Introduction
Our second edition of 2024’s Insider Risk Digest is here. Now a monthly edition, we bring you the key pieces of news and developments in the realm of insider risk. This month has seen a broad range of cases, blurring the lines of the public and private sectors, making insider threat an increasingly recognised key national security threat.
A nuclear operator at Ontario’s Power Generation has been charged with leaking “safeguarded” information, which could pose a critical harm to Canada. The company operates two plants, reliant on sophisticated technology and intelligence capabilities to safeguard the facilities and keep adjacent communities safe. Evidence has suggested that the operator acted intentionally, in an effort to put Canadian critical infrastructure at risk of sabotage by external actors. This included the unauthorised public disclosure of security vulnerabilities online.
Canada has experienced numerous high-profile insider incidents in the last year, whilst also leading the efforts to protect its academic institutions from possible knowledge security breaches. Indeed, insider risk is receiving growing attention and is being treated as one of the country’s biggest national security threats. Below you will find the opinion of a former CSIS manager on insider risk’s importance following the alleged nuclear plant leaks.
Private organisations are playing an ever-increasing role in national security. Whether this concerns universities or contractors, insider risk cuts across the line between private and public. In early February, an engineer was arrested in the U.S. on federal charges of stealing trade technologies developed by an unnamed company on behalf of the U.S. government. The theft concerned technologies aimed at detecting nuclear missile launches and tracking hypersonic missiles. The engineer, a Chinese native, transferred more than 3,600 files from his professional to personal devices. More than 1,800 of these had been forwarded to a competitor organisation, which he was set to join in April. This included blueprints of the sensor designs used to detect nuclear missile launches and incoming heat-seeking missiles. The engineer had also attempted on numerous occasions, starting as early as 2014, to apply to the talent programmes to aid his home nation’s economic and military development. The lax insider risk countermeasures not only cost the victim organisation hundreds of millions in lost research & development but could greatly compromise the U.S. government’s defensive capabilities. The shortcomings are clear: neither the technical nor the human safeguards were strong enough to protect the highly sensitive information.
A Canadian scientific lab treating infectious diseases also experienced a similar case in February, with a scientist sharing confidential information with China in an effort to help the country improve its capabilities to fight complex pathogens. This not only compounds Canada’s struggles to fight insider risk as outlined in the case above, but serves as a reminder that national competition is extending into more and more sectors, with insiders poised to do the most damage.
The highly respected university of TU Delft has been accused of not doing enough to guarantee the social safety of its workers. The Dutch “Onderwijsinspectie”, or the Education Inspectorate, released a report detailing that employee wellbeing had been largely neglected at board level. The inspection had received almost 150 reports from employees, including incidents of intimidation, discrimination, and harassment. It seems that in the majority of cases, the victims had suffered these acts from individuals higher up within the organisation. Incidents of ‘workplace violence’ can cause important direct and indirect costs that reach well beyond the compromised safety of the workforce, also compromising reputation, access to information, and the retention of talent and knowledge, an increasingly sensitive challenge in the academic environment.
TU Delft has responded through a press release, emphasising the need for permanent improvement in social safety. Nevertheless, TU Delft considers the Inspectorate’s findings inadequate, incomplete and unsubstantiated, causing important reputational damage to the organisation and its people. What remains evident is that TU Delft and other educational institutions can do more to protect their workers’ well-being, which calls for attention across the whole workforce to fostering a more positive, inclusive, and productive environment.
The monitoring of employees can relay metrics measuring performance and help identify suspicious behaviour which may indicate security threats. The increasing digital harmonisation between processes has made these metrics easier to collect than ever before. However, some organisations have overstepped boundaries in the search for greater performance indicators. Amongst these is Amazon, fined €32 million for excessive surveillance of its workers in France. Following complaints by employees and media coverage of the working conditions at Amazon France Logistique, France’s data protection agency found numerous areas where Amazon breached the GDPR directive. The data collection was so broad in scope that employees were even measured through their handheld scanners so precisely that workers had to justify each breach. For example, an alert could be triggered if an employee scanned two items within 1.25 seconds, increasing the risk of error.
Similar to the balance that must be struck between workers’ flexibility and their productivity, a delicate balance must be found between privacy and security. Monitoring employees can be an incredibly useful tool not just to measure productivity, but also to identify indicators of potential insider acts. Overly invasive practices, however, can alienate employees alongside exposing organisations to large litigation costs.
Cepa 21 winery incurred losses amounting to more than €2.5 million following a sabotage at the winery’s grounds. 5 tanks containing 60,000 litres of the winery’s two most expensive varieties were opened at 3 am. The intruder had a perfect knowledge of the winery’s layout and knew how to swiftly sabotage the tanks, something only an individual who was familiar with the winery could execute, but the identity of the culprit is yet to be disclosed. It is certain, however, that the insider must have experienced grievances and shown signs of frustration prior to this incident. Fortunately, only three of the five tanks he had opened contained wine. This incident goes to show that any industry and any organisation can suffer incredibly costly incidents due to neglect of insider risk. Physical access management should in fact not be considered any less important than digital safeguards.