Insider threats can harm a company or a government agency in dozens of ways.
The worst insider threats are existential, dangerous enough to literally destroy an organisation.

The key to maintaining an effective security system is timely detection of security breaches. Widespread use of technology has resulted in massive amounts of data transfer which in turn makes organisations vulnerable to both internal and external threats. Mass shootings, data thefts and other internal breaches of security have cast a spotlight on the issue of insider threats. According to the Security Executive Council, an insider threat is: “Any risk posed by current or formerly trusted individual(s) with access or privileged knowledge; used to damage, deprive, diminish, injure or interrupt organisational stakeholders, assets, critical processes, information, systems or brand reputation. Insider threats include any illegal, prohibited or unauthorised conduct (acts or omissions).”

What kind of harm do insider threats cause?

Not long ago, a computer programmer working for a Wall Street firm stole 32 megabytes of proprietary computer code with the idea of selling the data to a competing firm. The company discovered the theft through routine network monitoring. The employee was charged and convicted of stealing trade secrets.

This and a number of other examples of the trouble insider threats can cause come from an FBI brochure entitled “The Insider Threat.”

The examples in the brochure mostly relate to thefts of computer files, but experts caution that insider threats go far beyond data theft. For example, they point to Nidal Malik Hasan, the U.S. Army Major who shot and killed 13 people and injured more than 30 others at Fort Hood in Texas in 2009. He worked at Fort Hood as a psychiatrist.

Insider threats can harm a company — or a government agency — in dozens of ways, from stealing proprietary information to injuring or killing people. The worst insider threats are existential — dangerous enough to literally destroy an organisation or business.


Identifying insider threats

Experts say that insider threats don’t necessarily match the description of a mass shooter before the act. You’ve heard that description: Someone who has grown withdrawn, moody and disagreeable.

An insider threat secretly plotting to do harm will likely try to hide his or her emotional state from others.

“The FBI lists a number of behavioural indicators that insider threats might display,” says Mike McCall, owner and president of MPM Consulting LLC, a consultancy that helps clients deal with insider threats.

Insider threats might indicate their intentions by:

  • Taking proprietary material home without need or authorisation.
  • Paying too much attention to matters outside the scope of duties, particularly those of interest to competitors.
  • Accessing the company network remotely while on vacation, sick leave or other unusual times.
  • Disregarding IT security policies by installing personal software or hardware, conducting unauthorised searches or downloading confidential material.
  • Visiting foreign countries for unexplained or odd reasons.

“I’ve asked one of my contacts at the FBI how many of these indicators you would want to see before taking steps,” says McCall. “The answer is three or four.”


Mitigating insider threats

The Security Executive Council advises companies to form cross-functional risk councils to identify risks of concern and to discuss mitigation strategies for the risks. Among the many types of risks these councils evaluate are insider threats.

“Members of the council are drawn from many functions across the corporation that deal with risk,” says Kathleen Kotwica, executive vice president and chief knowledge strategist with the Security Executive Council. “That’s important because different departments will focus on different risks or aspects of risks.”

“R&D might be concerned about intellectual property theft, while personnel might be more concerned about workplace violence,” she adds. “IT will concentrate on cybercrime, permission issues and the misuse of passwords. By creating an umbrella group, you can look at all the risks facing a company, and communicate it up the chain, including insider threats.”

If the security department is starting an insider risk mitigation program, revamping an existing insider risk program or reviewing the current program, the Security Industry Council can take it through the steps: identify insider risks, rate those risks on a scale from a minor threat to a major threat, identify potential actors and targets, determine who in the corporation is responsible for mitigation, and look at the balance between mitigation options and cost.

“From there, we create a scorecard that reflects which insider threat risks are adequately covered and which are not,” says Kotwica. “This can be used to plan appropriate strategies to reduce the gaps identified.”


Author profile

Michael Fickes End User Correspondent, SecurityInformed.com
