Insider Prevention and Response: A virtuous circle
When I worked in Government Security, I was involved in numerous investigations into poor behaviour by civil servants and security clearance holders. By contrast, at Blacksmiths, my focus has been much more on preventing insider incidents than on investigating them. However, we did recently get involved in an investigation which contained some useful and interesting insider prevention and response lessons for companies and their security teams.
Over the last few years, we have been working with a multinational client to help them improve their security capability. The investigation was triggered when the company received an anonymous communication containing an audio recording of a senior leader addressing an internal audience. The recording had been edited to make the content appear controversial. There was deep concern in the company, and pressure to act quickly, but they knew that they also had to be careful.
Responsibility for investigations tends to vary between organisations. In this case, it lay with the security team, and a thoroughly good job they did too. The Blacksmiths input came from our behavioural science team, who were able to provide insight into how potential culprits might respond in various scenarios, for example, if questioned, confronted, or ignored.
There are insider prevention and response lessons in this case for senior leaders in organisations. It demonstrates how easy it is for anyone to record private discussions, and how terminology and phraseology matter, because meanings and intent can easily be misconstrued or manipulated.
But the case also sent a message to any would-be insiders about the risks they run with such activity. Investigators were able to work out precisely which meeting the recording was made at, where the insider would have had to be sitting to make it, and who in those seats had the motivation and mindset to do it. It was a short step from there to identifying the culprit. In future, of course, AI-based deepfake technology might make such recordings unnecessary for the potential attacker – but that’s a conversation for another article.
Success, in this case, relied on the company acting swiftly, decisively and discreetly. Discretion was necessary to avoid alerting the perpetrator to the actions that were being taken and to ensure that any suspects were handled appropriately. Speed was necessary because, unfortunately, discretion all too often has a short shelf-life, as was apparent in the recent case of alleged misconduct by TV presenter Huw Edwards. In that case, the BBC came under huge pressure from the media, politicians and the public to identify the alleged wrong-doer while it was still carrying out its internal investigations. Quite aside from considerations of ethics and best practice, the BBC was reluctant to do this, understandably so, given the furore that had surrounded their coverage of the ‘outing’ of prominent individuals falsely accused as part of Operation Yewtree (the Metropolitan Police investigation into accusations of child sexual abuse). If there is a lesson for the BBC, perhaps it is that discretion on its own is not enough – investigations also need to be prompt and swift. In real life, of course, this is often a lot harder than it sounds.
The virtuous circle
Ideally, companies should be thinking about their response to these kinds of events before they actually happen. With another client, we spent a happy morning with a former investigative journalist and a leak investigator exploring how the journalist might exploit insiders and how the investigator might figure out who they were. We came away with lots of useful ideas that the client subsequently worked into their security strategy.
Those of us focused on insider prevention do well to learn from investigations. Lessons learned can be fed back into new insider prevention controls and new ways of working, making it more likely that future events can be stopped. Would-be perpetrators, meanwhile, may take note when an organisation acts decisively to identify and deal with insiders, and may be less likely to act in the first place. Both effects will reduce your insider risk. It’s a virtuous circle.
Blacksmiths can work with your security team, management, and HR to ensure this circle is complete, helping you to prevent future insider acts while learning from those few that will inevitably occur.
About the author
Malcolm Sparkes is head of the insider risk consultancy in Blacksmiths group. He previously held a number of senior security roles within UK Government, including running vetting within the FCDO.