We saw this in the news recently: “The NSW cyber security agency is extending its scope to cover councils and small agencies.”
“Customer service minister Victor Dominello on Wednesday announced a three-year, $60 million investment in the agency, saying it represented a four-fold increase in spending on cyber security and would ensure a world-class security infrastructure for government services, including local government for the first time.”
There are some significant implications that will not be lost on smaller agencies and local councils. They understand that, even up until recently, only 23% of Commonwealth Departments were not compliant with the ASD ISM Top 4. The ASD Essential 8 is even more transformative and will require a herculean effort to mature cyber posture.
As part of the Cyber Security NSW ‘Mandatory 25’, which local government and small agencies will now need to comply with, there is a requirement to “appropriately security screen” staff and contractors.
Personnel security is fundamental to good business. Our background is a Commonwealth National Security Clearance Agency, so we understand the frustrations and damage that occurs when background checks are not done properly. Yes, most personnel strive to conduct themselves in an ethical and professional manner. However, it would be negligent to ignore the risk of someone deliberately causing harm or exploiting their positions of trust.
And on that point, IBM (below) and Verizon research both indicate that malicious trusted insider threats (not clicking a bad link or a fat finger error) account for 1 in 4 data breaches. That’s a lot!
Cyber resilience and cyber posture need to properly consider ‘people risk’ aspects.
Consider Dave. He is a serial data breach offender.
Would you want to be responsible for bringing him into your organisation?
So what does that look like? Well, the bare-minimum Australian Standard AS 4811 Employment Screening is considered deficient in many ways. Even a National Police Check and a basic referee check are insufficient (Royal Commissions have called that process futile). In 2020, the Victorian Auditor General said that 60% of contractors did not have a police check, meaning more than 3,400 people working in the Victorian Public Service had not been assessed for criminal history. We all remember the security guard errors that sparked the second wave of COVID-19 deaths in Victoria. They were not screened or vetted properly, be it for criminal histories, counter-productive workplace behaviours, data breaches or foreign influences.
ICAC’s white paper, Strengthening employment screening practices, notes: “Employers should have a robust process for responding to red flags that arise from employment screening checks.”
ICAC’s Employment Screening Handbook: “Employment screening [AS4811] typically consists of checking a candidate’s identity. There are better practices available to inform employment screening such as the Protective Security Policy Framework (PSPF) & the Personnel Security Protocol.”
Furthermore, the ACSC has said that “We encourage all organisations to implement a range of measures, both policy and technical, to increase their cyber security. Personnel management is a key part of cyber security, which is recognised as a key part of the ACSC’s Cyber Security Principles” (see https://www.cyber.gov.au/acsc/view-all-content/guidance/cyber-security-principles).
ISM P10: “Only trusted and vetted personnel are granted access to systems, applications and data repositories.” and ISM Security Control 0434 states that “Personnel undergo appropriate employment screening before being granted access to a system and its resources.”
As an Australian-owned company, we have developed an A.I. Vetting-As-A-Service platform. That means that we offer a PSPF compliant background suitability screening assessment which vets people using the Attorney General’s personnel security standards and protocols. The Cleard Life “CL0 Basic Check” mimics an AGSVA Baseline Security Clearance – without duplication or delays.
By adding our screening element on top of your organisation’s background checking procedures, integrated with your (or your outsourced screener’s) platform, we immediately interview your candidate (or staff member) and, using our traffic light risk protocol, send the result to the hiring manager.
This is done with a turnaround time of as little as next day after the candidate interview is complete!
For PERSEC governance, risk and compliance measures, we are able to standardise, harmonise and lift your cyber screening to the PSPF standard.