Insider Threat: How to help the Whistleblowers
Many frauds are perpetrated by employees who pilfer passwords, access sensitive records or intercept confidential information. But, in fighting this threat, KEVIN DOHERTY warns ‘there’s no silver bullet’.
It’s difficult to appreciate what makes an employee engage in activity that might damage an organisation. Commonly referred to as the ‘insider threat’, the behaviour often results from a complex set of problems – conflicts and disputes or a crisis in the individual’s personal life, coupled with motive and opportunity to cause damage. Many financial institutions now realise that, whatever the cause, the risk cannot be ignored.
Businesses increasingly understand the risk from the ‘insider threat’. Deloitte’s Financial Services Global Security Survey 2010 found that 19% of organisations had experienced one or more information breaches that originated inside the organisation and were instigated by an employee. Research by the Centre for the Protection of National Infrastructure (CPNI) found that ‘85% of the insider acts were carried out by permanent employees rather than by contractors, consultants or agency staff’.
Not all staff roles offer the same opportunity to cause damage. So, imposing blanket security arrangements across an organisation can be costly, restrictive to the business and inefficient.
Conducting a risk assessment will identify which roles offer the greatest potential for damage. However, the resulting mitigation will need to be comprehensive, combining personnel, physical and IT security measures, to be effective. There is no ‘silver bullet’.
A frequently offered rationalisation by staff who breach security is that ‘nobody notices anyway’, and that security is not taken seriously in their workplace.
When employees have been discovered engaging in damaging activities, colleagues and managers often remark that it has come as no surprise. That suggests an organisation’s culture – the development of policies and procedures and raising the profile of security – is an important element in mitigating the ‘insider threat’.
However, that’s only one way of minimising the insider risk. Solutions should encompass the whole employment lifecycle, during recruitment, employment and termination. In combating the wider external threat of organised crime, companies should recognise, for example, that social engineering techniques along with extortion are increasingly being used to coerce staff into providing sensitive information.
But, when staff have been found to have damaged their organisation or to have been involved in criminality, colleagues and managers will often voice long-standing suspicions that they were ‘up to no good’. And they’ll admit, at the same time, that they didn’t report their concerns earlier, either because they were uncomfortable doing so or because there was no identifiable reporting channel they regarded as trustworthy.
So, while financial services companies are required to have formal whistleblowing policies in place, these policies should be actively monitored to ensure that they are fully effective in covering the range of activities applicable to ‘insider threats’.
Contrast this with safety management, for example, where there is often a well-established process for staff to report colleagues who take unnecessary risks, breach safety rules or behave in a way that poses a danger to others. Such reporting is culturally acceptable and facilitated by good communication channels which can protect the identity of the person making the report.
Organisations should consider replicating these arrangements as part of their security response to the ‘insider threat’, as well as employee assistance programmes that can often be used to support staff experiencing difficulty.
The organised use of the workforce as the ‘eyes and ears’ of security is an innovative idea which can sometimes be seen as controversial. However, formal reporting channels can be augmented with technology or security hotlines. Anonymity needs to be protected and the response to reports must be managed carefully.
Few organisations have yet achieved it, but moving a workforce from being security aware to being able to recognise and refer suspicious behaviour could make a big difference in reducing the risk from the ‘insider threat’.