Professor Rona S. Beattie and Dr David BaMaung, Glasgow Caledonian University (email for corresponding author)


Figure 2: Circles of People Security applied to Enron (Beattie and BaMaung, 2015)
An example of the vulnerability of the supply chain can be seen in one of Beattie and BaMaung’s Financial Sector case study organisations. FinSuppCo provide ancillary financial services to major multinational players in the financial services sector, and have access to considerable amounts of sensitive personal financial data belonging to the customers of these blue chip companies. FinSuppCo have very robust pre-employment screening processes in place, and fortunately have not had a major incident in recent years. However, their very participation in this study has made them realise that there are potential gaps in their overall people security strategy, and as a consequence they are now reviewing the ongoing management of people security for established employees. The empirical research in this case is ongoing and will be reported in due course in future publications. An interesting recent development in this case has been a routine ISO review for their industry standard which is, quite rightly, exploring the company’s pre-employment screening practices; however, even here the regulatory body does not appear to recognise the ongoing, longer-term people security issues and risks within the sector. It is proposed that a future phase of Beattie and BaMaung’s research will be to work with regulatory bodies, as well as government agencies and individual employers, to help them build more robust people security KPIs into their respective regulatory and monitoring frameworks.


Figure 3: The Insider Labour Supply Chain (Beattie and BaMaung, 2015)
Having explored the complexity of the people security field we now move on to consider the types, risks and consequences of Insider Threats.

TYPES, RISKS AND CONSEQUENCES OF INSIDER THREATS
One of the key challenges we face in today’s complex and insecure world is gaining an understanding of the types, risks and consequences of Insider Attacks. The greater our understanding of these issues, the more organisations and governments can be helped to develop strategies to mitigate against insider threat. By having greater knowledge and insight, organisations can develop people security strategies and practices, including relevant staff training and education, to address the particular challenges their sector, industry, organisation and workforce face. Ultimately, it is hoped that the practical application of this growing knowledge base will enable organisations to develop positive, proactive and holistic security cultures. An attempt to provide some insight into this complex topic is provided by Beattie and BaMaung’s (2015b) model, developed through their empirical research, which gives an overview of the interaction between the types of insider threat and their consequences (see Figure 4). Several of these types of insider threat are discussed more fully below by way of illustration.

Figure 4: Types and Consequences of Insider Threats (Beattie and BaMaung, 2015b)

THE UNWITTING INSIDER
An insider threat is perhaps the worst example of a ‘people security’ vulnerability for an organisation. While we refer to insider activity as having some element of deliberate motivation, unwitting or gullible behaviour by an employee, as seen in our model above (Figure 4) in relation to accidental disclosure, could potentially have the same catastrophic impact for an organisation. In 2012, two Australian radio DJs telephoned the King Edward VII hospital while the Duchess of Cambridge was pregnant with her first child. They purported to be the Queen and Prince Charles and were put through to the Duchess’s private nurse to obtain a medical update. The nurse who put the hoax call through subsequently committed suicide as a result of the media storm which ensued (Sawer, 2014). It could be argued that the nurse had been ‘socially engineered’ into a situation where she acted as an ‘unwitting’ insider.
It is becoming more common for criminal gangs or industrial/state sponsored espionage activity to use social engineering techniques to take advantage of human behaviour and our natural willingness to help our fellows in order to breach security procedures and gain access to critical information and systems within an organisation. Adrian Culley, a former police computer expert highlighted ‘social engineering’ as part of a multi-pronged strategy used by criminals.
“It is interesting that ... serious and organised crime gang deployed such a range of methods. The techniques they used included social engineering, backed up with caller-ID spoofing, hardware attacks ...” (Ring, 2014)

Suitable training is required for staff to minimise the likelihood of this happening (Johnson, 2014). However, the one issue that cannot be changed is that the attack vector on the organisation is ‘people’. Having an awareness of our ‘people’ vulnerabilities allows us to develop countermeasures to insider attack. The first port of call to counter these issues (in addition to the response to, and management of, deliberate and malicious activity by an employee) could arguably rest with the organisational HR function. Another vulnerability that social engineering exposes is an environment where poor procedures and processes are employed to maintain security. Examples of this include sharing system passwords, allowing tailgating through security barriers, failing to maintain a clear desk policy so that sensitive documents are left unprotected, and failing to wear identification badges. These can easily be exploited through the ‘unwitting insider’.


One example of an organisation trying to limit ‘accidental disclosure’ of sensitive information is provided by the NHS in Scotland (NHSiS). They have been running an internal communication programme stressing to employees the need to avoid sharing confidential information about patients in public environments such as public transport and the use of mobile technology in public spaces. An example of one of their posters is presented below.
[Image: NHS Scotland internal communication poster on avoiding disclosure of patient information in public spaces]
Having discussed the unwitting insider we move on to the case of the malicious insider.

THE MALICIOUS INSIDER
Almost on a daily basis a scan of the quality media will reveal examples of malevolent actions taken by employees against their employers which have had far-reaching consequences including: reputational damage; financial costs; and even risks to the safety and wellbeing of fellow colleagues. Some recent examples of such people security breaches are provided below, and it is believed that this is only the tip of the iceberg, as many breaches are not reported for fear of the reputational damage that may arise.
Beattie and BaMaung (2015b) argue that this defensive reaction, whilst possibly understandable in the short term, could ultimately be more damaging. Only by explicitly confronting and dealing with such breaches will employees realise that their employer is exercising a proper duty of care to its workforce by minimising the risks to the organisation and its people, and that it is also signalling to any potential malicious insiders that their actions will not be tolerated. Offenders would also be subjected to due disciplinary processes and, in some cases (as in the FinCo example referred to earlier), would be reported to the police for criminal investigation and proceedings to take place.
Some examples of malicious insider cases, culled from the internet media, are presented below.
Threat from Insider Fraud/Corruption
A former Criminal Prosecution Service (CPS) finance manager and her partner, who also worked for the CPS (as well as working as a taxi driver), were jailed for 6 years for a fraud they committed over a 5 year period. They lodged claims involving non-existent taxi journeys and in total defrauded the CPS of £1,000,000 (BBC News, 30/08/13).
Threat from Insider Espionage
Edward Snowden was employed by Booz Allen Hamilton as a defence contractor working for the National Security Agency. He leaked details of government surveillance programmes to the Guardian, including information about intelligence gathering conducted at GCHQ. Snowden saw himself as a legitimate ‘whistle-blower’ who was exposing illegal or questionable intelligence gathering practices by the US and UK. He is now wanted by the US, and has been granted leave to stay in Russia (CNN 10 June 2013).
Threat from Insider Malicious Disclosure
Unfortunately, even those employed to maintain law and order are not immune from involvement in criminal activities and insider attacks, as was very publicly revealed during the Leveson Inquiry into the relationship between the media and the police. A further example of such corruption occurred in the former Lothian and Borders Police Force, where a corrupt police officer was in the pay of an organised crime group. He maliciously leaked confidential police intelligence to his gang bosses on a regular basis. Leaked intelligence was subsequently used in the assassination of a rival gang boss (Alexander, D. in Daily Record, 4 May 2012).
Having explored the different types of insider threats and attacks we now move on to explore the role of HR, and more particularly, HRD in mitigating against insider threats.
HR’S ROLE IN MITIGATING AGAINST INSIDER THREATS
There is growing recognition (Beattie and BaMaung, 2015b) that there are parallels between people security and health and safety, with both bringing rights and responsibilities. As already indicated, people security should be treated as a duty of care, just as health and safety is. When people security fails, the consequences can be severe, as seen in Figure 4. For example, the illegal phone hacking committed by a small group of employees at the News of the World resulted in one of the UK’s oldest newspapers being closed, hundreds of employees losing their jobs, and severe reputational damage to the parent company, News International, and to those public agencies whose employees colluded with the NoW, including the Metropolitan Police (BBC News, 4 April 2012). Sadly, as recently as 24 March 2015 we have seen the worlds of health and safety, external security and the insider threat collide in the tragic crash of Germanwings flight 9525 (BBC News, 06/05/15). At this stage it is too early to draw firm conclusions; however, an emerging finding indicates that our, at times understandable, focus on external threats such as terrorism can divert us from the threat within. In this case it appears that post-9/11 cockpit security prevented the captain from re-entering the cockpit to stop his co-pilot from crashing the plane.
Whilst, as with other aspects of security, it will never be possible to develop a 100% foolproof system, there are a number of actions that organisations can take to reduce the potential for, the frequency of, and the severity of an Insider Attack. Beattie and BaMaung (2015b) have provided an overview of these based on the lifecycle of an employee; these stages are informed by the results of our empirical work, as follows below.
Recruitment, Selection and Pre-Employment Screening
It is perhaps at this stage that many organisations place most emphasis, albeit sub-consciously, on people security. By paying careful attention to identifying the desired behaviours for the role to be undertaken, and to identifying possible contra-indications in relation to security, organisations can then develop appropriate selection tools. These include psychometric tests, behavioural or competency based interviewing, and assessment centres. Another useful practice is to employ successful candidates initially on a probationary period, thus enabling managers and HR professionals to observe employees working in practice and potentially facilitating the identification of inappropriate behaviours, which can, in the case of minor security breaches, result in retraining (as we found at FinSuppCo) or in the ultimate sanction of dismissal. One organisation demonstrating ‘best practice’ recruitment and selection was found at PubOrg2, a unit within the UK NHS.
Given that PubOrg2 operates in the UK NHS, that its staff work with vulnerable people, and that there are many instances of its staff working on their own, particularly in the community outwith the sight of their direct line managers, it is vital that it ensures as far as possible that its recruitment and selection practices and ongoing people management practices are robust. This is particularly important given the concerns expressed about the quality of leadership and care in the Francis Report (The Stationery Office, 2013). It is therefore critical that NHS employers exercise due care when recruiting and employing staff, both from the perspective of patient safety and for the wider reputation of the NHS. The earlier example of the Glasgow Airport bomber also shows the damage that can result from poor ongoing people management.
PubOrg2 is about to embark on a major recruitment exercise, recruiting over 200 clinical and support staff as a result of an expansion of its services. To manage this extensive and challenging recruitment exercise PubOrg2 has adopted a very structured process. Firstly, recruitment adverts have been posted on the internet and intranet, and prospective candidates then register their interest online. Continuing to use e-recruitment processes, candidates are then invited to complete an online application form, which contains a competency map for candidates to match themselves against; some individuals will self-select out at this stage. The application form also includes an equal opportunities form and personal data, which are separated from the material that goes forward to the shortlisting stage. Those candidates who are shortlisted are called for interview and for some roles may also have to undertake practical tests. Prior to confirmation of appointment, those candidates being considered are subject to extensive security checks, including the identity and right to work checks required by UK law. These checks include qualifications, licences and references, all of which are checked at the interview stage by HR staff who have been trained in qualification checking and who should, in most cases, be able to identify fraudulent documents. Yet in many other organisations this important activity is often left to the most junior HR assistant, who simply photocopies the documents and files them without rigorous or expert scrutiny. Following successful interviews candidates are then subjected to police and protection of vulnerable groups checks. Whilst these checks can delay appointments they are a vital part of PubOrg2’s people security processes. A key lesson here for other organisations is not to short-cut these steps when they have urgent vacancies; such practices can create later security vulnerabilities.
Here HR professionals may have to resist pressure from line managers desperate to reach operational strength. PubOrg2 are addressing this issue by providing their line managers not only with training in selection techniques, but also by ensuring they have the relevant knowledge about the importance of pre-employment screening. They are also including in their training questioning techniques to help them identify potential behavioural issues, which may be indicators of future security problems. Finally, care must be taken when employing external screening agencies to ensure that they are actually competent and carrying out the work they have been contracted for, unlike the vetting agency used in the Edward Snowden case.
Whilst these steps are often well applied to the recruitment of staff at the first appointment stage, we argue here that they should also be replicated when internal candidates apply for lateral transfers or promotions. As we note from the literature above, many individuals who go on to commit a hostile act against their employer had no such intention when they joined the organisation. However, events such as traumatic personal events, financial difficulties or conversion to extreme causes through radicalisation can change people’s feelings towards their organisations and result in them committing hostile acts for personal gain or to satisfy some external organisation, e.g. an organised crime gang or a domestic or international terrorist organisation. Here good performance management also plays an important role, and this will be discussed next.
Ongoing People/performance management
Whilst many organisations have robust recruitment, selection and pre-employment strategies in place, this is often where their formal people security practices end. Even FinSuppCo, which has robust pre-employment screening processes in place with operational managers, recognises that more could be done in terms of ongoing people security management as part of performance management. Indeed, a survey of employees, whilst only revealing a few security breaches, nevertheless identified some they themselves had committed, including tailgating and sharing computer passwords with peers and, more worryingly, on occasion with their line manager, who should be setting an example regarding security culture. These are issues that should be dealt with by line managers effectively trained in performance management.
Another, more subtle, performance management issue for line managers to address, supported by their HR colleagues, could be unusual changes in behaviour exhibited by an employee, e.g. a normally extrovert person becoming introverted, or someone changing their working patterns, e.g. staying on late when the office is quiet. What action, if any, is taken by line managers if they observe such unusual changes in behaviour? Indeed, have line managers been trained to identify and address such incidents? Beattie and BaMaung (2015b) argue that this would not only address people security concerns (such as revealing that an employee is under undue duress from an external party to engage in improper conduct), but may also reveal other issues such as stress or other health concerns, attention to which should be an implicit duty of care practised every day by managers. The manager’s intervention, and indeed awareness of such interventions, may deter potential malevolent acts. This is another example of people security simply being part of good management and HR practice.
A key challenge here is the multiple motivations at play, as can be seen in various cases, some of which have been discussed more fully above, e.g. money in the police and News International cases; ‘for the good cause’ by activists (an extreme example might be Bradley Manning of the US Army); disaffected employees; and whistleblowing. A major challenge that is appearing is discerning the genuine whistle blower, rightly bringing wrongdoing to the right authorities’ attention, from other more malevolent motivations. Part of the research team’s future work will be to explore means for genuine whistle blowers to divulge information appropriately without fear of retribution. A potential framework is offered by models based on the legal ‘duty of candour’ for doctors, enacted as part of the Francis Report’s recommendations, which is being rolled out across health professions and all care providers in 2015 and could be considered for other public sector and regulated workforces. However, careful evaluation will be needed of the effectiveness of the duty of candour legislation, policies and practices.

Elaine Maxwell, assistant director at the Health Foundation, welcomed the duty of candour, stating that:

‘At the Health Foundation, we support a duty of candour as it is clearly the right thing to do. We believe it should apply to all healthcare providers, whether NHS or private, and to sub-contractors including cleaning services. But we also believe that there are some potential pitfalls. Careful planning and preparation will be needed to avoid them and to create an open, learning culture which will both help individual patients who have been harmed and inform the design of service to improve safety for future patients. The effort required to implement the duty of candour effectively will be more than recompensed by the results’ (Maxwell, 2013).

It could therefore be argued that supportive and robust whistleblowing policies and practices could prevent the risk of people security breaches.



People Security Risk Assessment
It is perhaps here that the processes of people security have most in common with health and safety. Whilst, as with Health and Safety, it is impossible to foresee and prevent every unsafe or insecure event, it is possible to reduce that risk considerably by adopting robust people security risk assessment strategies. As seen in the example of PubOrg2 above, all employees should be subjected to pre-employment screening involving identity and qualification checks. However, further, more in-depth measures may be required for some roles, which it would be unreasonable and uneconomic to apply to every organisational role. Organisations therefore need to identify which roles are critical in terms of business resilience and sustainability, such as Chief Executives and other senior managers. However, it is also necessary to consider those working at the vulnerable boundaries of the organisation who may not necessarily be at a senior level, including staff with financial signatory powers; staff with access to financial and personal data (as at FinCo and FinSuppCo); IT administrators, who have been identified as a major risk; and security staff, who have the ability to facilitate physical access. Further, as we saw at the London Olympics in 2012, the unacceptable level of risk posed by trying to quickly fill the significant shortfall in security staff from contractors led to the military being drafted in to fulfil that function (Chan, 2013), a role they delivered with considerable professionalism. From the world of higher education, the Chronicle of Higher Education (2014) recently reported significant financial losses and reputational damage caused by data breaches, caused not only by external hackers but also by an ex-contractor at the University of Maryland, resulting in 309,079 student and personnel records, dating from 1998, being breached.
A further risk of data breaches is presented by the increasing use of mobile technology, such as mobile phones and tablets, which puts a physical and unsupervised ‘distance’ between employees and their workplace.
A key lesson therefore is that organisations need to undertake a critical role analysis of key positions as part of their job/role analysis process, prior to undertaking any recruitment and selection process.

Managing exits
Another key HR vulnerability is at the point of, and following, the exit of an employee or group of employees. Clearly their post-exit behaviour will be influenced by the nature of their exit, and line managers and HR managers need to ask some key questions to ensure employee exits are well managed. For example was it a natural retirement? In the case of voluntary or compulsory redundancy, was it a welcome release or did the individual feel pushed? Did the individual resign and if so what was the reason? Was it to gain promotion or did they leave due to disaffection with their current employer? Finally in the most extreme case was the individual dismissed and how was that process managed? As well as these preliminary questions we recommend other practices that organisations should follow including:


  • HR and/or line managers conducting exit interviews, which whilst primarily trying to identify the employee's feelings about their employment with the organisation, may also reveal concerns that require further investigation.

  • Ensuring all ID passes and keys are returned at exit.

  • Ensuring IT access, including remote access, is removed immediately.

The sight of individuals being dismissed or made redundant with immediate effect, escorted out of their office building without returning to their desk, seems on one level incredibly inhumane. However, it is understandable on another level if that individual has the potential to return to their computer and download confidential data or intellectual property that could be used for the benefit of a commercial competitor or for criminal gain.


Interestingly, it was recently reported to the authors that the responsibility for IT access and passwords in a key infrastructure sector is delegated to the HR, not IT, department, and they have the final responsibility for removing ID cards and IT access at the point of exit.
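As an added illustration of the exit-stage controls listed above (this is not code from the paper or from any of its case organisations), the following Python script reconciles an HR leaver list against an identity-directory export, flagging accounts that are still enabled after the exit date, that show a login after the exit date, or that still hold remote-access or privileged group membership. The record layouts, field names, group names and sample rows are all constructed assumptions for the example; a real check would read the same two feeds from the HR system and the directory.

```python
"""Reconcile HR leaver records against a directory export.

Added example, not part of the original paper. Every field name, group name
and sample row below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Leaver:
    employee_id: str
    exit_date: date
    exit_type: str  # assumed values: "retirement", "resignation", "redundancy", "dismissal"


@dataclass
class Account:
    employee_id: str
    username: str
    enabled: bool
    last_login: Optional[date]
    groups: Tuple[str, ...] = ()  # hypothetical directory group names


# Hypothetical group names that grant remote or privileged access.
REMOTE_ACCESS_GROUPS = {"vpn-users", "remote-desktop"}
PRIVILEGED_GROUPS = {"domain-admins", "finance-signatories"}

# Involuntary exits are reviewed first: the paper notes post-exit behaviour
# is shaped by the nature of the exit.
EXIT_PRIORITY = {"dismissal": 0, "redundancy": 1, "resignation": 2, "retirement": 3}


def reconcile(leavers: List[Leaver], accounts: List[Account],
              today: date, grace_days: int = 0) -> List[Tuple[str, str, str]]:
    """Return (username, exit_type, finding) for every account that conflicts
    with an HR exit record. Accounts of current employees are ignored."""
    by_employee = {}
    for acct in accounts:
        by_employee.setdefault(acct.employee_id, []).append(acct)

    findings = []
    for lv in leavers:
        deadline = lv.exit_date + timedelta(days=grace_days)
        for acct in by_employee.get(lv.employee_id, []):
            if acct.enabled and today > deadline:
                findings.append((acct.username, lv.exit_type, "account still enabled after exit"))
            if acct.last_login is not None and acct.last_login > lv.exit_date:
                findings.append((acct.username, lv.exit_type, "login recorded after exit date"))
            if acct.enabled and REMOTE_ACCESS_GROUPS & set(acct.groups):
                findings.append((acct.username, lv.exit_type, "remote access group still assigned"))
            if acct.enabled and PRIVILEGED_GROUPS & set(acct.groups):
                findings.append((acct.username, lv.exit_type, "privileged group still assigned"))

    findings.sort(key=lambda f: (EXIT_PRIORITY.get(f[1], 9), f[0]))
    return findings


# Constructed sample feeds.
SAMPLE_LEAVERS = [
    Leaver("E1001", date(2015, 3, 31), "retirement"),
    Leaver("E1002", date(2015, 4, 10), "dismissal"),
    Leaver("E1003", date(2015, 4, 15), "resignation"),
]
SAMPLE_ACCOUNTS = [
    Account("E1001", "rsmith", False, date(2015, 3, 30)),                      # cleanly disabled
    Account("E1002", "jdoe", True, date(2015, 4, 13), ("vpn-users", "finance-signatories")),
    Account("E1002", "jdoe-adm", True, None, ("domain-admins",)),             # secondary admin account
    Account("E1003", "abrown", True, date(2015, 4, 14)),                      # still inside grace period
    Account("E2000", "current", True, date(2015, 4, 20), ("vpn-users",)),     # current employee, ignored
]


def run_sample(today: date = date(2015, 4, 16), grace_days: int = 1):
    return reconcile(SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, today, grace_days)


if __name__ == "__main__":
    for username, exit_type, finding in run_sample():
        print(f"{username:10} {exit_type:12} {finding}")
```

The grace period is deliberately explicit: a one-day allowance for same-day deprovisioning is defensible, whereas an open-ended one is exactly the gap the list above warns against. Secondary accounts (the `jdoe-adm` row) are only caught because the join is on employee identifier rather than username, which is why an HR-owned exit process needs a reliable mapping from each person to every account they hold.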
The role of training, organisational learning and education
Training
As can be seen from all of the above HR practices, there is a need to ensure that line managers and HR staff have the skills and competences to practise people security effectively. Such training needs to be developed and delivered by HRD and HRM staff; however, as we have seen in the introduction above, this is a key area neglected in their own training, which we explore further in the section on education below.
In addition to line managers and HR staff, other employees also need security training relevant to their role. For example, all staff operating computers need to practise safe IT procedures such as not sharing passwords, not leaving PCs unlocked when they leave their desks, and taking great care with mobile devices, including when using them on public transport. Also, all staff, not just security staff, need to ensure that security takes precedence over good manners by not holding doors open and thus allowing people to tailgate through secure entries. Employees also need to be trained in what to do if they observe suspicious behaviours and in how to use whistleblowing policies effectively. Finally, the messages of such training should be constantly reinforced by employee communication practices such as the poster campaign (illustrated above) adopted by the NHS in Scotland.
Organisational Learning
However, it is not sufficient to have an organisational people security strategy based solely on the work of the HR function. Beattie and BaMaung (2015b) continue that there is a need to develop a holistic approach to people security. This includes contributing to a multi-departmental approach to security, which can help break down barriers between departments and ensure no gaps in security are left. The authors observed the importance of this when participating in a simulated security exercise in PubOrg1. Partly as a consequence of a recent structural re-organisation, it soon became clear that former communication lines and working relationships within the legacy organisations no longer existed or had broken down because role holders had changed. This proved a valuable exercise for the organisation, as it enabled those links to be re-established as well as identifying key gaps in the organisation’s current security framework. As a consequence, Beattie and BaMaung (2015b) recommend that organisations undertake this type of simulation, ideally on an annual basis, to ensure the systems and role-holders in place are fit for purpose. They particularly stress the need for such exercises when organisations have undergone a major strategic change, especially where that has involved significant structural change and changes in personnel, so that organisational learning is preserved and indeed enhanced.


The role of education
As indicated in the introduction above, there is currently no coverage of people security in HRD and HRM curricula in the UK. To address this, the authors have developed an evidence base on the importance of this topic and hope to convince HR Directors and HR faculty of the need to address this increasingly important issue. Indeed, we argue here that people security places HR right at the heart of organisational strategy and business resilience, and thus provides a way for HR to strengthen its case to be at the top table in organisations. In particular, in collaboration with other key bodies such as the CIPD, we hope to explore not only joint research but also how people security can become embedded in the professional network of HR professionals, regardless of specialism, so that it becomes part of any educational programme accredited by the institute. In addition, we are exploring the potential of developing a specialist award or awards at the authors’ institution⁵ for HR staff wishing to specialise in this field, which would also be open to related professionals in disciplines such as risk, business resilience, finance, cyber/IT and security. Indeed, individual modules have the potential to be offered as CPD not just for these groups but also for senior and line managers, and could be contextualised for key sectors such as finance, government, emergency services, defence, transport and energy, as well as for individual organisations. Given that individuals in these roles tend to have very busy and demanding workloads, the proposed awards will be delivered through blended learning, combining weekend face-to-face teaching blocks on our various campuses supported by our online learning platform.
Two key options are being considered. Firstly, a full Masters Degree in Management (People Security), and secondly, a PG Certificate in People Security, which will include modules from the first but will cater for those students unable, at least initially, to make the full commitment to a Masters award. In the first instance these awards will only be open to part-time students; however, access for full-time students considering a career specialising in this field will be considered. These awards will be discussed more fully at the conference.
The aim of the awards is to ultimately help students develop an integrated security culture in their organisations with people security providing a firm foundation (see Figure 5 below).

Figure 5: The aim and purpose of MSc Management (People Security)


The actual design of the degree builds on the university’s existing Masters Management suite whilst incorporating specialist taught modules in people security. In addition the students’ dissertations will be a critical investigation into a people security issue of their choice, rooted in their organisation or sector, which in turn will also add to the overall evidence base in this field.
