Vigilance and Reporting  

Linked to effective communications, consider what security campaigns you currently deploy across your organisation to educate staff on how state actors target individuals employed in high-risk roles within an organisation. NCSC’s recent new guidance highlights that spear phishing is a technique known to have been exploited by State Actors to gain access to networks.  Consider temporary mitigations such as implementing a security alert for all incoming emails highlighting the security situation to reduce susceptibility to this type of attack. Organisations may also consider enforcing a password update for all staff and systems to help protect against an existing compromise of systems and which aims to secure networks from further compromise. 

Staff should also be savvy regarding how state actors utilise social and professional networking platforms to target personnel in key roles and what a malicious approach looks like, how staff should respond and how to minimise the risk of being targeted in the first instance. Organisations should recommend staff who utilise social media, check and update their privacy and security settings. 

It is important to ensure that clear mechanisms are in place and understood for staff to report unusual activity or concerns. Senior endorsement to encourage this action is highly recommended. 

Campaign Identify and report unusual or concerning workplace behaviours, and promote the appropriate intervention
Campaign This guidance contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques
Campaign The campaign aims to raise awareness about what social engineering is and how staff can better protect themselves against this type of threat.
TBYL blue cover photo
Campaign CPNI has launched an innovative new app allowing users of social media and professional networking sites, to identify the hallmarks of fake profiles...

Wellbeing Channels

Organisations should be cognisant of the fact staff may hold differing political views on the current situation. Ensuring wellbeing support channels and provisions to ensure all staff feel safe and are not subject to any workplace violence or intimidation should be considered. These open channels can also be utilised to remind staff of confidential reporting mechanisms should staff wish to report security issues.  

Personal or Official Travel to Ukraine or Russia 

Organisations are encouraged to review existing policies relating to official and personal travel to Ukraine or Russia during these heightened political tensions. Organisations and employees should refer to any guidance issued by FCDO whilst planning any personal or business travel to countries likely to be impacted. At the very minimum, processes whereby staff are required to engage with the Security Department prior to travel to these countries are strongly encouraged.  

Business Continuity Arrangements

Review your organisation’s existing business continuity arrangements to minimise disruption as far as practically possible to allow your organisation to return to ‘business as normal’ in the quickest possible time should a security incident occur.  Consider which staff, systems and I.T is vital to your business continuity, how you communicate your business continuity arrangements and what alternative resources are available to your organisation in the event of an incident. 

Did you find this page useful? YesNo
Thank you for your feedback. If you have any further suggestions on how this information can be made even more useful to improve your experience, feel free to share details below.
Thank you for your feedback. Sorry to hear that you haven't found this information useful. Please help us improve your experience and share how we can make this information more useful for you.