Insider Risk Assessment
Organisations are strongly encouraged to review their existing risk assessment to understand any heightened insider risks they may face in view of the current situation. This review will help shape a proportionate response to managing insider risk within the organisation.
For personnel who hold national security vetting (NSV), it is important to remind staff of their responsibilities in maintaining their vetting status. Personal connections within states of concern should be disclosed via the organisation’s vetting department. Staff holding NSV who are planning to travel (or have recently travelled) to the region should inform, or seek authorisation for travel from, their security department.
Whilst there continues to be a regular feed of media coverage relating to the heightened political tensions, Organisational Seniors are encouraged to communicate with the workforce about the current situation and the potential threat to the organisation and, importantly, to use this as an opportunity to reinforce the key security messages that you want the workforce to follow to keep themselves, their colleagues, and the organisation safe.
Organisations should also seek to utilise their external communications channels to promote their security posture to deter hostile states with malicious motivation.
Staff Vigilance and Reporting
Linked to effective communications, consider what security campaigns you currently deploy across your organisation to educate staff on how state actors target individuals employed in high-risk roles within an organisation. NCSC’s recent guidance highlights that spear phishing is a technique known to have been exploited by state actors to gain access to networks. Consider temporary mitigations such as implementing a security alert for all incoming emails highlighting the security situation to reduce susceptibility to this type of attack. Organisations may also consider enforcing a password update for all staff and systems, both to help protect against an existing compromise of systems and to secure networks from further compromise.
Staff should also be aware of how state actors use social and professional networking platforms to target personnel in key roles, what a malicious approach looks like, how they should respond and how to minimise the risk of being targeted in the first instance. Organisations should recommend that staff who use social media check and update their privacy and security settings.
It is important to ensure that clear mechanisms are in place and understood for staff to report unusual activity or concerns. Senior endorsement to encourage this action is highly recommended.
Organisations should be cognisant of the fact that staff may hold differing political views on the current situation. Consider wellbeing support channels and provisions to ensure all staff feel safe and are not subject to any workplace violence or intimidation. These open channels can also be used to remind staff of confidential reporting mechanisms should they wish to report security issues.
Personal or Official Travel to Ukraine or Russia
Organisations are encouraged to review existing policies relating to official and personal travel to Ukraine or Russia during these heightened political tensions. Organisations and employees should refer to any guidance issued by FCDO whilst planning any personal or business travel to countries likely to be impacted. At the very minimum, processes whereby staff are required to engage with the Security Department prior to travel to these countries are strongly encouraged.
Business Continuity Arrangements
Review your organisation’s existing business continuity arrangements to minimise disruption as far as practically possible and allow your organisation to return to ‘business as normal’ in the quickest possible time should a security incident occur. Consider which staff, systems and IT are vital to your business continuity, how you communicate your business continuity arrangements and what alternative resources are available to your organisation in the event of an incident.