In this edition of our Insider Risk Digest for weeks 45-46, we highlight a disturbing case of workplace violence and the role that organisational culture plays in mitigating and responding to insider risk. We will also explore the national security implications of the growing insider threat, and what legislative countermeasures can be put in place to help organisations defend their critical assets. Stay updated with the intricate world of insider threats as we provide insights and analyses on these pressing issues.
In June 2023, the BBC launched an investigation into reports and claims brought forward by McDonald’s employees in the UK over sexual assault, harassment, racism and bullying. Now, in November, the BBC states that more than 160 people have approached it with further allegations since the investigative article was published in June. Disturbing details are also being brought forward by individuals, some of them underage, who plan to take legal action against the firm, accusing it of failing to protect them. Whilst most workers are not directly employed by the firm, as McDonald’s operates a franchise system, the individual operators are required to ensure “uniformity and commitment” to the brand’s rules. Questions naturally arise over how McDonald’s can ensure thorough oversight of its franchises in order to improve its workers’ conditions, root out disturbing workplace violence, and help protect its reputation.
A recent article by Ars Technica has raised questions about where the line should be drawn in relation to specific insider acts. When individual employees commit an unintentional insider act, are they really the ones at fault, or is the wider lack of direction from senior management to blame? For reference, Okta published a report concerning a recent data breach that gave hackers access to some Okta customer accounts. According to the report, the customer support system was accessed by hackers because an employee had signed into their personal email on their company laptop, with a high likelihood that their personal credentials had previously been compromised. Whilst it is clear that the employee breached company policy, Ars Technica seeks to outline Okta’s failures in the design of access controls and system/network protection, and in ensuring that company policy is formally communicated. This case underscores the importance of senior management implementing thorough countermeasures to reduce both the likelihood and the impact of an insider incident. Whilst the act originated in an individual’s error, the correct countermeasures were not in place to contain it.
On 7 November, a former UBS employee was sentenced to seven years for stealing almost $2 million from his employer and laundering the illegal proceeds through luxury purchases during the pandemic. While supervising a compensation scheme to reimburse overcharged clients, the culprit approved 46 transactions payable either to himself or to retailers of high-end products. When pleading guilty, the individual attributed his acts to job insecurity that grew throughout the pandemic; the crime involved a serious breach of trust. The recurrent cases concerning financial institutions, also discussed in previous digests, highlight a worrying trend in the sector. Internal monitoring measures are clearly lagging behind when such actions go undetected for so long. Furthermore, with this flurry of cases affecting financial institutions, questions must be raised about the amount of support employees are given, and about the wider organisational culture running through the sector.
Officials in South Korea have been calling for harsher sentencing of individuals who compromise the proprietary information of leading South Korean organisations such as Samsung. With cases of industrial espionage rising rapidly, South Korean prosecutors have struggled to deter further cases because of the lenient punishments currently in place for industrial espionage. Indeed, there have been over 1,300 cases of industrial property theft since 2019, with none of the culprits receiving a prison term of more than six months. The theft of advanced technologies such as semiconductors can significantly damage a country’s national security. In the U.S., for comparison, technology theft crimes can be punished with up to 15 years of imprisonment. This underlines the importance of legislative safeguards that protect critical national players from losing their intellectual property to strategic foreign competitors.
November saw the first edition of the Australian Government’s Critical Infrastructure Annual Risk Review. The report aims to summarise the key risk-driven issues that have affected the security of Australia’s critical infrastructure over the last year. One key takeaway is that espionage and foreign interference have supplanted terrorism as the principal national security concern of the Australian Security Intelligence Organisation. Australian critical infrastructure represents a target that offers foreign adversaries various opportunities, such as obtaining critical research and proprietary information. This position highlights the growing trend of organisations, both public and private, becoming the state’s new front line, and calls for further action to safeguard their vital assets.