THE INSIDE JOB – THE ‘COMMON VULNERABILITY’ OF MODERN DAY BUSINESSES
People are an organisation’s biggest asset; however, in some cases they can also pose an insider risk. As organisations implement increasingly sophisticated physical, procedural and cyber security measures to protect their assets from external threats, the recruitment of insiders becomes a more attractive option for those attempting to gain access.
The UK Government Centre for Protection of National Infrastructure (CPNI) defines an insider as “a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes”.
An insider could be a full-time or part-time employee, a contractor or even a business partner. An insider could deliberately seek to join an organisation to conduct an insider act or may be triggered to act at some point during their employment. Employees may also inadvertently trigger security breaches through ignorance of rules, or deliberate non-compliance due to pressure of work. Official studies indicate that there are five main types of insider activity:
• unauthorised disclosure of sensitive information
• process corruption
• facilitation of third-party access to an organisation’s assets
• physical sabotage
• and electronic or IT sabotage
The most frequent types of insider activity identified were unauthorised disclosure of sensitive information (47%) and process corruption (42%). Noteworthy demographic information from the study indicated that significantly more males engaged in insider activity (82%) than females (18%) and 49% of insider cases occurred within the 31-45 years age category.
The study also revealed:
• Most insider acts were carried out by permanent staff (88%); while only 7% of cases involved contractors and 5% involved agency or temporary staff
• The duration of the insider activity ranged from less than six months (41%) to more than 5 years (11%)
• More than half of the cases were identified within the first year
• 60% of cases were individuals who had worked for their organisation for less than 5 years
• Most insider cases in the study were self-initiated (76%) rather than as a result of deliberate infiltration (6%); i.e. the individual saw an opportunity to exploit their access once they were employed rather than seeking employment with the intention of committing an insider act.
Financial gain was the single most common primary motivation (47%) and most closely linked to process corruption or giving access to assets.
Recruiting and ongoing managing of staff
Both mobile personnel (drivers) and non-mobile personnel pose a potential security risk to your business. If they have been on-boarded with enough due diligence, full or part-time employees are arguably less of a security risk. Earning a regular salary should result in an increase in loyalty towards the employer and a reduced likelihood of theft risk.
Pre-employment screening seeks to verify the credentials of job applicants and to check that they meet preconditions of employment. When conducting checks, it should be established whether the applicant has concealed important information or otherwise misrepresented themselves. To this extent, pre-employment screening may be considered a test of character. The ways in which pre-employment screening is performed vary greatly between organisations.
The aim of pre-employment screening is to obtain information about prospective or existing staff (if promoted and/or changing jobs in the organisation) and use that information to identify individuals who may present security concerns. Pre-employment screening is the foundation of good personnel security. It allows you to confirm the identity and credentials of those you are granting access to your sites and information and reduces the likelihood of an insider harming your business. British Standard 7858 (BS7858) sets out recommendations for the security screening of individuals to be employed in an environment where the security and/or safety of people, services, personal data or property is a requirement of the employing organisation’s operations or where such screening is in the public or corporate interest.
Initial screening of personnel is a vital component of any business’s security management process. Effective screening satisfies several critical areas, including confirmation that the person applying or presenting themselves to undertake a role is qualified, capable, trustworthy and of good character. It is clearly important to know that the person can undertake the required task from a competency point of view; however, just as important, if not more so, is to ensure from a security perspective that you are able to verify that they are who they say they are. Many identity documents can easily be fraudulently doctored, and operators should develop a process which allows for only a small number of key official identity documents to be used, for example a current driver’s licence and a passport, that can be verified quickly and confidently through official channels.
At a minimum, during pre-employment screening operators should collect the following information, which should, if the prospective candidate is subsequently hired, be regularly updated and maintained in an HR filing system:
• Home address
• Contact details, can these be verified?
• Proof of address and identity, utility bill?
• Copy of driving licence or operator’s licence for machinery
• Emergency contact details
• Employment/character references for the last 5 years – have a process to follow these up
• Criminal record checks for any countries lived in, in the last 5 years
• Consider running a credit check
Ongoing personnel screening
While pre-employment screening helps ensure that an organisation recruits trustworthy individuals, people and their circumstances and attitudes change, either gradually or in response to events. Studies indicate that over 75% of the insider acts were carried out by staff who had no malicious intent when joining the organisation, but whose loyalties changed after recruitment. In many circumstances the employee undertaking the insider act had been in their organisation for some years prior to undertaking the activity and exploited their access opportunistically.
Regular performance reviews should be undertaken. Whilst performance can obviously be more closely managed, such a process may also identify a change in personal circumstances, such as but not limited to: a change of relationship status, change of address, change in financial circumstances, or a change in their ability to perform their role, such as having their driving licence revoked.
Whilst the above applies to all personnel, security staff in particular could become vulnerable where circumstances have changed – could their integrity be compromised through a bribe, for example?
Whilst our primary focus in this report is the risk of cargo theft, the identified principles should serve to highlight wider associated risks concerned with the theft of vehicles, trailers, chassis, containers, other CTUs, identity and fuel. Where mobile personnel are concerned, in practice you are allowing them full trusted access to:
• A vehicle (and trailer/container) or a very valuable asset <US$100,000
• Valuable information about your business/your customer/the cargo
• The cargo itself, often <US$100,000
• Your business’s reputation; they will be representing you to your customer
In any business there will inevitably be periods of peak demand where temporary personnel are required and often at short notice. These occasions are ones where the diligent operator must have robust processes in place. Commercial and operational time pressures should not supersede the need to perform full due diligence checks, specifically checking to see if their employment has ever been terminated by a previous employer to understand the reasons why.
Where an employment agency is used, ensure that you fully understand and are satisfied with their due diligence procedures. What are they checking and how? Are they able to satisfy some of your requirements prior to the temporary worker arriving at your site? What are the terms and conditions of the employment agency? Do they provide any liability cover if one of their temporary workers is either not capable of undertaking the task they are required to or causes loss through an act of negligence?
Clearly there exist specific critical areas of focus around recruitment where mitigation of this type of risk is concerned. Notwithstanding these, more general management controls also need to be considered. The risk emanating from everyday operational procedures may not be immediately identifiable; however, each breach of such management controls should be considered a near miss and could serve to weaken the entire security management program. Whilst not an exhaustive list, some of the key controls and considerations are:
• Do your employees have access to your customers’ premises, systems or data? To what extent is access required and granted and on what basis? Does your customer have security requirements, are you able to adhere, manage and control these requirements for the personnel deployed?
• Access to company uniform – it is often preferable to have both permanent and temporary personnel in company uniform. From a brand recognition and customer satisfaction perspective this can certainly be beneficial. Due consideration, however, should be given to control of the distribution of uniform. Could a temporary worker use the uniform to mis-represent themselves or others, posing as an employee of yours, allowing them access to premises, vehicles or cargo?
• Access to ID badges - Identification badges are implemented as a means of security control. Badges can allow access to restricted areas. Strict controls need to be considered to monitor and manage the distribution of such badges. Are people able to use each other’s badges? Do temporary personnel require a full access badge, or can their access be restricted?
Consider developing an anonymous reporting system to allow personnel to notify the operator of any security incidents, near misses or general concerns they may have. This source of information could be extremely valuable to the operator in better understanding the risks existing amongst the workforce.
Social Media and general communications
Social media is becoming an increasing, albeit less obvious, security threat. Especially amongst lone working mobile personnel, social media is frequently used as a means of keeping in touch with friends, family and colleagues. All posts, however, are location sensitive and therefore traceable and have the potential to divulge a series of valuable security data to organised criminals. As well as revealing the time, date and location, a post can also, for example, show that the driver is away from their vehicle.
Non-mobile personnel are also susceptible to this type of risk and are also capable of unwittingly sharing valuable data from a given site. Bragging to friends, for instance, that they are unloading a container of high value cargo or the latest video game has the potential to raise awareness amongst the perpetrators of theft.
Whilst it may be challenging to restrict personnel from using social media platforms to communicate, operators should consider providing awareness training outlining the risks of the information being shared and how it might be used in the wrong hands.
More traditional methods of communication should also not be forgotten in this regard. Awareness training of all personnel should consider the risks of unwittingly divulging what could be valuable information to strangers. Conversations with peers about the cargo you are handling or carrying at any given time, or perhaps a regular collection from a certain site or delays experienced at a certain site can all be valuable to the organised criminal. You don’t know who might be listening to your conversation!
Operationally, information as to what cargo/load is in what trailer or container in the transport yard should be protected where possible. This information is obviously hugely valuable. Whilst it may be convenient to have these documents easily to hand in the dispatch office, you don’t know who might be visiting and able to see this information. Nor do you know that their intentions are legitimate. This information and paperwork should be kept out of sight whenever possible.
Instructions, especially for temporary staff, are a critical part of your on-boarding and security management procedure. Whilst generally it may be prudent to provide the minimum information possible to complete the task at hand, clear instructions are required regarding, but not limited to:
• Processes regarding documentation
• Processes and expectations regarding communications
• Company procedures regarding security
Provision of wider information, including information around security, should be avoided where possible. Information around the site CCTV coverage and usage, for instance, could be damaging. Information as to when security equipment is under maintenance or down time should be closely guarded. Any known weaknesses in terms of security - a damaged fence or an inoperable security gate - should also remain tightly guarded.
Information about the specification of the vehicles and equipment should also be closely guarded. For instance, the maintenance department unwittingly providing information about security technology fitted to vehicles could open vulnerabilities in the wrong hands. The location of items such as GPS tracking devices and their power source could be valuable to somebody with the intention of stealing a vehicle and cargo.
Where warehouse personnel are concerned, the risk profile changes slightly although many of the principles mentioned in other sections are applicable. Consider which areas of the facility it is critical for personnel to access. Can this be restricted? From a security perspective, is it critical, for example, that temporary personnel are inducted to every area of the facility or just to that area in which they are going to be working? Knowledge of and access to cages within warehouse facilities storing high value or bonded cargoes should be severely restricted and where possible positioned away from external walls of the warehouse.
Where alarms are in place, the location of the control panel and alarm access codes should be closely managed. Codes for disarming alarms should be closely protected by persons with appropriate authority. An alarm system to which everybody knows the disarm code is not a secure one.
Periodic stock taking should always be undertaken by external independent personnel and audited accordingly. Cargo arrival and dispatch information may appear to be low value data, however it can prove extremely valuable to the perpetrators of theft. Divulging this type of information can result in perpetrators developing knowledge as to what cargo is loaded on which vehicles when they are leaving site and the likely immediate route to be taken, affording them the opportunity to track and target cargo for theft.
Restricting information will prevent individuals developing a sound understanding of your operations and make it increasingly difficult for perpetrators to circumvent your security measures. Where critical instructions are concerned, operators should consider potential language barriers. Where possible, pictorial instructions could be used to overcome certain challenges, however in the absence of any other practical options, then operators should strongly consider having instructions translated into several different applicable languages.
Consider access control. If security measures and access control systems exist, would it be better to chaperone temporary workers around the site rather than allowing them direct access?
Develop key control policies for all vehicles. Key management where vehicles are concerned should be managed closely. Keys should not be left on, in or around vehicles at any time when the driver is not present. Vehicle keys should be signed in and out by somebody with the appropriate authority within the business. An appropriate identification and escalation process should be in place if keys are not returned when expected. A policy should also be in place for when a vehicle, and therefore keys, arrive back at site out of normal working hours. Vehicles should always be locked when the driver is not present.