People are an organisation's biggest asset, however, in some cases they can also pose an insider risk. As organisations implement increasingly sophisticated physical and cyber security measures to protect their assets from external threats, the recruitment of insiders becomes a more attractive option for those attempting to gain access.
From May 2023 onwards NPSA will be utilising the following definitions through our various advice delivery and communications channels:
Insider - Any person who has, or previously had, authorised access to or knowledge of the organisation’s resources, including people, processes, information, technology, and facilities.
Insider Risk - The likelihood of harm or loss to an organisation, and its subsequent impact, because of the action or inaction of an insider.
Insider Threat - An insider, or group of insiders, that either intends to or is likely to cause harm or loss to the organisation.
Insider Event - The activity, conducted by an insider (whether intentional or unintentional) that could result in, or has resulted in, harm or loss to the organisation.
Please read the NPSA Changes to Insider Risk Definitions document for further information.
What is Personnel Security?
Personnel security is a system of policies and procedures which seeks to:
- Reduce the risk of recruiting staff who are likely to present a security concern
- Minimise the likelihood of existing employees becoming a security concern
- Reduce the risk of insider activity, protect the organisation's assets and, where necessary, carry out investigations to resolve suspicions or provide evidence for disciplinary procedures
- Implement security measures in a way that is proportionate to the risk
Employees may also trigger security breaches inadvertently, through ignorance of the rules, or through deliberate non-compliance (for example, under pressure of work). Our guidance is also relevant to mitigating these threats.
NPSA has developed a wide range of guidance and products across seven key areas to help organisations make informed decisions about the level of personnel security risk they manage. More information on these key areas is provided below.
Insider Risk Mitigation Framework
The Insider Risk Mitigation Framework is NPSA's recommendation for developing an Insider Threat programme which aims to reduce insider risk.
Implementing the framework facilitates an objective review of security posture and allows measures to be updated or deployed in a risk-based manner.
This ensures proportionate spending on any measures proposed and makes the cost-benefit argument needed to support security recommendations. It also supports organisational security development through the best use of insider risk mitigation methods, further maturing the protective security stance.
Insider Data Collection Study
NPSA has reviewed and analysed cases of insider acts from the UK and overseas to understand how and why these events occurred, and what could have been done to prevent them. The Insider Data Collection Study report provides NPSA's main findings.
NPSA has used this data, and our relationship with the critical national infrastructure (CNI) sector, to test, refine and embed personnel security into protective security measures. The output from that learning has helped us develop effective strategies to assist you in reducing insider risk.
Communicating Insider Events
Effective communication can help reduce the impact of insider events. It goes much further than managing reputational risk: it can make an organisation less vulnerable to an event and, should one occur, improves how well it recovers relational trust, both internally and externally. Insider events: A communications guide to reduce their impact outlines best practice for communicating before, during and after an incident, and gives advice on how to communicate during different types of insider event.
Insider Crisis Simulations
Regularly testing your crisis communications ahead of an insider event helps build collaboration and resilience. To help teams do that in a safe environment, NPSA has created immersive crisis scenarios for different types of insider event.
Personnel Security Maturity Model
We have developed a Personnel Security Maturity Model based on seven core elements of effective personnel security processes, identified through our Insider Data Collection Study and our research and development programme. These are listed below, with links to more information on each element:
- A. Leadership and Governance
- B. Insider Risk Assessment
- C. Employment Screening
- D. Ongoing Personnel Security
- E. Monitoring and Assessment of Employees
- F. Investigation and Disciplinary Practices (Response)
- G. Security Culture and Behaviour Change
There is also an infographic on personnel security measures your organisation should consider.