The average annual cost of insider threat incidents has almost doubled over the past five years, jumping from US$8.3 million to US$16.2 million per event. Organisations are spending more time and money on containment than on prevention. Events that exceeded 91 days to rectify cost on average US$18.3 million each (Source: 2023 Cost of Insider Risks: Global Report, Ponemon Institute).
Can your enterprise afford the operational impact and financial cost that one insider may inflict? And that impact is before the effects of damage to reputation, as suffered recently by Optus, or perhaps damage to national security, as seen in the 2023 Teixeira case in the United States, which can be significant and enduring.
Who is an insider?
The term ‘insider’ may conjure images of a foreign spy or a Snowden-type of person who compromises highly sensitive government information. The reality is far less exotic – insiders are ordinary people: colleagues and friends in the workplace.
The ASIO 2023 Countering the Insider Threat: A Security Manager’s Guide (ASIO Guide), available through ASIO outreach, defines an insider as ‘a current or former employee or contractor who has legitimate or indirect access to a workplace’s people, information, techniques, activities, technology, assets or facilities’. It is important to keep in mind that insiders also include your supply chain vendors or business partners that have, or had, authorised access to your organisation’s assets.
There are two broad categories of insiders: unintentional (negligent) and intentional (malicious) insiders. An insider’s reasons for conducting harmful activities, either intentionally or unintentionally, are varied, often complex and, as shown by decades of international research, generally have more than one motivation or driver for their behaviour.
Motivation and drivers include financial gain, revenge or perhaps disgruntlement as a consequence of poor workplace culture, lacklustre leadership or poor management and governance processes. The damage insiders inflict includes: theft of intellectual property, unauthorised release of information, sabotage of assets or operations, theft of items, or enabling a cyber-attack by carelessly clicking the phishing link that enables a breach.
Table: Common motivations and drivers for trusted insider behaviour (columns: Unintentional insiders; Intentional insiders).
The Verizon 2023 Data Breach Investigations Report analysis of misuse of legitimate access (insider behaviour) identified that 89 per cent of malicious insiders were motivated by financial gain, followed by disgruntlement, with five per cent motivated by espionage.
Modern workforce challenges
Consideration of the insider threat is relevant to delivering AUKUS and Defence Strategic Review outcomes that will require an increasing defence industry workforce to accept, create and transfer highly sensitive and valuable technology between the AUKUS nations. Further, there are many Australian entities now subject to the Security of Critical Infrastructure Act 2018 (the SOCI Act) that are obligated to implement critical infrastructure risk management programs and report annually on their ability to protect their critical assets and capabilities in support of national sovereignty and resilience. Managing insider threat is a fundamental component of managing a modern workforce.
For defence industry and academia, the two pillars of the AUKUS agreement – nuclear-powered submarines and a cluster of advanced technologies – have exposed the gap between the desired future workforce and the current workforce. The need to attract and retain a highly educated and security-clearable workforce will require a mix of Australian citizens and foreign nationals to meet the national security outcomes Australia is relying on.
Defence reporting suggests that the nuclear submarine program (Pillar I) alone will require perhaps 20,000 employees over the next 30 years across industry, the Australian Defence Force and the Australian Public Service. The workforce will include trades workers, operators, nuclear technicians and engineers, scientists, submariners, project managers and many other skills. Additional to those 20,000 will be the workforce required to address Pillar II activities, such as growing a sovereign guided weapons industry, quantum computing, hypersonics and advanced scientific and engineering activities. How can we cultivate and nurture this workforce over the coming decades, a workforce that will need to operate in a security classified environment?
Finding these skilled and trustworthy people will require exploration of all options, including modifying approaches to managing personnel security. Defence industry, the intelligence community, academia and SOCI entities will be compelled to compete for skilled technical employees from the Australian and international talent pool; however, current government security practices and guidelines make it difficult to employ non-citizens in many roles. With the clear and present risk posed by foreign intelligence services, issue-motivated and extremist groups, organised crime and employee nomadism, it is reasonable to ask: can a trusted workforce be created without increasing the risk of insider threat? We at Providence believe it can.
Insider threat program
An effective Insider Threat Program (ITP) will not only reduce the risk of insider threat to your organisation but also, when integrated with the usual mix of personnel management approaches and tools, be an enabler for employee wellbeing and therefore a foundation for a more productive, engaged, and satisfied workforce equipped with a robust and effective security culture.
In recruiting new employees to meet demand, and recognising the skills shortage, can you afford to reject or discard skilled prospective staff because they do not ‘fit the mould’, or remove existing experienced staff who make simple careless security mistakes? Providence can assist by creating a tailored Insider Threat Program (ITP) that will reduce the insider threat and associated risk and enable proportionate, effective responses, maximising access to skilled workers.
You need to know your people. You need to know the security risks attached to them, not from the perspective of ‘big brother watching you’ but to be able to understand what motivates them and to genuinely support them in dealing with stressors both within and beyond the workplace. The vast majority of insider incidents are perpetrated by individuals whom you selected to be part of your team and who started out in your organisation as committed and loyal employees. But people and their life circumstances change, so managers need to be nimble and alert in detecting changes and managing them to mitigate the risk of an insider threat developing.
Poor organisational culture and ineffective personnel management processes can foster a working environment conducive to insider threats: employees feel undervalued, unsupported, or treated unfairly. Conversely, good culture and processes can mitigate insider threats. So, what can be done?
At Providence we have developed an integrated approach to an ITP, which is delivered through seven steps:
1. Conduct a security risk assessment
- determine the risk tolerance of the organisation as a necessary precursor to tailoring an ITP to address the specific needs, threat types, and unique culture of the organisation.
2. Establish multi-disciplinary governance
- break down data silos, build collective understanding of security objectives and enable information sharing.
3. Introduce in-house, risk-based workforce security screening
- determine the level of screening to be proportional to the level of risk posed by that role to organisational objectives, processes, and business impact.
4. Develop an ITP foundation
- establish and clearly communicate personnel security policies, procedures, education, and training.
5. Enable access and technical controls
- link existing physical and IT security access and technical controls.
6. Empower robust virtual and non-virtual behavioural monitoring
- roll out a reporting mechanism for employees to express their concerns and prompt an investigation capability.
7. Data analysis and reporting using advanced open-source intelligence capabilities
- advanced analytics tools provide automated analysis and reporting based on a risk algorithm that aligns with the risk tolerance of the organisation.
Providence’s approach to an ITP will also equip your organisation to:
- bolster wellbeing, employee performance, staff retention and workforce diversity
- establish an effective, proportionate organisational response to incidents, thus mitigating insider threat
- enhance employee loyalty and the organisation’s security culture.
People. Your greatest assets, sometimes your greatest risk. Adopting a cost-effective method of mitigating insider threat will enable access to new sources of talent and enable you to attract and retain the valuable human capital needed to deliver critical national security outcomes.
Tim Slattery is Senior Director, Enterprise Protective Security, at Providence Consulting Group with 35 years’ experience of the national security and intelligence communities.
Marina Maydanov is the Critical Infrastructure Security Practice Lead at Providence Consulting Group with extensive experience in the national security, infrastructure, and transport sectors.