Personnel Security –
Insider Threat Awareness
DC Ric Scott GCGI GCGI MSc MSyI
Counter Terrorism Security Advisor
© Crown Copyright
Learning Outcomes
To provide you with:
• An awareness of Personnel Security.
• An awareness of the Insider Threat and of how to mitigate it.
• Awareness of CPNI products to counter the Insider Threat and where to find them.
Personnel Security – What is it?
“Personnel security is a system of policies and
procedures which seek to mitigate the risk of workers
(insiders) exploiting their legitimate access to an
organisation’s assets for unauthorised purposes”.
- CPNI
Why is Personnel Security important?
• Reduces vulnerability to the insider threat.
• Without it, effectiveness of physical and information security measures can be undermined.
• Advances in physical and information security measures can make insiders more attractive.
The adoption of good personnel
security practices will help
organisations reduce the risk
posed by an insider.
So what is an ‘Insider Threat’?
Definition of an Insider…
“An insider is a person who exploits, or has the
intention to exploit, their legitimate access to an
organisation’s assets for unauthorised purposes”.
- CPNI
An Insider
An insider could be a full time or part-time employee, a
contractor or even a business partner.
An insider could deliberately seek to join your organisation
to conduct an insider act, or may be triggered to act at
some point during their employment.
Employees may also inadvertently trigger security breaches through ignorance of rules, or deliberate non-compliance (due to pressure of work).
Types of insider
• Volunteer/self-initiated insider
• Recruited/exploited insider
• Deliberate insider
• Unwitting/unintentional insider
• Ex-employee
What can you protect against?
Use of insiders by:
o Terrorist organisations.
o Foreign Intelligence services.
o Commercial competitors.
Single-issue groups.
Organised crime groups.
The media.
Disaffected employees seeking revenge.
Reputational Damage
Financial Damage
Operational Damage
Insider activities …..
• Facilitation of 3rd party access to sites/information
• Direct sabotage (electronic or physical)
• Theft of materials or information
• Financial & process corruption
• Unauthorised disclosure of information
So why might an employee engage in insider activity?
• To support a cause.
• For financial gain.
• Loyalty to family, friends or country.
• For emotional gain (recognition/kudos).
• To enact direct revenge upon/demonstrate disapproval with an organisation.
Case study – Edward Devenney
• Royal Navy Petty Officer.
• More than 10 years' service.
• Single.
• Communications specialist with DV clearance (giving him access to extremely sensitive information).
• Devenney served as a member of the Royal Navy’s Submarine service.
• Arrested by British Intelligence in 2012 in a sting operation, trying to sell UK National Security secrets to the Russian security services.
So who are CPNI?
CPNI is the government authority for protective security
advice to the UK national infrastructure.
Their role is to protect national security by helping to reduce
the vulnerability of the national infrastructure to terrorism
and other threats.
They are accountable to the Director General of MI5.
How can they assist with Personnel Security?
Personnel and People Security
Effective protective security requires the integration of:
Physical.
Personnel and people.
Cyber security measures.
There is almost always a human element (direct or indirect)
at a point of security failure.
Therefore CPNI provide a range of advice and tools
focusing on the personnel and people aspect.
CPNI approach
The CPNI approach to good personnel and people security is
focussed on three main strands of activity around the people
element of protective security:
Reducing Insider risk - this strand helps organisations to
reduce the risk of an insider by undertaking good personnel
security practices.
Optimising people in security - this strand helps
organisations understand the importance of building a good
security culture and how to undertake staff behaviour change
campaigns.
Disrupting hostile reconnaissance – this strand looks at
how to mitigate the external people threat by understanding
the mind-set and activities of those undertaking attack
planning and hostile reconnaissance.
Some examples of CPNI products...
The CPNI PerSec maturity
model has been designed to
specifically assess an
organisation’s personnel
security maturity. This is a
key factor, in addition to
physical and cyber security
measures, in strengthening
an organisation’s resilience
to insider and wider external
security threats.
Personnel Security Maturity Model
The model is based on
comprehensive and robust
research into insider acts,
and extensive CPNI
experience in personnel
security mitigations (research
and development
programmes and close
working with the CNI and
overseas partners to test,
refine and embed personnel
security initiatives).
Personnel Security Maturity Model
The benefits of using the CPNI model are:
A starting point for developing a measurable personnel
security improvement programme using the CPNI tools
and guidance which are appropriate to the organisation's
current level of PerSec maturity.
A common and consistent benchmark for personnel
security performance across the critical national
infrastructure (CNI), which will enable individual
organisations to compare themselves with the rest of their
sector.
Personnel Security Risk Assessment
Insider Risk Assessment
Understanding what security
risks your organisation faces
is essential for developing
appropriate and proportionate
security mitigation measures.
The risks that are identified
are then used to inform the
security mitigations that you
implement.
CPNI has developed a risk
assessment model to help
organisations centre on the
insider threat.
The process focuses on
employees (their job roles),
their access to their
organisation’s critical assets,
risks that the job role poses to
the organisation and
sufficiency of the existing
counter-measures.
Ongoing Personnel Security
CPNI’s collection of ongoing
personnel security guidance
and tools can be used to help
an organisation develop and
plan effective practices for
countering the insider threat
and maintaining a motivated,
engaged and productive
workforce.
The application of good ongoing
personnel security
principles adds huge value
to physical and technical
security measures in a
cost effective manner,
promoting good leadership
and management and
maximising people as part
of the security solution.
It’s OK to Say Education Programme
CPNI research and partnership working has frequently highlighted the issue of under-reporting or a lack of intervention by employees when counter-productive and/or unusual behaviours are observed in the workplace. Such behaviours have often been seen to be precursors to insider activity or welfare issues.
The materials provided as part of the ‘It’s OK to Say’
education programme are intended to support
organisations with educating staff on identifying and
reporting unusual or concerning workplace behaviours,
and in setting up mechanisms to promote the
appropriate intervention.
Education on these behaviours will help to build
resilience to insider risks and a stronger security
culture for the organisation and its people.
CPNI products via their website ...
www.cpni.gov.uk
Or….
To obtain more information on Personnel Security advice
and guidance:
• Contact your CPNI sector adviser.
• Contact your local CTSA.
• Complete a general enquiries form via the CPNI website (under the contact page).
www.cpni.gov.uk
Questions
CTSA Contact Details
DC Ric Scott
01463 720 233
Counter Terrorism Hotline – 0800 789 321