Recent studies highlight growing threats to organizations from their own staff. This article considers Insider Threats along with the growing phenomena of Actively Disengaged Staff and outlines simple steps that can protect people, profits, assets, and reputations.
Countering the rise in actively disengaged staff and insider threats
The UK’s National Crime Agency’s last Strategic Assessment of Serious and Organized Crime placed Insider Threats among the top increasing threats in the UK. This rise is being enabled, and driven, by our increasing reliance on technology, post-COVID working practices, and the growth of fraud. Additionally, increasingly sophisticated physical and cyber security means that insiders and social engineering are the best, or only, options for criminals.
However, this is not the only growing internal threat facing businesses and organisations. Gallup’s 2023 US employee survey shows that workforces are becoming more ‘Actively Disengaged’. This trend is as concerning as the shift in criminal tactics, because actively disengaged staff are the most likely to jeopardise an organisation’s success by sabotaging systems and reputations.
Insider crimes and employee disruptions occur daily. Recent UK studies by the Met Police (London) and KPMG, show that employee thefts and fraud offences are rising faster than most other crime types, potentially fuelled by the cost-of-living crisis. The impact of insider crimes can range from minimal to business critical, with huge financial impact. Recent examples include: Asif Khan, an RAC employee who was convicted of stealing private data after some customers reported unsolicited calls from claims management companies after accidents; and a disgruntled Tesla employee who, after being overlooked for promotion, sabotaged production, resulting in a 5% loss in share values and lost sales.
Preventing and identifying
Insider threats or actively disengaged employees are motivated to achieve either a reward or the satisfaction of damaging their employer. A central factor in their motivation is their assessment of risk versus reward. As they possess inside knowledge and access, they can more accurately do this assessment, because they understand how to avoid detection whist maximising gains.
To counter these threats a strategic approach to culture, prevention and monitoring are vital to alter how criminals, insiders and actively disengaged employees view risk versus reward and protect people, assets and reputations. Much as the physical and cyber security ‘arms race’ pushes criminals to seek softer targets, improving internal security culture, vetting, training, and implementing effective procedures, lessen the likelihood of being targeted. These simple, cost-effective steps work as they change perceptions and reduce opportunities. They increase the likelihood and expectation of being caught and, due to better internal controls and responses, reduce the rewards available and lessen the impact of sabotage.
Technology and innovative security solutions
Choosing the right technology is vital for effective vetting and the identification and mitigation of insider threats. The right technology enables meaningful due diligence and vetting checks and the discrete monitoring of systems and compliance. To compliment technology, innovative and flexible security management solutions can also deliver security oversight, especially in small to medium companies. Such solutions help prevent, and cost effectively deal with, security issues as they remove the need to fund a full security department, whilst providing 24/7 support in the event of an incident.
5 steps to protect people, profits, assets and reputations
1. Pre-employment and ongoing vetting
Initial and ongoing vetting is vital to prevent criminality entering the workplace and counter staff who are actively disengaged. Thorough background checks during the hiring process help to identify potential risks and should include criminal record checks, employment history verification, and professional reference checks to assess a candidate’s trustworthiness and reliability. Undertaking simple security assessments of roles will help to determine the level of vetting required. This will assist managers make balanced decisions based on vetting results and ensure that the process is proportionately applied.
As behaviours are driven by decisions using technologies that assess how people think and make decisions, and how these are influenced by their characteristics, is a cost-effective way of identifying people who are more likely to make bad decisions and so damage profits, reputations or both. As people and their circumstances change, these types of assessment can be carried out at regular intervals to determine if internal threats have changed.
2. Culture and training
Ongoing programs of staff engagement, coupled with comprehensive training are vital to improve engagement, raise security awareness and ensure employees understand the importance of security protocols. Training should cover topics such as data protection, password hygiene, phishing awareness, social engineering techniques, and the consequences of security breaches. Moreover, fostering a culture of trust and vigilance within organisations encourages employees to speak up and escalate suspicious activities or potential breaches.
3. Information and access control
Implementing access controls to systems and information helps limit the exposure of sensitive data to those employees who require it for their roles. By employing principles of ‘need to know’, organisations can minimise the risk of unauthorised access and malicious actions.
4. Monitoring and auditing
Monitoring and auditing of employees’ activities can help detect unusual behaviour, unauthorised access attempts, or policy violations. Implementing robust monitoring tools and regular auditing allows organisations to identify and respond to potential security incidents promptly. This can be done using technology and/or human processes, but it is important to understand that as an individual’s circumstances change, so does the insider threat. For example, someone who encounters financial problems, addiction or personal difficulties may become exploitable or more prone to take malicious action.
5. Incident response and reporting
Establishing clear incident response procedures and channels for reporting suspicious activities or breaches encourages employees to proactively report concerns. A well-defined response plan helps mitigate potential damage and facilitates a swift, coordinated response when incidents occur. Good response plans are scalable, have clear lines of communication, designated responsibilities and authority levels.
Clearly, these steps do not operate in isolation. They work together and as part of an organisations Enterprise Security Risk Management process. Having the right consultants to guide you through these steps is of paramount importance. You should ensure they have the necessary experience and in-depth understanding of how to best prevent, mitigate and contain insider threats and actively disengaged staff. If you would like to know more or discuss anything, please contact consulting@ahnagroup.com.