Personnel Security Guidance in Response to the Situation in Ukraine

This guidance can help keep you and your organisations safe during this time of conflict

Last Updated 03 February 2023

Insider Risk Assessment

Organisations are strongly encouraged to undertake a review of their existing risk assessment to understand any heightened insider risks your organisation may face in view of the current situation. This review will help shape a proportionate response to managing insider risk within your organisation.  

Guidance
Insider Risk Assessment
Understanding what security risks your organisation faces is essential for developing the appropriate and proportionate security mitigation measures
Guidance
10 Steps to Effective Insider Risk Assessment
10 important steps organisations can take to enhance personnel security measures to mitigate insider risk

Vetting

For personnel who hold national security vetting, it is important to remind staff of their responsibilities in maintaining their vetting status. Personal connections within states of concern should be disclosed via the organisation's vetting department. Staff holding NSV who are planning (or have recently travelled) to the region should inform or seek authorisation for travel from their security department.  

Security Communications

Whilst there continues to be a regular feed of media coverage relating to the heightened political tensions, Organisational Seniors are encouraged to communicate with the workforce about the current situation, the potential threat to the organisation and importantly use this as an opportunity to reinforce key security messages that you want the workforce to follow to keep themselves, their colleagues, and the organisation safe.  

Organisations should also seek to utilise their external communications channels to promote their security posture to deter hostile states with malicious motivation.

Staff Vigilance and Reporting

Linked to effective communications, consider what security campaigns you currently deploy across your organisation to educate staff on how state actors target individuals employed in high-risk roles within an organisation. NCSC's recent new guidance highlights that spear phishing is a technique known to have been exploited by State Actors to gain access to networks. Consider temporary mitigations such as implementing a security alert for all incoming emails highlighting the security situation to reduce susceptibility to this type of attack. Organisations may also consider enforcing a password update for all staff and systems to help protect against an existing compromise of systems and which aims to secure networks from further compromise. 

Staff should also be savvy regarding how state actors utilise social and professional networking platforms to target personnel in key roles and what a malicious approach looks like, how staff should respond and how to minimise the risk of being targeted in the first instance. Organisations should recommend staff who utilise social media, check and update their privacy and security settings. 

It is important to ensure that clear mechanisms are in place and understood for staff to report unusual activity or concerns. Senior endorsement to encourage this action is highly recommended. 

Campaign
It’s OK to Say
Identify and report unusual or concerning workplace behaviours, and promote the appropriate intervention
Campaign
Don’t take the bait!
This guidance contains advice on how organisations can defend themselves against malicious emails that use social engineering techniques
Campaign
Social Engineering
The campaign aims to raise awareness about what social engineering is and how staff can better protect themselves against this type of threat.
Campaign
Think Before You Link (TBYL)
NPSA's innovative app allowing users of social media and professional networking sites, to identify the hallmarks of fake profiles used by foreign spies and other malicious actors.

Wellbeing Channels

Organisations should be cognisant of the fact staff may hold differing political views on the current situation. Ensuring wellbeing support channels and provisions to ensure all staff feel safe and are not subject to any workplace violence or intimidation should be considered. These open channels can also be utilised to remind staff of confidential reporting mechanisms should staff wish to report security issues.  

Personal or Official Travel to Ukraine or Russia

Organisations are encouraged to review existing policies relating to official and personal travel to Ukraine or Russia during these heightened political tensions. Organisations and employees should refer to any guidance issued by FCDO whilst planning any personal or business travel to countries likely to be impacted. At the very minimum, processes whereby staff are required to engage with the Security Department prior to travel to these countries are strongly encouraged.  

Business Continuity Arrangements

Review your organisation's existing business continuity arrangements to minimise disruption as far as practically possible to allow your organisation to return to 'business as normal' in the quickest possible time should a security incident occur.  Consider which staff, systems and I.T is vital to your business continuity, how you communicate your business continuity arrangements and what alternative resources are available to your organisation in the event of an incident. 

Did you find this page useful? Yes No

Related Pages