
Leadership and Governance

Strong security leadership can ensure you have effective security strategies

Last Updated 23 May 2023

Introduction

Positive and visible Board level support for protective security is vital to demonstrate to staff the value placed on personnel and people security policies and procedures. As part of an overarching protective security strategy, strong security governance will:

  • Deter employees who may wish to harm your organisation, by creating an open and transparent organisational framework in which security is actively promoted as the responsibility of all staff, while providing the resources and support needed to implement a proportionate, multi-disciplinary approach to countering insider threats.

Strong security leadership, at all levels across your organisation will:

  • Ensure consistency and clear lines of responsibility for the management of security risk
  • Foster a multi-disciplinary approach to countering the insider threat
  • Ensure proportionate and cost effective use of resources
  • Provide essential management information for the purposes of security planning and people management
  • Provide a strong example that both develops and underpins an effective security culture.

NPSA research has identified that a single accountable board level owner of security risk and a top-down implementation of security policies and expected behaviours is likely to promote a more compliant and consistent approach across your organisation.

Inadequate corporate governance structures and a lack of awareness of insider threat at a senior level can undermine effective security strategies and make it harder to detect, investigate and prevent insider activity.

Holistic Management of Employee Risk (HoMER)

The Holistic Management of Employee Risk (HoMER) guidance helps you manage the risk of employees' behaviour damaging your business.

The holistic use of targeted security measures and interventions (e.g. information, personnel and physical) will help you spot high-risk workplace behaviour and reduce the potential for employees to carry out malicious attacks.

This guidance is for board members and the managers of risk in your organisations. A Holistic Management of Employee Risk (HoMER) Executive Summary is also available.

Personnel Security Animations

NPSA's Personnel Security films are one-to-two minute, light-hearted animations for people new to personnel security. The first three are aimed at managers, the next two are for all staff, and the last is for anyone making strategic decisions based on people risk, such as HR, IT and security managers. Upload the films to your intranet or internal message boards, or show them on management, security or induction training courses.

Further explanation is available in Communicating personnel security messages.

Fly in the Ointment

Video transcript

Personnel security: Fly in the Ointment. Management responsibility for employee risk.

Managers are responsible for all aspects of risk in their organisations. Take Sally, a new manager in a cosmetics company. 

On familiarising herself with the organisation she begins to see cracks in its personnel security. 

From the outside, everything looks good. State-of-the-art physical and information security measures were in place to protect the company's assets from outside threats.

But she wondered about the likelihood and impact of threats from insiders: people exploiting their legitimate access for unauthorised purposes. The flies within the ointment.

She discovers that a personnel security risk assessment has never been carried out. 

When visiting one of the research labs, she meets some temporary workers, all wearing visitor passes. 

Why not staff passes, she asks?

She's told that their pre-employment screening isn't yet complete, but due to a tight deadline, the lab manager decided to let them work regardless.

Later, during the same visit, a chemical engineer turned marketing manager uses his old password to log into current research. Sally wonders why his rights weren't removed when he changed roles. 

On the company social network, she sees sensitive information being leaked by staff.

Concerned that the staff don't seem to understand the consequences that could result from their actions, such as loss of operations, reputational damage and a falling share price, Sally recognises that she needs to lead by example and work to improve the company's security culture.

Are you, as a manager, asking the right questions, and can you say "no flies on me" when it comes to personnel security?

See our flyer on holistic management of employee risk on the CPNI website.

Management responsibility for employee risk

This film illustrates how personnel security issues can damage an organisation, its operations, reputation and profit. It gives the message that managers are responsible for dealing with staff security issues, should lead by example and take any necessary action to deal with such issues.

You Choose

Video transcript

Personnel security: You Choose. Effective management is the key to good security.

Mike is a manager under pressure. 

He has a deadline. 

Gina has been chasing Mike, her senior manager, with what started off as a small grievance against her line manager. 

She has been trying to have a meeting for a while, but Mike thinks now isn't the best time. 

Does he tell her to get over it or take it seriously? 

Stop, let's look at the possibilities. 

Gina is frustrated and has had enough. She decides to quit. 

But first, in order to secure a job elsewhere, she provides key information to a competitor. 

She has a draft of the pitch and a great relationship with the client.

Mike's company, after months of work, is outbid by the competitor and the company's future is in question. 

Mike addresses the issues, and Gina's grievance is resolved. 

She is ready to do what it takes to protect a company that treats its employees fairly. She has no reason to leave, look for a new job or undermine the company's bid.

Disgruntled employees can be disloyal. 

They're more likely to steal or damage company property, as well as damage its reputation.

More than half of exiting employees take data when they go. Emails, customer contact lists, even technical plans are often given to competitors.

Good employee welfare extends beyond responding to grievances. People's vulnerabilities outside of the workplace can impact on their professional lives.

For productivity, professionalism and loyalty, having well-managed people pays off.

Which option would you choose? 

For further information on personnel security, visit the CPNI website.

Effective management

This film focusses on the link between insider activity and disgruntled employees, lifestyle vulnerabilities and poor organisational factors. Good managers are more likely to intervene before an insider act occurs.

One Small Step

Video transcript

Personnel security: One Small Step.

Security measures needn't cost the earth. 

In July 1969, the world stopped to watch Neil Armstrong take one small step. 

Steps have been made in physical and information security too. 

But there is still progress to be made, especially in personnel security. 

Without simple precautions, your assets may be at risk. 

There are risks from within, from disgruntled employees or security-careless workers. There are steps you can take to mitigate these.

Carry out pre-employment screening checks on all job applicants.

Job roles and people can change over time, so don't forget about carrying out ongoing routine checks on staff in sensitive roles.

Create physical and digital no-go zones to limit access to assets to those who really need it.

Don't attach unauthorised or unfamiliar media to your computer; it may contain malware.

Eliminate tailgating. Why let people through expensive security doors with just a smile? 

When material does have to be printed, shred anything private.

Don't let people bypass your firewall by going through your bin. 

Appoint an accountable person for personnel security. 

Prevent information silos by bringing departments together. 

These steps shouldn't be alien to you, and they needn't cost the earth. 

If you want more information on personnel security, visit the CPNI website. It's in cyberspace.

Security measures needn't cost the Earth

Also focussing on the insider threat, this film shows managers that small, inexpensive changes to organisational culture can significantly improve the effectiveness of existing security measures.

Your Company Needs You

Video transcript

Personnel security: Your Company Needs You.

Security is everybody's business. 

Who is responsible for security in your organisation? The security guards?

The security manager?

The IT department?

Or does the buck stop with the CEO? 

The answer is all of the above, but they can't do it alone. 

Your company needs you. 

As security technology improves, another way to attack an organisation is from the inside. 

This makes you a potential target. 

Lock away sensitive documents. Do not open email attachments from an unknown sender. 

Be careful with what you post to social media sites. 

And report anything suspicious. 

This might not seem like much and you won't always see the effects. 

But actions like these are what make the difference and keep your organisation safe. 

Don't be the weak link. 

Act now. 

Be smart, be secure. 

Together, we've got it covered. 

If you don't know where to start, contact your organisation's security department or speak to your manager.

Who's responsible for security?

This film shows that everyone is responsible for security. It highlights some common physical, IT and personnel security weaknesses, and suggests seeking more information from your own security team.

People, People, People

Video transcript

Personnel security: People, People, People. You are your company's greatest asset.

£14.5 million worth of diamonds were stolen in 2007 from a bank by a lone, unarmed thief.

Despite high tech security systems, no alarms were triggered. 

Using a stolen passport and charm, he appeared to be a convincing and trustworthy diamond trader. 

Over the next year he visited the bank frequently. 

The employees became his friends, trusting him as one of the team. 

Eventually they gave him the access he needed and then one night he walked out unchallenged with the bag of diamonds. 

All he had to do was make friends with the right group of people. 

The employees had unwittingly fallen victim to social engineering. 

Personnel security is just as important as physical and information security when guarding against insider threats, such as theft or the leaking of sensitive company information.

Insiders can act deliberately or be the victim of manipulation. 

Many security incidents simply occur through carelessness, even if it's only loose talk. One person's brain contains at least 1,000,000 gigabytes of data. Surely that's worth protecting.

You are your company's greatest security asset. Don't be naive, it does happen. 

The solution isn't complex: it's us. Together, we've got it covered.

If you don't know where to start, contact your organisation's security department or speak to your manager.

You are your company's greatest asset

This film, also for all staff, tells the true story of a diamond thief who used social engineering to undermine physical security measures. An employee's behaviour can strengthen or weaken security.

Risky Business

Video transcript

Personnel security: Risky Business. Proportionate response to risk.

You're off on holiday leaving your teenage son home alone. 

He plans a party which spirals out of control. Thousands of pounds worth of damage is caused, and your family's previously good reputation in the neighbourhood is ruined. Raising a teenager can certainly be a risky business. 

Now imagine if it was your business. Would you allow your staff to work without adequate management? It happens. 

In 2012, thousands of customer health records were stolen from a private clinic and sold by an employee. 

Personnel security, like parenting, is about assessing the risks and preparing proportionate responses. 

Before going away, setting some ground rules might have deterred the teenager from hosting a party, whereas an armed guard on the front door would have been too much.

In the office, tight controls on external data transfer are appropriate, whereas cameras on every desk would be over the top.

You don't want to stifle the business with disproportionate security measures, but you do want to make sure your most valuable assets are protected. 

By conducting a personnel security risk assessment, the private clinic would have identified customer health records as key assets vulnerable to theft by employees. 

If you don't want to be running a risky business, see our guidance on personnel security risk assessment. Visit the CPNI website.

Proportionate response to risk

This film illustrates the importance of making proportionate risk management decisions by undertaking personnel security risk assessments.
