The Enemy Within: How poor Organisational Culture can give rise to Insider Threat
“A nation cannot survive treason from within. An enemy at the gates is less formidable, for he is known and carries his banner openly…”
Marcus Tullius Cicero (106 – 43 BC)
The amended Security of Critical Infrastructure (SOCI) legislation recently enacted by the Department of Home Affairs has put owners of key and critical infrastructure assets on notice to take steps to protect these assets against a range of external threats. These assets are deemed essential to the functioning of the Australian economy, our society and our national security.
But what of the people who operate, maintain and work within these critical asset classes who may, through their authorised access, do harm to that organisation with or without the intent to do so?
This article will look at the concept of Insider Threat in a number of contexts:
- The legislative requirements to protect critical infrastructure
- In comparison to the threat of terrorism
- The importance of good culture to managing the risk arising from within
Risks come in and out of our collective consciousness based on the frequency, location and recency of occurrence. The brutal events of September 11 in the US (2001), and later London (2005), for example, brought the threat of terrorism into such stark focus that it led to a decades-long global war. Yet the response to that threat has, for much of the Western world, since moved out of public awareness (except perhaps when we go through security at the airport).
Natural disasters like the Christchurch earthquake (2011) and the Black Summer fires (2018-19) decimated not only homes and families but critical infrastructure including roads, railways and radio towers, waking society again to the forces of nature and climate change. But unlike those in the impact zone and their families, many of us have moved on from that awareness.
The ongoing war in Ukraine (2023) highlights the devastation caused when infrastructure and critical assets are targeted and attacked on a daily basis, but war seems far from most of our homes. Attacks on infrastructure have been both physical and cyber in nature, like the Colonial Pipeline hacking in the US (2021) and the Optus and Medibank data leaks (2022).
These threats to modern society are omnipresent and move between physical threats like terrorism and natural disaster (on the left) to more insidious threats like data, cyber and people (on the right):
Diagram 1: PHYSEC and PERSEC threat management
Risk management of physical threats (PHYSEC) like terrorism considers what is vulnerable and at risk (the assets); where the threat emanates (e.g. an extremist group) and how the instigator of the threat might try to access vulnerabilities (like entry points). This results in a threat and risk assessment telling us where to deploy our limited resources.
Risk management of personnel security (PERSEC) considers the threat of attack and exposure from individual actors (both foreign players and our own employees) to critical assets, access controls and data. Controls and counter measures assess everything from people’s suitability of employment through to the specific types of cyber threat such as phishing, hacking or social engineering. This again results in an assessment of the risk we face and the resources required to combat the threat.
However, risk management based on location, recency of event, or headlines tends to focus us on the more spectacular, yet far less likely, forms of threat – like terrorism, for example. A far more potent and realistic threat exists in the very fabric of our organisation, and it is one over which we have far more control. That threat comes from our own people, doing their daily jobs, in most cases without any intent of harm – the Insider Threat.
“We have faced the enemy, and we are them.”
Oliver Hazard Perry, The Battle of Lake Erie (1813)
Everything in an organisation involves people. Our own people give rise to a much larger number of more believable threats than those posed from outside the organisation. This threat may involve fraud, theft of confidential or commercially valuable information, theft of intellectual property and trade secrets, sabotage of security measures, or misconfiguration that leads to data leaks.
This insider threat comes from negligent or malicious insiders, such as employees (present and former), contractors, third-party vendors and business partners who have or had access to inside information.
In this context, it is important to challenge our own thinking on what constitutes the greatest threat to critical infrastructure and consider putting people at the centre of our threat assessments rather than assets. In this way we may begin to appreciate that we ourselves are potentially generating many of our own threats.
There are four factors to consider when making this assessment:
- Does our culture give rise to insider threat?
- Who is responsible for our people?
- What happens across their career?
- How do they interact with/across the full asset lifecycle?
Culture must be our number one priority
Consider how organisational behaviour drives culture. Poor security culture encourages high-risk behaviours. When handled poorly, the following areas create exactly the climate needed to upset and influence people to cause harm and become a threat to our assets:
- Poor leadership results in a lack of direction, with people feeling ignored or overlooked and becoming disenfranchised.
- Psychological safety is the sense that we can bring our whole self to work, and that we are free to speak our mind or share an opinion without fear of recrimination or bullying. Low psychological safety results in withdrawal, passive-aggressive behaviour and acting out.
- Breaches of trust can lead to counterproductive work behaviour, ranging from hiding knowledge or inefficient use of time to serious insider threat activities – e.g., releasing classified information.
- Poor work allocation can mean either not enough work to be done (presenteeism) or too much placed on people who then become stressed or burned out.
- Bad communication can make people feel either left out, or over-informed and having their time wasted (answering endless surveys, for example).
- Poor change management impacts team dynamics, interdepartmental collaboration (or competition), people’s jobs and roles, and creates relational stress.
We are all responsible for all our people
We are prone to distance ourselves from managing threat, or to believe it is someone else’s responsibility. People are supposed to be managed by Human Resources, or People and Culture! However, an overhead division cannot manage the employee experience during the day job. It is in the team we belong to that we experience organisational culture. That team, and our teammates, are our responsibility.
If an employee does not feel supported by their own leaders, they can start questioning their job security, have a sense of uncertainty about the future and feel vulnerable to the events around them. This can lead a previously loyal employee to change their trust in an employing organisation. Loyalty and psychological attachment can be eroded quickly.
People need managing all the way through their employment and beyond
Pre-employment screening is a good first step to make sure we have no bad apples. We can also secure our assets by taking people’s keys and laptop on the way out. But a lot happens on the way through a career. There are measures we should be taking to ensure safety, depicted in the following diagram:
Diagram 2: Managing risk throughout the employment lifecycle
After passing a background check and being employed, the individual undergoes induction and training, and in those first few months exhibits good cultural fit and is accepted by others in the team. It is important to define and communicate the norms of expected behaviour to a new starter. Aim to empower employees to act for the benefit of the organisation.
Once they are on the job, we should monitor their work and behaviour. We must take the time to know our people, and be available to support them. A well-balanced insider threat program can serve as a champion for employee wellbeing and a means to a productive, committed and engaged workforce.
Consider open-source intelligence gathering (OSINT), including pattern recognition across keystroke and building-access data. It is important to have a trusted and safe whistleblower program that enables reporting of suspicious or illegal activity without recrimination. Leaders and supervisors should report counterproductive behaviour noted during performance management.
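The two lifecycle checks above, confirming that leavers no longer hold access and spotting building-access events that break an individual’s normal pattern, can be run over badge logs. The following is an added example (not from the article or from Providence); the roster, badge log and the three-hour tolerance are constructed assumptions.

```python
from datetime import datetime
from statistics import median
from collections import defaultdict

# Constructed sample data: HR roster (end_date None = still employed) and a
# badge log of (user, ISO timestamp, door). Not real records.
ROSTER = {
    "alice": {"end_date": None},
    "bob":   {"end_date": "2023-03-31"},   # left the organisation
    "carol": {"end_date": None},
}
BADGE_LOG = [
    ("alice", "2023-04-03T08:55:00", "main-entry"),
    ("alice", "2023-04-04T09:02:00", "main-entry"),
    ("alice", "2023-04-05T08:48:00", "main-entry"),
    ("alice", "2023-04-06T02:17:00", "server-room"),  # 2am, well outside her pattern
    ("bob",   "2023-04-05T18:40:00", "main-entry"),   # badge used after exit date
    ("carol", "2023-04-03T07:30:00", "main-entry"),
    ("carol", "2023-04-04T07:35:00", "main-entry"),
    ("dave",  "2023-04-05T12:00:00", "loading-dock"), # badge with no HR record
]

def unexpected_holders(roster, log):
    """Badge events by people who are not on the roster, or whose employment
    ended before the event: credentials that should have been collected."""
    hits = []
    for user, ts, door in log:
        record = roster.get(user)
        if record is None:
            hits.append((user, ts, door, "not on roster"))
            continue
        end = record["end_date"]
        if end and datetime.fromisoformat(ts).date() > datetime.fromisoformat(end).date():
            hits.append((user, ts, door, "after end date " + end))
    return hits

def off_hours_access(log, tolerance_hours=3):
    """Events whose hour of day differs from the user's own median hour by
    more than the tolerance (assumed threshold); a simple per-person baseline."""
    hours = defaultdict(list)
    for user, ts, _ in log:
        hours[user].append(datetime.fromisoformat(ts).hour)
    baseline = {u: median(h) for u, h in hours.items()}
    return [(u, ts, d) for u, ts, d in log
            if abs(datetime.fromisoformat(ts).hour - baseline[u]) > tolerance_hours]

if __name__ == "__main__":
    for hit in unexpected_holders(ROSTER, BADGE_LOG) + off_hours_access(BADGE_LOG):
        print("review:", hit)
```

Both functions return findings for a human to review rather than acting on them, which keeps the program in the supportive role the article describes.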
Again, it is leaders who drive the local culture, enable capability development, skills acquisition and training, organise social events, and engender the sense of belonging (or estrangement) – especially for people at the margins. Local team leads are the ones who daily build resilience or corruption, and engender psychological safety or erode it, day by day.
Asset management is not a one-time deal
Lastly, consider how people interact with assets (physical and virtual) across the lifecycle of the asset, illustrated below:
Issues can arise before an asset comes online. One only needs to think of the delays in opening the new ASIO building, the loss of the building’s blueprints (which were accessed offsite through one of the construction workers’ accounts) and the threat of foreign actors accessing those plans before the building was complete. Threat can arise anywhere across the supply chain, at any depth (think smuggling things into a secure facility), or during maintenance activity or an upgrade. It can also arise as an asset is decommissioned and disposed of (especially in the nuclear industry).
Our employees and the people who make up the system that supports and operates critical infrastructure are its greatest advocates and protection. We must put them at the centre of our organisational and security thinking if we are to combat Insider Threat and external attack.
For more information on SOCI, visit our website and for further reading:
- Jamie Buckingham, “9 Lies we tell ourselves about work”
- Dr Eric Shaw on insider threat at IRG (insiderriskgroup.com)
- Rosalind Searle on Organisational Change risk: An operational (dis)trust based framework
Author: Dr Robert Holmes is the Senior Director of Consulting at Providence. His expertise in human behaviour, change management and organisational performance has shaped infrastructure delivery in the Water, Energy and Resources sectors and enabled workforce planning, high performance and resilience.