IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Chartered Security Professional (CSyP) and certified technical security professional (CTSP)
Author Bio ▼
Peter is an expert in the physical security industry having spent 35 years gaining considerable knowledge and understanding of security technology and the principles and practices of protecting people and assets, along with the ethics necessary for leading a respected company. Over 20 years as MD of multi-award-winning security system integrator 2020 Vision Systems, the company achieved a high standard of recognition and the patronage of many respected organizations. Through his dedication and leadership, 2020 obtained industry approval with the SSAIB and Quality, Environmental, and Health and Safety accreditations.Peter is a member of the Security Systems and Alarms Inspection Board (SSAIB), a UKAS accredited Certification Body, and its representative on the British Standards Institute (BSI) technical committee responsible for drafting European CCTV Standards. He is also a member of the Security Institute and Security Leaders Technology forum and the author of a number of published security articles.
There are myriad challenges for security teams to deal with at current, but one issue that is consistently highlighted as high concern is that of the insider threat. Remote working and the furloughing of staff are leaving employees without the usual support mechanisms from their workplace, while recruiting securely has never been more of a challenge. Peter Houlis CSyP, FSyI, CTSP, Independent Security Consultant and Former MD of 2020 Vision Systems Limited, offers his thoughts on how a well thought through personnel security policy can guard against the insider threat.
“People are the weakest link in all security strategies – whether by intent or human error” Smith, J. (2013).
The coronavirus has increased the numerous security threats organisations and business face every day, and these threats are likely to grow, the more extended the pandemic control measures. One of the most insidious and perhaps challenging to mitigate is an attack from within carried out by an organisation’s people or former people; employees, contractors, consultants, even volunteers. To address this inherent weakness in security requires a clear understanding of the threat and investment in robust mitigation policies, procedures and systems.
The insider threat
An organisation will go only as far as the people who are driving it for a common purpose. These employees, contractors, consultants or volunteers occupy a trusted position and are granted a higher level of privilege than an outsider. They enjoy an understanding of an organisation’s business and operations, and legitimate access to its assets.
The rogue employee chooses to abuse that trust and sense of common purpose and use their insider knowledge to exploit the vulnerabilities of their organisations’ security, systems, services, products, or facilities to access and threaten their assets for personal reasons.
Contos, B. (2006)[1] states an insider attack, or threat is more challenging to address than external threats as individuals perpetrating the crime are often friends and co-workers, and therefore perceived as trustworthy; this makes it hard to identify the criminal. The insider might be an individual or member of a terrorist or extremist group or criminal gang who deliberately sought employment with the intent to cause harm. Alternatively, a trusted employee whose circumstances changed or others may have exploited, and subsequently led them to damage their organisation.
Clearly, the insider has considerable opportunity to cause their host organisation significant harm, not just resulting in loss of money, but of assets, intellectual property, personal information, brand reputation and customers – ultimately profits, the lifeblood of any organisation.
Motivational factors
If we are to alleviate the risk and damage initiated by an insider attack, we need to identify those persons with the potential to pose an insider threat and understand the motivational factors that lead them to commit a harmful act against their host organisation. Although personality, motives and circumstances are contributory factors, generally an insider attack will be for personal gain – though this is far from the only reason.
The Australian Government cites CRIME[2] a simple acronym in understanding the motivations underlying behaviour:
Coercion – being forced or intimated
Revenge – for a real or perceived wrong
Ideology – radicalisation or advancement of an ideological or religious objective
Money – for illicit financial gain
Exhilaration – for the thrill of doing something wrong
Doubtless coronavirus has brought the best out of most people, but for some it has contributed to insider motivation with lockdown increasing the opportunity with fewer people in the workplace, home working, resentment and financial hardship.
However, not every employee with a grievance or issue would constitute a reason to commit a malicious act against his/her employer. Similarly, not all actions are deliberate or wilful acts, lack of training, carelessness or negligence are the underlining reasons for the accidental threats carried on by individuals without any particular motive. In particular, employees make themselves vulnerable to damaging both themselves and their organisation through the misuse of social networking. This is averted when organisations approach their security policy seriously during training, as employees would be knowledgeable of the consequences of their behaviour.
Whatever the motivation or reasons, a personnel security policy defines sensible control measures, the processes and procedures to be applied that facilitate the management and minimise the risk of an attack from within.
Critical components of a personnel security policy
Mitigating the insider threat requires organisations to employ reliable individuals, thus limiting the chances of them turning rogue once recruited. To instigate measures to detect suspicious behaviour and when discovered, resolve security concerns quickly[3]. Many government publications provide UK organisations guidance on formulating a personnel security policy. These documents aim to assist organisations in identifying the key components that make up a personnel security policy and to understand and develop tailored ‘best practice’ counter-measures. At the same time, they must comply with legislation, be aligned with the organisations’ HR and Information Security Policy, and the business strategy.
In essence, personnel security is about protecting assets by managing the life cycle of employment, described in Information Security Standard ISO/IEC 27002:2005 as pre-employment, during and termination or change of employment. Along with establishing clear governance points to ensure personnel and other security policies are understood, adhered too and enforceable. The critical components are categorised as:
Screening, the measures required to confirm a prospective employee’s identity and verify their credentials and suitability for the job. Providing confidence, they are who they claim to be, and have the experience and skills they profess. The degree of screening necessary is commensurate with the clearance level required, which, in turn, is dictated by the type of organisation, and the roles and responsibilities of its individuals.
Contracts, signed employee agreements, contracts of employment, NDA’s, non-compete clause, etc. These are vital when it comes to governance and the ability to take action against employees who violate security policies or commit acts of harm.
Acknowledging Security Policy, ensures employees and contractors are aware of the strategies that apply to them. This often includes ‘Code of Conduct’, confirming in writing that they have received and understood them.
Security Education is about creating a security culture; developing both an employee’s security awareness, so they can recognise security threats and know how to respond, but also ensuring their adherence to security policies and the consequences of failure to comply.
Monitoring the ongoing management and supervision of employee behaviour, and use of company assets.
Termination Procedures, correctly ending employment, cancelling an employee’s work contract, shutting down logical and physical security access and ensuring the return of company property. These pillars form the essential procedures and processes to address the purpose and objectives of a successful Personnel Security Policy.[4]
Steps to implementing a personnel security policy
Although the Governments Centre for the Protection of National Infrastructure (CPNI) documents provide a comprehensive, in-depth view for designing and implementing a personnel security policy, it can be daunting and is particularly pertinent to Government and those organisations dealing with Government.
There is no actual fixed method for developing and implementing such a policy. Its dependant on the size, type and nature of the organisation. During my tenure as MD of an award-winning security integrator, we followed the framework in The Australian Government publication, The Insider Threat to Business (2010)[5], to implement a more straightforward tailored personnel security policy consisting of:
Stage 1: Organisational personnel security
Organisational security points: know your business, good (security) culture, undertaking risk assessments, understanding the legal framework and communicating with your employees can be considered fundamental to the success of any security strategy.
Know your business
Before starting the development and implementation of a personnel security policy, it is imperative to know the organisation, its operations, principle people and organisational structure, environment and business strengths, weaknesses and culture, along with an understanding of the broad operational environment.
Security culture
Nominate a trusted person and a single department responsible and accountable for security screening to negate conflict of interest. Ensure screening personnel have the required knowledge to carry out vetting or provide training. Alternatively, appoint an appropriate third party; taking care contracts are put in place to ensure the compatibility of screening objectives and standards.
Paramount to implementing a successful personnel security policy is endorsement from the top; the lead has to come from a position of authority, having the power to make and enforce decisions, and to create a positive security-aware culture throughout. The Insider Threat to Business (2010) endorses a good security culture as vital, including:
Awareness and ownership – an organisation’s individuals and teams understand the security threats and vulnerabilities and accept their actions can affect the risks, and appreciate security is an integral part of the organisations’ business.
Compliance and reporting – employees take complying with security policies and procedures, and the reporting of security breaches, as standard practice.
Communication and challenge – all employees are familiar with the rationale behind the security measures and are confident to challenge others if they are not complying with security requirements.
Senior sponsorship and enforced disciplinary procedures – senior managers place and demonstrate a high value on security, dealing consistently and rigorously with security breaches, according to well-established guidelines.
Discipline and offering incentives – sensitive access or information is restricted unless there is a definite requirement, and rewarding employees for ideas for improving security and reporting security breaches.
Creating a security culture involves changing people’s attitude and behaviour. There are many proven training methods accomplished in changing people’s behaviour, such as workshops, scenario-based role-plays, briefings, intranet or magazine articles, newsletters, posters, etc. dependent on the nature and size of the organisation. An induction programme presents an excellent opportunity to introduce the importance of security; emphasised through ongoing awareness training.
Risk assessment
Before implementation, carry out a personnel security risk assessment. Risk management procedures as applied to personnel security are designed to ensure control measures, are lawful, proportionate to the perceived risk, (Risk = Value x Threat x Vulnerability, is an accepted risk assessment equation), and balanced and fair (transparent). As part of this process, input from various department heads and employees is preferred. Risk Assessment for Personnel Security 4th Edition CPNI (2013) describes a suitable risk management process, which can be customised. ISO 31000:2009 contains more generalized risk assessment advice.
Understand the legal framework
Implementing a Personnel Security policy involves several legal issues; it also needs aligning with the organisation’s HR and Information Security policies. Seeking professional legal and HR advice and input from other relevant people and departments is prudent.
Communicating personnel security to employees
Inform prospective employees as early as possible of the recruitment process, such as the need for background checks and what these involve, and how the information collated is to be used, managed and stored. Together with the procedure to be adopted, should an applicant be rejected.
Stage 2: Pre-employment personnel security
Instigate a vetting procedure and apply a suitable screening process appropriate to the organisation and nature of the job. BS7858:2019 describes in detail an adequate method to establish a person’s identity, integrity and their credentials and suitability for employment, including their right to work in the UK.
Screening should encompass a thorough check of an employee’s CV to ensure there are no anomalies, the accuracy of employment record should be confirmed, references from former employers sought, and qualifications verified. Where risk dictates a CRB and financial record checks may be required, along with two suitably endorsed character references. When a prospective candidate is offered and accepts employment, the necessary employee contracts need to be issued and signed.
Stage 3: Ongoing personnel security
Access Control
Where applicable implement an access control system or procedure to limit/permit access to physical (buildings) and electronic assets. A simple security pass and signing in procedure may suffice, with colour coded passes to identify where someone is allowed to go.
Monitoring
Consider an electronic system to control who, what, when and where movements around a facility and use assets to provide real-time monitoring and alerts to breaches. Video surveillance can supplement this to provide an additional security layer.
Implement simple policies, need to know, least privilege, and clear work area, coupled with monitoring IT use, particularly staff use of social networking sites, to minimise security risk.
Security culture
Develop a procedure to review the insider motivational factors frequently; notice a change in someone’s circumstances, and provide employee support in addition to regular supervision and management reporting. Ensure managers, supervisors and employees are security aware and recognise signs of bullying or coercion, or someone asking seemingly innocent questions, overlooking small security misdemeanours.
Check with HR on reporting and investigation procedure, or if necessary, instigate a suitable process and inform all employees of its introduction and use. Issue regular security appraisal forms and consider reapplying some of the pre-employment checking stages at regular intervals, especially when an employee changes job role.
Stage 4: Information and communication technologies
Create an ITC asset register and ensure the use of ITC is compliant with the Information Security Policy. Make employees aware of policy contents, and that ICT use is subject to monitoring. Discuss the adoption of standard operating procedures to aid the identification of anomalies. Upon termination of employment, revoke access, restrictions and privileges.
The objective of employing the right people and those people understanding the consequences to both them and their organisation of undertaking an attack requires a personnel security policy containing processes and procedures drawn from a collection of subjects, embroiled in legislation and covered piecemeal by various standards. Notably, ISO 27001/2, which in general addresses information security and data management, and BS7858:2019 which describes employee screening, are key to this process. The application of proportionate counter-measures, is organisation and role-specific, and requires diligent risk management. What damage could a rogue employee do to the physical, information assets and brand reputation?
A personnel security policy applied consistently, addresses these objectives, and instils a beneficial security culture, but it requires continual review to ensure it remains balanced and valid.
[1] Contos, B. (March 2006). When Insider Threats Meet Sarbanes-Oxley. Sarbanes-Oxley Compliance Journal.
[2] Australian Government. (2010) The Insider Threat to Business.
Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!
Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.
How a personnel security policy can combat the insider threatPeter Houlis offers his thoughts on how a well thought through personnel security policy can guard against the insider threat.
Peter Houlis
IFSEC Insider | Security and Fire News and Resources
Related Topics
Physical security incidents cost companies $1 trillion in 2022, according to new report
Crisis management book wins 2023 ASIS Security Industry Book of the Year Award
British Museum thefts put spotlight on the insider threat
[…] Security policies and training can help to clearly educate staff on the rules and regulations of a business, taking into account the specific physical and cyber security measures implemented there. For example, you might provide details about what an employee should do if they find a USB on the floor or why it’s important to lock your screen when walking away from your desk. You may also instruct employees to be vigilant about preventing unwanted intruders on the premises. It’s very easy to hold the door open for someone as you walk into the office without thinking, but this… Read more »
[…] gaps. As Peter Houlis has shown, adjustments in personnel security policy can mitigate the risk of insider threats. But by the same token, reactive adjustments can make the threat more […]
Security culture
[…] Read Peter Houlis explain how you can take out a personnel security policy to combat insider threat on IFSEC Global. […]
[…] outside threats, but as IT has become more prevalent and more data is stored in the workplace, the insider threat has become much higher,” he […]
[…] Security policies and training can help to clearly educate staff on the rules and regulations of a business, taking into account the specific physical and cyber security measures implemented there. For example, you might provide details about what an employee should do if they find a USB on the floor or why it’s important to lock your screen when walking away from your desk. You may also instruct employees to be vigilant about preventing unwanted intruders on the premises. It’s very easy to hold the door open for someone as you walk into the office without thinking, but this… Read more »
[…] gaps. As Peter Houlis has shown, adjustments in personnel security policy can mitigate the risk of insider threats. But by the same token, reactive adjustments can make the threat more […]