People risks for users

Last Updated 26 February 2023

People security

It’s important to mitigate any security risks related to people. People and personnel security comprises an integrated ecosystem of policies, procedures, interventions and effects which seek to enhance an organisation or site’s protective security by:

  • Mitigating the risk of workers exploiting their legitimate access to an organisation’s assets for unauthorised purposes; this is known as ‘insider risk’.
  • Optimising the use of people (both workforce and, where appropriate, the public) to be a force multiplier in helping to prevent, detect and deter security threats.
  • Detecting, deterring and disrupting external hostile actors during the reconnaissance phase of attack planning.

Insider risk

People are an organisation’s biggest asset. However, they can also pose an insider risk. The recruitment of insiders is an attractive option for hostile actors attempting to gain access to data centres and the data they hold.

NPSA defines an insider as a person who exploits, or intends to exploit, their legitimate access to an organisation’s assets for unauthorised purposes. Remember, an insider could be a full-time or part-time employee, a contractor, a supply chain business partner, or customer. In fact, it could be anyone who has been given rightful access to a data centre asset. An insider could seek to join your organisation to conduct an insider act. They may be triggered to act at some point during their employment, or after their employment officially ends.

Certain factors may increase an organisation’s vulnerability to insider activity, including:

  • Ineffective leadership and governance structures to run an insider threat programme.
  • Lack of role-based risk assessment to identify specific high-risk roles.
  • Inadequate personnel security measures during pre-employment screening.
  • Inadequate ongoing personnel security policies and procedures, limiting the organisation’s ability to monitor and investigate insider activity.
  • Poor leadership and management practices, which may reduce organisational trust and erode employee loyalty and commitment.
  • Ineffective security awareness and training at induction, throughout employment and at exit.
  • Lack of a strong security culture, resulting in the workforce not taking individual responsibility for security and reduced compliance with security procedures.

NPSA provides comprehensive guidance and frameworks on managing insider risk.

Security culture

Data centre operators will often have a relatively small number of their own staff onsite but will be joined by staff from other organisations. These may include staff from the data centre’s client organisations employed to provide security and engineering support to their own infrastructure – and other third-party contractors who provide services such as general site security, cleaning and maintenance.

The benefits of an effective security culture include:

  • A workforce that is likely to be engaged with, and take responsibility for, security issues.
  • Increased compliance with protective security measures.
  • Reduced risk of insider incidents.
  • Awareness of the most relevant security threats.
  • Employees who are more likely to think and act in a security-conscious manner.

NPSA provides a variety of materials to help organisations assess their security culture, and direct and shape their own security culture initiatives.

Data centres should be able to demonstrate that they promote a good security culture by conducting:

Pre-employment screening processes
You should seek assurance that data centre operators screen prospective employees who may gain access to your critical assets. Employment screening is the process by which you check whether a potential candidate is suitable for your business.

Staff monitoring
While pre-employment screening helps ensure that an organisation recruits trustworthy individuals, people and their circumstances and attitudes change, either gradually or in response to events. Therefore, continued staff monitoring throughout the duration of their employment is required.

Security training for staff
Dedicated, motivated and professional security staff are an essential component of any protective security regime to mitigate the insider and external people threat.