Plenty has been written about the real and present danger of insider threats. Political activists, members of criminal gangs, competitors and even journalists can have motives for trying to join a particular organisation. Once hired, they can exploit their legitimate access for a variety of purposes: unauthorised disclosure of information and criminal damage being the most common. Also, various factors -- ranging from political or religious ideologies, to revenge, status, disaffection, financial gain and coercion -- can influence and change the behaviour and actions of existing employees.A well-documented, easily understood data classification policy is essential before an organisation can justifiably discipline someone for inappropriately accessing or using data.
To combat such dangers, organisations need policies and procedures that cover personnel and security, not only at the point of hire, but also on an ongoing basis. The objective of these policies is to reduce the chances of employing anyone who's likely to present or become a security concern and to manage the risk of existing staff and contractors looking to exploit their legitimate access to your premises, assets or data.
The first and most obvious control is pre-employment screening, a fundamentally important element of any personnel security regime. The role of pre-employment screening is to establish that job applicants and contractors are who they claim to be, verify their credentials and check that they meet any preconditions of employment. These checks will also establish whether an applicant has concealed important information, misrepresented him or herself or presents a possible security concern. The main checks carried out should include the following:
- Verifying the individual's identity;
- Verifying his or her right to work in the UK;
- Confirming employment history and qualifications;
- Checking any unspent criminal records (The Rehabilitation of Offenders Act 1974 enables some criminal convictions to become spent or ignored after an appropriate rehabilitation period.)
If you want to base your pre-employment screening on a standard, use the HMG Baseline Personnel Security Standard (.pdf). This makes particular sense if you work with government agencies, as they may require such checks before allowing your staff entry to their premises. It aims to provide an appropriate level of assurance as to the trustworthiness, integrity and probable reliability of prospective employees or contractors. In addition to the verification of the four elements above, prospective employees are also required to give a reasonable account of time spent abroad for any significant periods, namely six months or more during the past three years.
In order to verify an applicant's identity and other claims before hiring them, you obviously need to ensure all the documentation presented is genuine. The proliferation of and easy access to forged documents means you need to establish the authenticity of every document a prospective employee provides, not just his or her passport or photo driving licence. A Good Practice Guide covering document verification (.pdf) is available from the Centre for the Protection of National Infrastructure (CPNI). It covers in detail how to ensure documents are genuine and that applicants are the rightful owners of them, and also outlines a document verification strategy.
It recommends designating a member of staff to act as an internal specialist on document verification: monitoring developments in detection techniques and documents, such as the new ePassport for UK citizens. It also advises that information about your document verification process should be provided as part of the recruitment process. Stressing how important document verification is right at the start of the recruitment process can act as a deterrent to individuals who might apply using forged documentation.
Although pre-employment screening plays an important part in the personnel security process, it is not a complete solution. Like all aspects of security, screening employees needs to be a continuous process; you can't treat it as a one-off event that only occurs when somebody is hired. People and attitudes can change, either gradually or in response to particular events. Malicious insider acts are often carried out by employees who had no malicious intent when joining the organisation, but whose loyalties and motives changed after recruitment. If you minimise your vulnerability to insider threats, your attention to personnel security must be ongoing.
Such ongoing personnel security measures require a holistic approach that involves a range of integrated methods including access controls, protective monitoring, establishing an effective security culture and screening. However, identifying the right combination of measures can be a significant challenge, because at stake is the relationship and level of trust between your organisation and its staff.
For example, you can easily remove temptation or the chances of an opportunistic attack by enforcing a clear desk and screen policy. However, introducing annual security appraisals in which line managers are asked to raise any security concerns about their staff could quickly damage relations if they're not handled with appropriate care and sensitivity. A less contentious approach would be to monitor email traffic, both for content and destination. This type of monitoring would need to be covered in employment terms and conditions and in your acceptable-usage policies, but it can resolve suspicions or provide supporting evidence for disciplinary procedures.
A well-documented, easily understood data classification policy is essential before an organisation can justifiably discipline someone for inappropriately accessing or using data. It's also an effective way of keeping security in the forefront of everyday tasks and helping to create a more security-conscious culture amongst staff. Unfortunately, no single set of countermeasures can guarantee protection against insiders, but if staff members know that personnel security doesn't stop once they've been hired, it will generally discourage all but the most determined.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.