NPSA's Insider Data collection study indicated that some organisations had not made regular or systematic use of their own technical or financial auditing functions to spot irregularities or unusual workplace behaviours.
In other organisations, counter-productive workplace behaviours were known in one part of the organisation, but this was not shared with other sections, resulting in delays in the organisation taking mitigating actions to reduce the risk, allowing insiders to act in the first place, or for some, to continue their activity without detection for longer than necessary.
NPSA advocates a holistic approach to protective monitoring where information about employee risks (physical, electronic audit and personnel data) are brought together under a single point of accountability and governance, to ensure a transparent, legal, ethical and proportionate protective monitoring capability.
The It's OK to Say programme has been developed on the basis of in-depth end-user research with large organisations across the critical national infrastructure and follows the principles of NPSA's 'Embedding security behaviours: the 5 Es'. A number of materials have been produced as part of this programme - organisations should take care to ascertain the pre-requisites before implementation in order to gain maximum impact. We would not, for example, recommend running the animation without setting the context of the threat.
