Recent employee-on-employee incidents remind us of the importance of protecting workforce privacy and physical well-being. This article provides actionable mitigations across a variety of physical controls to protect your workforce while managing insider threat risk.
Are you concerned about how employee-on-employee incidents could affect your employees’ privacy or result in physical harm? Statistics show that fatal workplace shootings are becoming more frequent. Now is the time to evaluate how your enterprise insider threat program considers workforce protection against insider activities that violate privacy laws or cause physical injury.
Why would a trusted employee violate a team member’s privacy or attempt to harm them? Insiders have conducted nefarious physical activities due to perceived injustices committed by the enterprise, disagreements with co-workers, unrequited advances involving a team member, and more. In such cases, the insider’s motivation may include revenge, hate, other ideological objectives, or more.
In addition to helping sustain business operations, managing insider risk helps protect workforce privacy and prevent self-harm. Policy on recording devices and technology allowed in corporate spaces helps align employee privacy expectations with employer interests. The National Insider Threat Task Force stated in 2018 that federal insider threat risk management programs have successfully prevented multiple suicides.
What Can We Learn from FBI’s Camera Incident About How to Protect Your Workforce?
The recent insider incident involving an FBI contractor putting a camera under a female coworker’s desk is a sobering reminder that physical security threats should be included in an insider risk management strategy. We lack specific details about the case. However, we can learn from it as we move forward with our insider and security risk management programs.
This was not a black swan insider event. This is not the first time a trusted employee has hidden an unauthorized recording device on corporate property, and sadly, it will not be the last. Physical security violations can be particularly challenging to identify. They are designed to take advantage of the employer-employee trust relationship and circumvent traditional physical security controls.
Insider threat management requires more than a technical solution. A computer-based, network solution would have missed the unauthorized recording activity. Motivations aside, insiders targeting an organization’s data frequently rely on computers or technology to obtain the information. However, a team member was the target in this case. The following graphic highlights five additional types of insider activity:

Even well-resourced organizations with a cleared workforce struggle to detect insider incidents. We lack specific insights in this case, but it is likely that the suspect held a security clearance. Research indicates that nearly half of the organizations in one particular survey spend six percent or less of their security budget specifically on managing insider threat risk. One problem that we see is getting team members to report reliable and authentic threats. This is due in part to cultural norms, such as resistance to ‘tattling’ on co-workers, hesitancy to get involved, and hoping the problem will resolve itself. Another problem is that employees lack trust in their management team. They are unsure whether management will be discreet and choose to act on the reported information. Conversely, when employees do report suspicious behavior or activity, it may be a veiled attempt to make themselves appear more promotable or to frame a co-worker in a negative light.
Recommendations for Protecting Your Workforce from Insider Threats
The following recommendations can help protect your workforce from an insider attack, whether non-violent or violent in nature:
- Establish both anonymous and confidential reporting channels for suspected insider activity. Encourage employees who would otherwise say nothing to speak up. First, set up an anonymous reporting channel. Second, establish policies that ensure discretion in handling information from employees who flag concerns. Then, weigh the benefits of incorporating a confidential reporting mechanism. Seek to demonstrate daily that your management team will listen and take employee concerns seriously.
- Set up cameras at all entrances/exits. We cannot assume that cameras will deter all actors. They may still be worth considering as a deterrent to unfavorable behavior for some, though.
- Develop policies prohibiting employees from snooping on or recording colleagues and other enterprise staff members without their consent. Confirm that your new hires are trained on these policies and that they understand and accept them. Include a policy refresher for current employees.
- Develop and maintain facility access credentials. This helps prevent tailgating by insiders or outsiders into unauthorized areas. Ensure that your Security and Human Resources teams work closely during employee off-boarding to terminate badges, identification cards, or smart cards when access is no longer needed.
- Provide active shooter training for your workforce. This type of training has been proven to save lives in professional and public venues.
- Develop an insider threat risk management strategy. This can help your organization identify any gaps in physical or technology security controls, among others. It can provide prioritized recommendations for managing insider threat risk.
- Take additional physical security measures. Consider changing vehicle parking placards, door lock combinations, or badges regularly. Monitor outside the workplace area for casing behavior by former employees, especially those who have been terminated. Frequently, disgruntled employees will demonstrate repeated approach behavior before they follow through with an event. Depending on the size of your organization and security budget, issue new badges to all employees every two years. This provides an alerting indicator if a current employee attempts to access unauthorized facilities or a former employee attempts to gain entry with an out-of-date badge.
Blend Traditional and Modern Risk Mitigations to Best Protect Your Workforce
Protecting your workforce from insider-initiated aggression and personal attacks should include traditional security approaches, such as gates, guns, and guards, and modern approaches, such as including motivational analysis in your risk management plan.
These are not the only methods to help protect your workforce from being involved in an insider incident. However, they help serve as a starting point for deeper discussion with your senior leadership team on what approach works best for your organization.
The challenge for you and your senior leadership team is one of balancing trust and risk. Your organization has accepted a certain level of inherent risk in exchange for building employer-employee relationships; otherwise, you would have no workforce to run your operations!
You must trust your workforce to some degree so that they can fulfill their duties for the sake of continuing business operations. You must accept a certain level of risk that they will bring harm to another team member or the organization. Inclusion and collaboration across all business units will help ensure that you understand the implications of your team’s risk management decisions.
Contact GPSG at cyberteam@gpsg.co for a free consultation to enhance your ability to prevent, detect, and mitigate insider threats.
