Insider threat

Although most government employees in Australia demonstrate integrity, there have been instances where trusted individuals have engaged in unauthorised removal, dissemination, or mishandling of sensitive material.

This “insider threat” can undermine trust in Australia’s public institutions and potentially compromise national security.

The Australian Government has released a guide which provides an overview of how entities can understand, identify and prevent insider threat. This article explores the key considerations outlined in the guide.

 

What is insider threat?

Insider threat is when an insider intentionally or unintentionally uses their access to conduct activities that could cause harm or negatively affect a workplace.

An insider is a current or former employee or contractor who has legitimate or indirect access to a workplace’s people, information, techniques, activities, technology, assets or facilities. All government employees are considered insiders.

 

Types of personnel who become insider threats

Insiders who pose a threat can be categorised as “unintentional” or “intentional”. There are five different insider “personas” amongst these categories.

 

Unintentional insiders

An unintentional insider is someone who inadvertently or unknowingly betrays the trust placed in them.

There are two personas associated with being an unintentional insider:

  • The accidental insider exposes an entity to loss or exploitation by mistake. This can be due to a lack of security training or awareness provided by the entity.
  • The negligent insider exposes an entity through wilful carelessness. They are familiar with security and information policies, but they choose to ignore them, either because they are in a hurry or think they are irrelevant.

Unintentional insiders are not exempt from investigations or prosecutions for misconduct or criminal conduct.

 

Intentional insiders

An intentional insider is someone who deliberately or knowingly betrays the trust placed in them. This may be to cause harm, gain personal benefit, or advance the interests of another government, entity or individual. Intentional insiders can be malicious, self-motivated or recruited (willingly or through coercion) by a third party.

There are three personas associated with being an intentional insider:

  • The self-motivated insider acts by choice rather than pressure, influence, or direction by a third party. They carry out malicious actions or behaviours, and may groom other trusted insiders to facilitate desired action.
  • The recruited insider is targeted by a third party to exploit their potential, current or former privileged access. This can be known as grooming. The insider may willingly assist the third party.
  • The coerced insider is targeted by a third party to exploit their potential, current or former privileged access. The coerced insider cooperates due to pressure from the third party, often to avoid having private personal information exposed.

 

Types of insider acts

Insider threat can take various forms, most of which encompass corruption. Commonly recognised insider acts are unauthorised use or disclosure of information, espionage or foreign interference, abuse of office, fraud and theft, sabotage, and violence.

 

Unauthorised use or disclosure of information

Unauthorised disclosure is when an individual with access to privileged information discloses it intentionally or unintentionally to an unauthorised party. Disclosure can occur online, verbally or using physical information. Examples include sending privileged information to a personal email address, and having a sensitive discussion in a public place or around family members.

 

Abuse of office

Abuse of office can take many forms, and includes behaviours such as demanding or taking money or favours in exchange for services, misusing public money or granting public jobs or contracts to sponsors, friends and family, and bribing government officials to get lucrative deals.

 

Fraud and theft

Fraud involves dishonestly obtaining a benefit, or causing a loss, by deception or other means. Theft generally refers to the unlawful taking of another person’s property. The benefit gained or loss caused by fraud or theft is not just limited to money or assets. It can also include other resources such as information or intellectual property.

 

Sabotage

Sabotage is the deliberate action of an insider aimed at harming an entity’s infrastructure such as facilities, equipment, and information technology. Sabotage can be physical or virtual. An example is a disgruntled employee installing malware to damage systems.

 

Violence

Violence includes the threat of violence and other threatening behaviours that create an intimidating, hostile or abusive environment. An example is bullying in the workplace.

 

Espionage or foreign interference

Espionage is the theft of information by someone acting on behalf of a foreign power, or intending to provide information to a foreign power which is seeking advantage over Australia.

Foreign interference involves covertly shaping decision-making to the advantage of a foreign power, contrary to Australia’s national interests.

Espionage and foreign interference are a major focus of national security law in Australia.

 

Countering the insider threat

Countering the insider threat involves developing your approach, implementing prevention controls, recognising indicators of insider threat, and responding to an insider threat.

 

Developing your approach

When developing or evaluating your approach, consider:

  • key elements in the Commonwealth Integrity Maturity Framework
  • key stakeholders in your entity
  • critical assets in your entity
  • risks to your entity
  • likelihood of these risks occurring
  • financial, reputational and operational impact to your entity if the risks occurred
  • existing management strategies and controls
  • new strategies to reduce identified gaps or variables

 

Prevention controls

Prevention controls are the most common and cost-effective way to stop insider threats. They include effective leadership to cultivate a pro-integrity culture, education and awareness programs, promoting a solid understanding of the legal framework, established and communicated reporting mechanisms, and protective security measures across personnel, physical and information security.

 

Recognising indicators of insider threat

Indicators of an insider threat can include personal predispositions (e.g. social skills issues), stressors (e.g. financial hardship), concerning behaviours (e.g. excessive travel inconsistent with one’s role), and problematic organisational response (e.g. doing nothing in response to concerns).

 

Responding to an insider act

It’s important for entities to plan ahead and know how they will respond to an insider act. The planned response should be documented, standardised, repeatable, and consistently applied. Consider identifying roles and responsibilities, developing event response processes, including gathering information and investigations, implementing reporting and escalation procedures, and making a referral decision tree.

 

Key takeaways

The Australian Government has released a guide to understanding and preventing insider threats. It categorises insider threats as unintentional or intentional and outlines various types of insider acts. Countering the threat involves developing prevention controls, recognising indicators, and implementing a well-prepared response plan.

Nyman Gibson Miralis provides expert advice and representation in cases of alleged corruption which involve Australian public officials.
