Personnel security is fundamental to good business.
Most personnel strive to conduct themselves in an ethical and professional manner. However, it would be negligent to ignore the risk of someone deliberately causing harm or exploiting their positions of trust. The ‘trusted insider’ represents a real and enduring risk to everyday business practices. It is an important risk consideration for both Government and the private sector. Insider activity is at the very least embarrassing and damaging to an organisation’s reputation, but it can also be disruptive, expensive and life threatening.
This article addresses the risk of the ‘trusted insider’ – a person who uses insider knowledge or access to commit a malicious act to cause harm. It provides guidance on the risks and factors associated with a trusted insider and offers practical measures to assist organisations mitigate the threat. A trusted insider is someone who leaks information or takes that material outside of the organisation without protecting the information appropriately or without authorisation. This is quite different from, and should not be confused with, a whistle blower disclosing information that, in the public interest, should be disclosed, as detailed in the Public Interest Disclosure Act 2013 (Cth).
Trusted insiders represent a diversity of types and motivations. However, all have placed personal motivations and needs ahead of their obligations to their employer. Although malicious acts by insiders are rare, the potential level of risk demands that we are alert to this threat. A number of high profile international cases of trusted insiders have highlighted the importance of maintaining strong personnel security measures. Australia is not immune to the risk of a trusted insider and avoiding the potential level of damage from such activity requires a concerted effort. I encourage all Australian organisations to read this Handbook – not only to improve your understanding of personnel security and promote a positive protective security culture – but to help build a robust and resilient organisation.
– Senator the Hon George Brandis QC
Understanding the insider threat
The insider threat can be defined as the threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which may cause harm. Trusted insiders are potential, current or former employees or contractors who have legitimate access to information, techniques, technology, assets or premises. Trusted insiders can intentionally or unknowingly assist external parties in conducting activities against the organisation or can commit malicious acts for self-interest. There is no one type of trusted insider. However, there are broadly two categories of trusted insiders who pose a threat:
The unintentional insider: unintentional insiders are trusted employees or contractors who inadvertently expose, or make vulnerable to loss or exploitation, privileged information, techniques, technology, assets or premises. Inadvertent actions include poor security practices, such as leaving IT systems unattended and failure to secure sensitive documents, and unwitting unauthorised disclosure to a third party.
The malicious insider: Malicious insiders are trusted employees and contractors who deliberately and wilfully breach their duty to maintain the security of privileged information, techniques, technology, assets or premises. There are two types of malicious insiders:
* Self-motivated insiders are individuals whose actions are undertaken of their own volition, and not initiated as the result of any connection to, or direction by, a third party
* Recruited insiders are individuals co-opted by a third party to specifically exploit their potential, current or former privileged access. This includes cultivated and recruited foreign intelligence, or their entities with malicious intent.
All malicious insiders intentionally use their access to resources for financial gain, or to cause harm, loss or damage. Almost all physical and electronic attacks can be assisted or conducted by an insider. Some attacks can only be committed by insiders, such as the unauthorised release of proprietary information or the sabotage of assets that only employees can access.
Most self-motivated insiders is a result of an individual seeing an opportunity to exploit their access while already employed, rather than having sought employment with the intention of committing an insider act. Information obtained from an unintentional insider is often the result of a lack of security awareness and a failure to follow security protocols. Often, an unintentional insider acts in breach of their duty to their employer. Additionally, a trusted insider who inadvertently assists an external party may not be aware that they are allowing access to assets or passing on information, or that the resources they are providing are valuable and wanted by someone else. Studies indicate that most insider cases involve a self-motivated insider.
It is not only government employees who are targets of exploitation and recruitment as an insider; businesses may also be targeted.
Insider activities range from active betrayal to passive, unwitting or unwilling involvement in causing harm, including:
• unauthorised disclosure of information, including intellectual property
• physical or electronic sabotage
• facilitating third-party access to premises or systems
• theft and fraud.
There is generally no single or simple reason for an employee deliberately seeking to cause harm. Commonly, malicious trusted insiders have a number of motives for their activity .Motivations are complex and often mixed. Those who betray their organisation are often driven by a mix of personal vulnerabilities, life events and situational factors.
Key motivators for malicious insider activity include:
• financial gain
• desire for recognition
• divided loyalties
• vulnerability to blackmail
• compulsive or destructive behaviour
• family problems
While common motivators can be identified, they do not in isolation or in combination, guarantee a person will betray there organisation. The desire for status and peer recognition – sometimes coupled with or related to genuine or perceived workplace grievance – has been a recurring theme in trusted insider cases. Case studies indicate that financial gain was the primary motivation in 47% of trusted insider cases. However, ideology (20%), desire for recognition (14%) and divided loyalty (14%) were also common motivators.
Insider activity driven by ideology and desire for recognition is often closely linked to the disclosure of sensitive information. Insider activity driven by financial gain is often linked to corruption or providing third parties with access to assets and resources.
Disgruntlement or revenge also commonly fuels insider activity. A person can become disgruntled and seek revenge for many reasons. Key reasons include a lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job or a pending lay-off.
Studies demonstrate that 88% of insider activities were carried out by permanent staff, 7% involved contractors and 5% involved non-ongoing employees. Significantly, more males (82%) engaged in insider activity than females (18%), and 60% of the cases were individuals who had worked at the organisation for less than five years.
A large number of insider acts are opportunistic (76%) rather than being the planned act of a deliberate infiltrator (6%). It is also important to note that many employees with malicious intent never commit an act of betrayal.
How and when
Trusted insiders will know their employer’s vulnerabilities, and how and when they can be exploited. They will exploit their employer’s trust and their access to resources and facilities to harm the business. They may abuse legitimate access or take advantage of poor access controls to gain unauthorised access. These illegal activities may take place after considerable planning or on the ‘spur of the moment’ when the opportunity arises. Technology has exacerbated the threat from trusted insiders. Technology has broadened access to information for staff at all levels and increased the ease with which sensitive information can be aggregated, removed and disseminated.
Fraud can be defined as obtaining a benefit using dishonest means, or causing a loss by deception or other means. Employees or contractors may be motivated to commit fraud to gain a benefit for themselves or others, or to cause a loss to the organisation. The dishonest benefit gained or loss caused by fraud is not just limited to a monetary cost (eg theft)—it can also encompass other resources, such as information, intellectual property and time (eg employee’s fraudulently manipulating leave). The loss associated with the fraudulent act may also extend to areas such as reputational damage and even risks to public safety.
Fraud can take many different forms, including:
• unlawful use of property, equipment or facilities
• providing false or misleading information
• using false, forged or falsified documents.
Fraud can be committed by an individual on their own behalf or on behalf of an external agent, or by a network of individuals conspiring together. Often, fraud can be facilitated by unwitting co-workers, who are unaware they are assisting the fraudulent individual.
Corruption can take many forms, but is typically characterised by an insider’s concealed, dishonest or biased behaviour to make a profit or cause a loss. Corrupt conduct consists of an abuse of trust, using a position or discretionary power for one’s own purpose. Corrupt practices have the potential to undermine Australia’s reputation for high standards of governance, robust law and justice institutions, equitable delivery of services, and transparent and fair markets. Some examples of corrupt conduct include bribery, embezzlement, insider trading, nepotism or cronyism, creating or exploiting a conflict of interest, and unauthorised access to or disclosure of information. Corruption
can facilitate other forms of insider threat, including fraud, criminal gain and espionage.
Private enterprise employees are attractive to organised crime because of their knowledge of business and government processes. Businesses can also give legitimacy to corrupt financial transactions and provide a cover for the movement of illicit goods, either domestically or internationally. Globally, there are many examples of trusted insiders who defraud businesses or who use a business to facilitate criminal activity, such as drug trafficking and money laundering.
Trusted insiders can be complicit in criminal activity, or may be duped or coerced into assisting criminals undertake illegal activity. They can work alone for their own personal gain or may be a small part of a
6 sophisticated criminal enterprise. In some cases, trusted insiders have used their employment to undertake illegal activity to assist family, friends or people with a shared cultural background or beliefs.
A person can be unaware that they are disclosing information, or that the information they are providing is valuable or sensitive. Leaving a workstation unlocked, not securing a password or not following system procedures are examples of unintentional threats that can lead to more serious compromises. Additionally, stolen or misplaced security passes, laptops and mobile devices can also lead to unintentional disclosure of sensitive or valuable information. So too can a simple conversation about what a person is currently working on with a friend or family member.
Espionage or spying
An individual, commercial entity or government can undertake espionage (or spying) for the purpose of surreptitiously or deceptively obtaining secret information for national, commercial or economic advantage. A trusted insider can be used as a tool for either traditional espionage by a foreign government or industrial espionage. Espionage poses an enduring threat to both the Australian Government and Australian business. It can provide governments or companies significant unauthorised access to a wide range of information detrimental to our interests, including future prosperity.
Insider threat studies show that the majority of trusted insiders, who act against an organisation, do not do so for terrorist or espionage purposes, but rather for motives of disgruntlement, revenge or criminal financial gain. However, trusted insiders can be extremely dangerous tools for terrorists who can leverage them to gain information or access premises.
Personnel security—what it is and why you need it
Personnel security is a set of measures to manage the risk of an employee exploiting their legitimate access to an organisation’s facilities, assets, systems or people for illicit gain, or to cause harm. Organisations need to have effective and robust personnel security frameworks in place. Implementing a personnel security framework will help you build an understanding of any insider threats facing your business and give you the tools to manage any associated risks. It will also allow you to place a level of trust in your employees so that you can confidently give them access to your business.
Pre-employment personnel security
Perform the following pre-employment background checks:
• identity checks, including overseas applicants or applicants who have spent time overseas
• qualification and employment checks
• national criminal history checks
• financial background checks.
All documents for the checks should be secured. Any applicant who fails to meet the standard of your business should be rejected for employment.
Pre-employment personnel security
Background checking is designed to give you confidence that prospective employees are who they say they are, and have the skills and experience they say they do. This will provide you with the requisite level of trust in a prospective employee to offer them a job and give them access to your business and its resources. As early as possible in the recruitment process, advise all applicants about:
• the business’s requirements for pre-employment checking
• why these checks are conducted
• what your business will do with the information collected
• to whom the information might be disclosed
• what subsequent decisions might be made about an applicant’s suitability for work.
With all pre-employment background checks, be sure of the criteria for checking before you start. Identify the requisite level of checking for each position. The more sensitive the position, the more checks you will probably want to make.
Ask us for the complete (and free) Australian Government “Personnel Security Handbook”.