June 11th, 2024 | Sterling

How to Help Mitigate Insider Threats In Your Organisation 

We all know that personnel security is central to good business. As part of the recruitment process, employers invest significant amounts of time and labour to find the best-fit employees for both the workplace and the requirements of the job role.  

This might mean looking for suspicious gaps in resume timelines, talking at length with phone references, and running a national police check. Some organisations go as far as manually researching the candidate online to see what their electronic history reveals, even trawling through their social media feeds. This can violate local employment laws, so organisations are advised to work with local screening providers to mitigate the risk of discrimination and unconscious bias.

Finally, when it looks like the organisation is ready to commit, the candidate may be requested to sign a non-disclosure agreement upon acceptance of the position. If the hiring process has gone smoothly, the organisation should be all set for their new hire to start Day One.  

Unfortunately, sometimes your new employee can pose an unexpected risk 

According to statistics released by the Australian Information Commissioner’s Office (OAIC), 23 large-scale cyber-incidents were reported during the first half of 2023. Two breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and theft of paperwork or a data storage device.  

Can your business withstand the financial and operational losses that a single insider threat could cause? The risk can easily go beyond reputational damage, as shown by the Latitude breach in 2023. This was one of Australia’s largest PII (personally identifiable information) breaches in recent history, following the Optus and Medibank data breaches of 2022, which resulted in the personal information of multiple customers being exposed to cyber attackers.

Who and What Is An Insider Threat?  

According to the Australian Security Intelligence Organisation, an insider is a current or former employee or contractor who has legitimate or indirect access to your workplace’s people, information, techniques, activities, technology, assets or facilities.

Insider threats are often difficult to detect because the individual may already have legitimate, authorised access to the information needed to perform their job role. In other words, there is no obvious security breach to spot: the access itself looks normal.

Insider threats usually fall into two categories: intentional and unintentional, according to a guide from the Attorney-General’s Department. Insiders may engage in criminal acts either intentionally or unintentionally, and their motivations can be wide-ranging and often complex.  

In the guide’s foreword, Attorney-General of Australia Mark Dreyfus said that “Insider threat poses a significant risk to all entities due to the ability to bypass physical and electronic security measures through legitimate means… It is an important risk consideration for both government and the private sector.”

Unintentional threats, on the other hand, are posed by insiders who don’t mean to do harm but who also don’t know any better. For example, they may not fully understand which information is actually sensitive or non-disclosable, or they might carelessly divulge confidential or proprietary information at a social gathering.

The best way to help curtail such threats is to make sure all employees and contractors with access to potentially sensitive or confidential information are very clear on what’s considered non-disclosable information and why these measures are in place. Be careful not to just hand employees a contract and expect them to muddle through it: instead sit down with them and carefully explain what each clause means.  

Remember that past behaviour can be an indicator of future problems, but not always. Maybe an employee has been with your company for years, since before you included police checks in your recruitment process. Maybe their circumstances have changed and they’re now under pressure to commit a corporate crime they wouldn’t usually commit.

Regular rescreening of your established and trusted employees goes part of the way to protecting against insider threats. There are also practices you can put in place to reduce the risk of a malicious insider in your organisation and provide the extra reinforcement needed to keep it secure. This even extends to board members, who should also be checked for bankruptcy, as past bankruptcy may affect their ability to make sound financial decisions.

Don’t wait for a security breach to happen: instead, stop insider threats before they happen. Sterling can help you build a stronger security framework and help reduce your risk of fraud, theft, and violence.  

Contact us today to find out more.  

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.