Security begins within
Organisational success relies on the relationship of trust it has with its people (staff, contractors, stakeholders, suppliers and customers).
When trust breaks down, organisational vulnerability to insider activity increases. Creating the right environment where people adopt good security behaviours is key to reducing insider risk.
Physical, Cyber and Technical security are the visible artifacts of a secure environment.
Personnel security is the embodiment of a psychological security contract to establish trust between the organisation and the individual, determining how staff think, feel and act. This is why security begins within, both at organisational and individual levels.
Circle of trust
Managing the trust you give people requires an enterprise-wide approach. The coordination of organisational controls is required to identify, reduce and recover from insider activity.
It can be helpful to think of this as a circle of trust, where you identify controls that help establish, enable, maintain and regain trust throughout the employee lifecycle.
As an organisation you can:
Establish trust
Initiate trust in the relationship:
Understand the organisational insider risk landscape to enable proportionate and necessary strategic decision making.
Identify and integrate insider risk mitigations into existing policies.
Assess insider risk against the organisation’s assets and business functions.
Adopt risk-based pre-employment screening for all personnel.
Enable trust
Encourage the right security behaviours from the start:
Run induction programs outlining employer expectations for all personnel.
Coordinate governance, policy and process for managing and monitoring insider risks.
Form strategic insider risk working groups to set thresholds, define terms, and track risk trends.
Embed security culture into wider organisational culture activities.
Maintain trust
Continue good security behaviours as personnel move through the organisation:
Run security awareness training for all managers.
Enable personnel to report security concerns.
Align protective monitoring to key business and security risks.
Consequence management: clear disciplinary policies.
Regain trust
Take action when things go wrong to prevent repeat incidents:
Ethical investigations: confidential, fair, and transparent.
Audit and assurance programs for insider risks.
Targeted interventions to reduce repeat incidents.
Communication strategies following major insider risks.
Key services
The most impactful defence for insider risk is often about making better use of existing controls (security and non-security) in a more coordinated and structured way. Au Security can help your business through a range of services.
- Get teams across your organisation up to speed on what insider risk and personnel security are, and what needs to be done to create a circle of trust programme.
- Workshops helping you understand why and where your organisation carries insider risk.
- Consultancy-led asset- and role-based insider risk assessments.
- Help your organisation understand its current level of insider risk maturity, identify gaps in your current security setup, and create a mitigation plan that coordinates and strengthens existing controls.
- Build knowledge and resilience across your organisation through bespoke workshops covering all activities in the circle of trust programme.
- Work alongside your organisation as your insider risk programme matures, providing benchmarking assurance and a critical friend role.