Insider acts by employees and contractors happen on an industrial scale every day. Many of these are relatively run-of-the-mill – employees nicking a stapler, adding some miles to their expense claim, or taking their know-how and contacts from one job to the next. Some incidents are picked up and dealt with; most are not. But every now and then, an insider event occurs that really hits the headlines. For example, in pharmaceuticals, revelations of false promotion, kickbacks and the manipulation of data hit Pfizer in 2009 and GlaxoSmithKline in 2012. In national security there was Edward Snowden and in UK policing, Wayne Couzens.
After each case, a review is conducted, legislation is enacted, and regulations are tightened. Regulatory bodies are created or reformed and often given powers to levy hefty fines to ensure that it can never happen again. In the UK, we have the FCA to regulate the financial industry, the MHRA for pharma, the GSG overseeing security across UK Government and HMIC for police. And there is no doubt that these measures have been effective.
But there is a downside.
The regulatory rabbit hole
At Blacksmiths, we provide advice on protective and cyber security. The first question we ask any new client is, ‘What are you most concerned about?’ Interestingly, in most cases, the answer is not ‘being defrauded’ or ‘losing intellectual property’ – it is ‘being found in breach of the regulations’. We find compliance teams working flat out to ensure that all standards are met to the letter. And quite often, our recommendations for reducing the risk of a major security incident do not fly if there is no regulatory requirement for them.
I have much sympathy for the regulators here. I remember talking to the FCA team when they were seeking to implement the Senior Managers and Certification Regime in 2016. They were under a lot of pressure to stipulate precisely which roles should be included and exactly what measures should be applied. The FCA felt this was not realistic as they could not know the particularities of each organisation, and they favoured a more ‘principles-based’ approach instead. They also recognised the perverse effects that over-strict regulation can have.
‘Unregulated’ roles can pose the greatest insider risk
In insider risk, one of the key controls is role-based security: the principle that people in roles with particularly high levels of access to sensitive material should be subject to additional control measures. Many organisations apply role-based security purely based on regulatory standards. Typically, this means that board members and people with access to client financial data face additional vetting requirements, increased requirements to declare interests and greater management and system oversight. Meanwhile, other ‘unregulated’ people with access to highly sensitive information, such as IT system administrators, personal assistants and even members of security teams, are not subject to any measures at all.
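The point above is that a role's control tier should follow what the role can actually reach, not whether a regulator happens to name it. The script below is an added illustration of that gap check, not code from the article or from Blacksmiths. The role inventory, the systems and the data they hold, the sensitivity weights, the tier thresholds and the control names are all constructed sample data and assumptions chosen for the example; a real inventory would be pulled from the identity and access management records.

```python
"""Exposure-based role tiering versus regulation-based role lists.

Added illustration (not code from the article or from Blacksmiths). The
roles, systems, sensitivity labels, tier thresholds and control names are
constructed sample data and assumptions chosen for the example.
"""
from dataclasses import dataclass, field

# Assumed sensitivity weight per data set (3 = highest).
SENSITIVITY = {
    "client_financial": 3,
    "hr_records": 3,
    "board_papers": 3,
    "source_code": 2,
    "marketing": 1,
}

# Constructed: which data sets each system holds. Administering a system
# gives effective access to everything it holds, whether or not the
# administrator is ever formally authorised to read it.
SYSTEMS = {
    "core_banking": {"client_financial"},
    "hr_system": {"hr_records"},
    "board_portal": {"board_papers"},
    "cms": {"marketing"},
}

# Assumed control sets per tier; each tier includes the lower ones.
TIER_CONTROLS = {
    "baseline": {"identity_check"},
    "standard": {"identity_check", "conflict_declaration", "access_review"},
    "enhanced": {"identity_check", "conflict_declaration", "access_review",
                 "enhanced_vetting", "privileged_session_logging"},
}


@dataclass
class Role:
    name: str
    regulated: bool                                  # named by a regulatory regime?
    data_access: set = field(default_factory=set)    # data the role may read
    admin_scope: set = field(default_factory=set)    # systems it administers
    controls: set = field(default_factory=set)       # measures applied today


def effective_access(role: Role, systems=SYSTEMS) -> set:
    """Data the role can reach directly or through administrative rights."""
    reach = set(role.data_access)
    for system in role.admin_scope:
        reach |= systems.get(system, set())
    return reach


def exposure_score(role: Role) -> int:
    """Sum of sensitivity weights over everything the role can reach."""
    return sum(SENSITIVITY.get(d, 0) for d in effective_access(role))


def tier_for(score: int) -> str:
    # Assumed thresholds: >= 6 enhanced, >= 3 standard, otherwise baseline.
    if score >= 6:
        return "enhanced"
    if score >= 3:
        return "standard"
    return "baseline"


def control_gaps(roles):
    """Return {role_name: (tier, missing_controls)} for roles lacking controls.

    The regulated flag is deliberately not an input: the tier follows what
    the role can actually reach, which is the article's point.
    """
    gaps = {}
    for role in roles:
        tier = tier_for(exposure_score(role))
        missing = sorted(TIER_CONTROLS[tier] - role.controls)
        if missing:
            gaps[role.name] = (tier, missing)
    return gaps


def unregulated_high_exposure(roles):
    """Roles no regulation names but whose reach puts them above baseline."""
    return sorted(r.name for r in roles
                  if not r.regulated and tier_for(exposure_score(r)) != "baseline")


# Constructed sample inventory: the regulated roles carry their full control
# set, the 'unregulated' ones only the identity check everyone gets.
SAMPLE_ROLES = [
    Role("board_member", regulated=True,
         data_access={"board_papers", "client_financial"},
         controls=set(TIER_CONTROLS["enhanced"])),
    Role("client_account_manager", regulated=True,
         data_access={"client_financial"},
         controls=set(TIER_CONTROLS["standard"])),
    Role("it_sysadmin", regulated=False,
         admin_scope={"core_banking", "hr_system", "board_portal"},
         controls={"identity_check"}),
    Role("personal_assistant", regulated=False,
         data_access={"board_papers"},
         controls={"identity_check"}),
    Role("marketing_analyst", regulated=False,
         data_access={"marketing"},
         controls={"identity_check"}),
]

if __name__ == "__main__":
    for name, (tier, missing) in control_gaps(SAMPLE_ROLES).items():
        print(f"{name}: tier={tier} missing={missing}")
    print("unregulated but above baseline:", unregulated_high_exposure(SAMPLE_ROLES))
```

Run as-is, the two regulated roles come out clean while the system administrator lands in the enhanced tier with four missing controls and the personal assistant in the standard tier with two. The design choice that matters is in `effective_access`: administrative rights are folded into data reach, so a role that never 'reads' client data on paper but administers the system holding it is scored as if it did.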
The limitations of security standards in addressing insider risk
Of course, there are security standards such as ISO 27001, the NCSC Cyber Assessment Framework and NIST. While they tend to focus predominantly on information and technical security, they are extremely useful and, increasingly, companies are being required to get accredited. Unfortunately, these frameworks lack detail on insider risk measures, so Blacksmiths plans to produce its own. But the concern remains that such frameworks can incentivise the user to focus on unthinking compliance with a general standard rather than understanding and addressing the actual risks they face.
If regulation means that businesses cease to properly assess risks across their whole organisation and take the steps necessary to reduce them, then a company’s biggest risk might be finding that it is at the centre of the next big scandal, and the birth of yet more regulation.
About the author
Malcolm Sparkes is head of the insider risk consultancy in Blacksmiths group. He previously held a number of senior security roles within UK Government, including running vetting within the FCDO.