Chartered Security Professional (CSyP) and certified technical security professional (CTSP)
Author Bio
Peter is an expert in the physical security industry having spent 35 years gaining considerable knowledge and understanding of security technology and the principles and practices of protecting people and assets, along with the ethics necessary for leading a respected company. Over 20 years as MD of multi-award-winning security system integrator 2020 Vision Systems, the company achieved a high standard of recognition and the patronage of many respected organizations. Through his dedication and leadership, 2020 obtained industry approval with the SSAIB and Quality, Environmental, and Health and Safety accreditations.
Peter is a member of the Security Systems and Alarms Inspection Board (SSAIB), a UKAS accredited Certification Body, and its representative on the British Standards Institute (BSI) technical committee responsible for drafting European CCTV Standards. He is also a member of the Security Institute and Security Leaders Technology forum and the author of a number of published security articles.
Clearly, high profile cases involving Chelsea Manning and Edward Snowden have only increased the perceived risks associated with disclosure and improper use of confidential information.
Although the causes of the Barclays and Morrisons breaches are not yet known, they do serve as a stark reminder that when it comes to security “people are the weakest link in all security strategies – whether by intent or human error” (Smith, J. 2013).
Every day, organisations and businesses face myriad security threats. One of the most insidious and perhaps the most difficult to mitigate is an attack from the enemy within: disgruntled current or former employees, contractors, consultants, even volunteers.
And there’s more at risk than data. The recent conjecture about flight MH370 focuses on the pilot and/or co-pilot hijacking the aircraft.
If this was indeed the case, it spotlights one of the aviation industry’s biggest fears: a trusted employee with access to aircraft smuggling weapons or an improvised explosive device (IED) on board.
According to air security expert Philip Baum, such a possibility exists in almost every airport in the world.
It has long been understood that an organisation’s people are its most valuable resource. Entrusted with a higher level of access and privilege than outsiders, employees, contractors, consultants and sometimes volunteers enjoy an understanding of an organisation’s business and operations and legitimate access to its assets.
The rogue employee chooses to abuse that trust and sense of common purpose to access and threaten their organisation’s assets, be they information, personnel or equipment, for personal reasons.
Such insider attacks or insider threats are tougher to spot, prevent or thwart than external threats as the perpetrators are friends and co-workers. Vigilance is all well and good but it’s hardly conducive to strong team spirit if colleagues are encouraged to be mistrustful of one another.
The insider might be an individual or member of a terrorist or extremist group or criminal gang who deliberately sought employment with intent to cause harm. Or it could be an individual who became disgruntled – for example, if they were overlooked for promotion or made redundant. Alternatively, external parties may have persuaded them to cause their organisation harm.
Clearly, the insider has considerable opportunity to cause their host organisation significant harm, resulting not just in financial losses but in the loss of assets, intellectual property, personal information, brand reputation, customers and, in the worst scenarios, life.
To strengthen this inherent weakness in the security function, robust policies, procedures and systems are required.
Motives
If we are to alleviate the risk we must identify people with the potential to pose an insider threat and understand their potential motives.
The Insider Threat to Business, a security handbook published by the Australian government in 2010, uses the acronym CRIME as a useful aide-memoire for understanding the motives of the enemy within:
Coercion – being forced or intimidated
Revenge – for a real or perceived wrong
Ideology – radicalisation or advancement of an ideological or religious objective
Money – for illicit financial gain, and/or
Exhilaration – for the thrill of doing something wrong
Accidental threats
However, not every employee with a grievance plans to commit a malicious act against their employer and damaging acts aren’t always deliberate or wilful.
Lack of training, carelessness or negligence often account for ‘accidental’ threats posed by hapless individuals with no axe to grind. Employees often make themselves and their organisation vulnerable by misusing social media.
If an organisation addressed security policy seriously during training, the risks would be much reduced, as employees would be aware of the consequences of damaging behaviours.
A personnel security policy defines sensible control measures: the processes and procedures that facilitate the management, and minimise the risk, of an attack from within.
Caution, it’s all in the security risk assessment
Nowhere are these safeguards more important than in the aviation industry, where the stakes are high and the risk of losing lives is great.
But as dramatic as high profile insider data leaks have been, research suggests that only a small percentage of data breaches involve insiders; 86% emanate from external sources.
And the vast majority of insider-led breaches occur within 30 days of the employee declaring their resignation.
It is, therefore, self-evident that a personnel security policy is only one part of the security picture. As has been repeatedly proven, there is no substitute for adopting solid risk management programmes that address multiple risk factors. To do otherwise could prove a costly mistake.
MH370 Disaster and Morrisons Breach Raise Spectre of Insider Threat
After a Morrisons employee was arrested and with MH370 pilots still under some suspicion, Peter Houlis says that attacks from within are rare but hard to spot.
Peter Houlis
IFSEC Insider | Security and Fire News and Resources