Reducing Insider Risk
People are an organisation’s biggest asset; however, in some cases they can also pose an insider risk. As organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, the recruitment of insiders becomes a more attractive option for those attempting to gain access. This collection of CPNI guidance and tools is designed to help organisations reduce the risk of an insider by undertaking good personnel security practices.
CPNI defines an insider as a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes. An insider could be a full-time or part-time employee, a contractor or even a business partner. An insider could deliberately seek to join your organisation to conduct an insider act, or may be triggered to act at some point during their employment.
Employees may also inadvertently trigger security breaches through ignorance of rules, or deliberate non-compliance (due to pressure of work). Our guidance is also relevant to mitigating these threats.
CPNI has reviewed and analysed cases of insider acts from the UK and overseas to understand how and why these events occurred, and what could have been done to prevent them. The Insider Data Collection Study report provides CPNI's main findings.
CPNI has used this data, and our relationship with the CNI, to test, refine and embed personnel security into protective security measures. The output from that learning has helped us develop effective strategies to assist you in reducing insider risk.
Personnel security is a system of policies and procedures which seeks to:
- Reduce the risk of recruiting staff who are likely to present a security concern
- Minimise the likelihood of existing employees becoming a security concern
- Reduce the risk of insider activity, protect the organisation’s assets and, where necessary, carry out investigations to resolve suspicions or provide evidence for disciplinary procedures
- Implement security measures in a way that is proportionate to the risk
CPNI has developed a wide range of guidance and products across seven key areas to help organisations make informed decisions about the level of personnel security risk they manage. The pages below provide more information on these key areas.
We have also developed a personnel security maturity model based around these seven core elements and an infographic on personnel security measures your organisation should consider - Personnel Security: Are You Thinking About It?