Insider Threat: It’s real, are you ready?

Since 2021, incidents of insider threats have increased by 44 per cent. Cost per incident has increased by more than a third to US$15.38M, with incidents that take more than 90 days to contain averaging US$17.2M (2022 Cost of Insider Threats: Global Report, Ponemon Institute).

Can your enterprise afford the operational impact and financial cost that one insider can inflict? And this is before you consider damage to your reputation, or the potential damage to national security, which, as seen in the recent Tiexeira case in the US, can be significant.

Delivering AUKUS and Defence Strategic Review outcomes will require a larger trusted workforce, more than is currently available, to create and transfer highly sensitive and valuable technology between the AUKUS nations. In addition to Defence industry, there are many Australian entities now subject to the Security of Critical Infrastructure Act (SOCI) that are obligated to implement risk management plans and report annually their ability to protect their vital capabilities in support of national sovereignty and resilience.

For defence industry and academia, the two pillars of AUKUS agreement– nuclear powered submarines and a cluster of advanced technologies – have exposed the yawning gap between workforce fantasy and reality: the fundamental need to grow, win and retain a precious highly educated and secure workforce.

Defence reporting suggests that the Nuclear Submarine Pillar alone will require around 20,000 direct jobs over the next 30 years across industry, the Australian Defence Force and the Australian Public Service including trades workers, operators, technicians, engineers, scientists, submariners, and project managers. That doesn’t include those required to address Pillar 2 activities, such as growing a sovereign guided weapons industry and advanced scientific and engineering activities. How can we grow this workforce over the coming decades?

Growing and finding these reliable and trusted people is an exciting proposition, but to do so we will need to explore all options, including modifying approaches to managing security. Defence industry, academia and SOCI entities will be compelled to compete for workforce from the domestic and international talent pool that current security practices make it difficult to employ. With the clear and present risk posed by foreign intelligence services, issue motivated and extremist groups, and employee nomadism, can a trusted workforce be created without increasing the risk of insider threat?

No organisation is immune to insider threats, which do not just emanate from malicious and criminal activity, but also careless and negligent staff (56 percent of incidents). With the enduring skills shortage can you afford to reject or discard skilled staff because they do not ‘fit the mould’ or make simple carless mistakes?

Moment-in-time approaches to security will be insufficient. People are complex – their motivations, circumstances, attitudes, performance, and loyalties evolve over time, shaped by events internal and external to the workplace that may lead to them becoming an insider threat – deliberately or carelessly. Addressing this requires a security system that is consistent and persistent, and can be tailored at the individual, team and organisational level as required within a mature security culture that enables continuous discovery.

Finding the people who can deliver the technical task and embrace a positive security culture (at all levels of security) can be achieved by a methodology of focused personality assessment, psychometric review, personnel risk appreciation and an activated workforce security culture and supporting governance.  And all that gets an enterprise just to the start line – continually attention is essential.

Australian citizens may obtain government security clearances which provide some measure of workforce assurance that a person is unlikely to become an insider threat.  However, government security clearances, personnel security guidance under PSPF, DSPF and exercised under DISP, and background checking by AusCheck are not dynamically responsive to a person’s changing circumstances and are unworkably slow. How often do people meet their obligations to self-report changes in circumstances? Even when they do, how long before the information is actioned?

However, there is no parallel validation process for non-citizens (albeit for Five Eyes partners, Australia accepts the security clearances granted to partner citizens). So how will we tap into international talent pools to meet workforce demand? The notion that an Australian citizen will be loyal to our sovereign interests and that a non-citizen will not be as loyal is a chimera, rooted in 19th century thinking and blind to contemporary reality that loyalty is far more nuanced and cannot rest on notions of patriotism.

AUKUS governments are moving those with TOP SECRET clearances to a continuous assessment model. But most workers will not need that level of clearance. Defence industry, academia, SOCI and other nationally significant entities can employ elements of that model, indeed some of the very same tools and methods, to assure their workforce who operate at lower security levels but are nonetheless critical to delivering classified or critical national security and resilience outcomes.

A personnel security methodology is available that will enable the trustworthiness of candidates and employees to be assessed on a more comprehensive basis than their citizenship and organisational ‘fit’. By understanding ethnic-cultural norms, personality type, predispositions, and psychological profile we can understand the level of risk a person may pose and design a mitigation approach opening up wider and deeper pools of talent enabling them to bring their highly valuable skills to your enterprise without increasing insider risk. The bonus is that such an approach helps you better understand your workforce by informing welfare, diversity, and culture initiatives.

People. Your greatest assets, sometimes your greatest risk. Adopting a cost-effective method of mitigating insider risk will open new sources of talent and enable you to attract and retain the precious human capital needed to deliver critical national security outcomes.

Author: Tim Slattery – Providence Senior Director Enterprise Protective Security

Adash Janiszewski

Chief Executive Officer

Adash is Providence’s CEO and is responsible to the Providence Board and Providence’s clients for ensuring the timely delivery of outcomes through advice, guidance and mentoring to Providence’s staff.