Wednesday 22nd November 2023

The rise of ‘insider risk’ and what we can do to prevent it

If you employ people, you have insider risk. Whether information is leaked in error or through malice, it can be hugely damaging…

Many years ago, a good friend of mine was a trainee British Gas showroom manager. In those days these showrooms were where people would go to pay their gas bill or buy a new gas appliance, such as a cooker or gas heater. Most people paid in cash. The manager was a popular guy with all the staff and customers. He worked very hard. So hard he never seemed to take a day off. 

One day the regional manager insisted he take some holiday. While the showroom manager was away it was soon discovered that for years he had been syphoning off large amounts of cash. The reason he had never taken a day off was that it would have become obvious to whoever took over the books that something was very wrong.

I now know this is just one example – albeit a small example – of what we call ‘insider risk’. Insider risk was the subject of the CIPR Crisis Communications Network’s seventh event for 2023. We learnt that insider risk can sadly be a lot more damaging than just missing money. It is also very much on the rise and requires its own crisis communications approach in terms of detection, mitigation, and reputation recovery.

Launch of new insider risk guidance

The backdrop to the network’s event was new guidance from the National Protective Security Authority (NPSA). In fact, the webinar was chosen by the NPSA – the UK’s National Technical Authority for physical and personnel protective security – to launch its new insider risk guidance. NPSA works with a range of other HM Government agencies, the Security Service and the Government Communications Service to make the UK less vulnerable and more resilient to national security threats.

Given the sensitivity of NPSA’s work, the security expert on the panel could not be identified and could not appear on screen. This immediately brought home to the webinar attendees just how high the stakes are in dealing with this fast-evolving type of risk. The NPSA speaker began with a stark quote: “If you employ people, you have insider risk.” Organisations are often heard saying their people are their greatest asset, but it’s important to see the other side of that equation.

It is also crucial to realise that an insider event may not necessarily be a malicious act. Information can be disclosed in error. For example, access to organisational resources may be provided by employees seeking to be helpful to an outsider without realising the possible consequences. And it is not only existing employees who can constitute an insider risk. Past employees do not leave their corporate knowledge behind once they walk out the door. They may also take their long-standing grievances and misplaced desire for revenge with them as well.

Types of insider risk

The NPSA speaker outlined five of the most common types of insider risk: unauthorised disclosure of sensitive information; corruption or fraud; aiding third parties to gain access to organisational data or resources; sabotage; and, finally, violence against other employees or other stakeholders. The latter is more prevalent than was thought previously. This is the category into which the dreadful crimes of the nurse Lucy Letby would fit.

We were given some – anonymised – examples of insider risk manifesting as organisational crises. In 2021, an employee departing from a leading healthcare brand took with them confidential information about Covid-19 vaccines; a global technology company found its infrastructure the subject of sabotage by an employee, leading to tens of thousands of accounts having to be shut down and overall losses in the region of US$1m.

Insider risk on the increase

But these examples are not straws in the wind, as insider risk is on the increase. One of the panellists on the day to share her insights was Fiona Walters, regional CEO, UK and Ireland, at G4S. Based on interviews with 1,775 chief security officers or those in equivalent positions from 30 countries, G4S’s recent World Security Report revealed high levels of concern about insider risk. Indeed, 89 per cent of chief security officers said their company had experienced some form of internal threat in the last year and 92 per cent expected an internal threat over the next 12 months. And yet 60 per cent of organisations do not have a plan to manage insider risk appropriately, according to NPSA’s research.

The leaking of sensitive information is expected to be the biggest internal threat in the next 12 months, according to 36 per cent of respondents. Misuse of company resources or data was the most common internal incident, with 35 per cent of companies having already experienced this over the last 12 months.

In today’s working environment employees are often more transient and much less connected to their employer than the employees of old. Gallup’s 2023 Employee Engagement survey revealed that as few as 23 per cent of employees globally are actively engaged with their work. Strikingly, Jenni revealed that 1 in 6 employees may even actively be looking to tear their employer’s brand apart. It is obvious that employees who are indifferent to – or even hostile to – their employers are much more likely to go on to become insider risks.

Clearly part of the answer to managing insider risk must be positive employee engagement. As Jenni said, managers at all levels of the organisation need to be charged with creating trust. But trust requires transparency on the part of employers. It also requires leadership from the top in terms of modelling the correct behaviours. We can all think of CEOs recently whose behaviour has led to significant reputational damage to their organisations. A positive corporate culture always starts from those in leadership positions, and it helps if those senior leaders are evaluated in their demonstration of the behaviours the organisation values and expects. 360-degree performance reviews should perhaps be for everyone.

Overall, the event underlined how insider risk requires the flexing of the standard crisis communications playbook. Organisations dealing with an external threat can quickly come together and work as a team to deal with the situation. This is much more difficult when the crisis has been caused by one of our own. 

The CIPR Crisis Communications Network returns to the theme of corporate culture and crisis with its last webinar of 2023: Could your corporate culture provoke your next crisis? The webinar will be at 1pm GMT on Tuesday 28 November. Register to attend.

Chris Tucker is chair of the CIPR Crisis Communications Network.