Many years ago, a good friend of mine was a trainee British Gas showroom manager. In those days these showrooms were where people would go to pay their gas bill or buy a new gas appliance, such as a cooker or gas heater. Most people paid in cash. The manager was a popular guy with all the staff and customers. He worked very hard. So hard he never seemed to take a day off.
One day the regional manager insisted he took some holiday. Whilst the showroom manager was away it was soon discovered that for years he had been syphoning off large amounts of cash. The reason he had never taken a day off was because it would have become obvious to whoever took over the books that something was very wrong.
I now know this is just one example – albeit a small example – of what we call ‘insider risk’. Insider risk was the subject of the CIPR Crisis Communications Network’s seventh event for 2023. We learnt that insider risk can sadly be a lot more damaging than just missing money. It is also very much on the rise and requires its own crisis communications approach in terms of detection, mitigation, and reputation recovery.
Launch of new insider risk guidance
The backdrop to the Network’s event was new guidance from the National Protective Security Authority (NPSA). In fact, the webinar was chosen by the NPSA – the UK’s National Technical Authority for physical and personnel protective security – to launch its new insider risk guidance. NPSA works with a range of other HM Government agencies, the Security Service and the Government Communications Service to make the UK less vulnerable and more resilient to national security threats.
Given the sensitivity of NPSA’s work, the security expert on the panel could not be identified and could not appear on screen. This immediately brought home to the webinar attendees just how high the stakes are in dealing with this fast-evolving type of risk. The NPSA speaker began with a stark quote: “If you employ people, you have insider risk.” Organisations are often heard saying their people are their greatest asset, but it’s important to see the other side of that equation.
It is also crucial to realise that an insider event may not necessarily be a malicious act. Information can be disclosed in error. For example, access to organisational resources may be provided by employees seeking to be helpful to an outsider without realising the possible consequences. And it is not only existing employees who can constitute an insider risk. Past employees do not leave their corporate knowledge behind once they walk out the door. They may also take their long-standing grievances and misplaced desire for revenge with them as well.
Types of insider risk
The NPSA speaker outlined five of the most common types of insider risk: unauthorised disclosure of sensitive information; corruption or fraud; aiding third parties to gain access to organisational data or resources; sabotage; and, finally, violence against other employees or other stakeholders. The latter is more prevalent than was thought previously. This is the category into which the dreadful crimes of the nurse Lucy Letby would fit.
We were given some – anonymised – examples of insider risk manifesting as organisational crises: In 2021, an employee departing from a leading healthcare brand took with them confidential information about Covid-19 vaccines; a global technology company found its infrastructure the subject of sabotage from an employee, leading to tens of thousands of accounts having to be shut down and losses overall in the region of US$1m.
Insider risk on the increase
But these examples are not straws in the wind, as insider risk is on the increase. One of the panellists on the day to share her insights was Fiona Walters, Regional CEO, UK and Ireland, at G4S. Based on interviews with 1,775 chief security officers or those in equivalent positions from 30 countries, G4S’s recent World Security Report revealed high levels of concern about insider risk. Indeed, 89% of Chief Security Officers said their company had experienced some form of internal threat in the last year and 92% expected an internal threat over the next 12 months. And yet 60% of organisations do not have a plan to manage insider risk appropriately, according to NPSA’s research.
The leaking of sensitive information is expected to be the biggest internal threat in the next 12 months according to 36% of respondents. Misuse of company resources or data was the most common internal incident, with 35% of companies having experienced this already over the last 12 months.
So, what is driving this increased risk? Certainly, as has been widely commented upon, there are hostile states looking to attack corporates and infrastructure. As the geopolitical environment takes yet another downturn this risk is likely to increase. Hostile external actors will often look for internal support to give them the access they need.
Organisations – just like individuals – are increasingly reliant on online, networked systems. Access to just one network can supply a huge quantity of data useful to those who wish to do our organisations harm.
Then there are the societal changes we have witnessed over the last few years. Working from home can mean employees become detached from the usual norms of office behaviour. Leaving laptops unattended and unlocked, for example. Clicking on that suspicious email without realising that you should have checked first with a colleague. Meanwhile the cost-of-living crisis has caused financial stress for many and will have undoubtedly increased the temptation for some to engage in behaviours that could be damaging to their employer.
Insider risk and corporate culture
Jenni Field, a past CIPR President and Founder and Director of Redefining Communications, had an interesting employee engagement perspective on the challenge of insider risk. Jenni talked about how organisations should seek to create a culture of psychological safety and how insider risk is as much a symptom of a rupture in the often-unspoken parts of the contract between employer and employee. A corporate culture where employees feel engaged, included, and comfortable to speak out helps reduce the likelihood of an insider event occurring.
In today’s working environment employees are often more transient and much less connected to their employer than the employees of old. Gallup’s 2023 Employee Engagement survey revealed that as few as 23% of employees globally are actively engaged with their work. Strikingly, Jenni revealed that 1 in 6 employees may even actively be looking to tear their employer’s brand apart. It is obvious that employees who are indifferent to – or even hostile to – their employers are much more likely to go on to become insider risks.
Clearly part of the answer to managing insider risk must be positive employee engagement. As Jenni said, managers at all levels of the organisation need to be charged with creating trust. But trust requires transparency on the part of employers. It also requires leadership from the top in terms of modelling the correct behaviours. We can all think of CEOs recently whose behaviour has led to significant reputational damage to their organisations. A positive corporate culture always starts from those in leadership positions, and it helps if those senior leaders are evaluated in their demonstration of the behaviours the organisation values and expects. 360-degree performance reviews should perhaps be for everyone.
Overall, the event underlined how insider risk requires the flexing of the standard crisis communications playbook. Organisations dealing with an external threat can quickly come together and work as a team to deal with the situation. This is much more difficult when the crisis has been caused by one of our own.
The CIPR Crisis Communications Network returns to the theme of corporate culture and crisis with its last webinar of 2023: Could your corporate culture provoke your next crisis? The webinar will be at 1.00pm GMT on Tuesday, November 28th and you can register to attend here: https://www.cipr.co.uk/CIPR/Events/Event_Display_Groups.aspx?EventKey=CN23112806&TrainingCode=CPD&WebsiteKey=0379ffac-bc76-433c-9a94-56a04331bf64
Author: Chris Tucker, Chair, CIPR Crisis Communications Network