Channel stuffing fraud – a distribution problem


What is Channel Stuffing?

Channel Stuffing is also known as ‘trade loading’, and is where sales teams sell an abnormally large quantity of product to distributors at one time. These sales are usually at a significant discount, or on generous payment terms making it both attractive and financially viable to the buyer. Channel Stuffing increases earnings in the short-term, but you are effectively front-loading the next quarter’s sales, which makes it harder to achieve future sales targets.

Sometimes, Channel Stuffing can be fraudulent, such as where a sales person engages in Channel Stuffing to get a higher short term incentive (bonus) or commission knowing they intend to resign before the next quarter. In some cases, the buyer (e.g. retailer) is forced or coerced by the Distributor to purchase the extra inventory. This can damage the relationship and even impact the retailer’s financial viability.

To make it more attractive to sourcing and procurement teams in the retailer, the sales person attempting Channel Stuffing may offer bribes or kickbacks to the retailer’s staff to complete the Channel Stuffing transaction, or distributor sales staff and retailer procurement staff may be acting in collusion to perpetrate the scheme. An illustration of how Channel Stuffing works is shown below:

Companies that don’t have proper controls in place are likely to fall victim here – it’s worth pointing out that Channel Stuffing is an internal fraud, a type of insider threat which occurs in the distribution stage of the supply chain.


What industries are most exposed?

Industries most at risk of Channel Stuffing are those with high margins, because high margins can be discounted without overly impacting revenue. Those most likely to be impacted include:

  • Consumer Electronics
  • Tobacco
  • Automotive Industry
  • Pharmaceuticals
  • Fast Moving Consumer Goods (FMCG)
  • Technology, including software providers
  • Fashion and apparel
  • Industrial equipment
  • Alcohol and Distilled Spirits

As with many supply chain and distribution fraud schemes, it is hard to find reliable statistics on incident data so I have replaced a graph of losses with a more uplifting pic of something I enjoy – getting outdoors!


Who are the victims in Channel Stuffing?

There are two victims in channel stuffing fraud – that is, parties who incur a loss. First is the distributor (channel partner) itself which employs the sales team. This is commonly the case in fraud perpetrated by one or a small group of disaffected sales leads who are trying to engineer a good bonus and intend to resign in the near future to avoid any repercussions.

Where sales people have fraudulently engineered sales, the channel partner may need to engage legal support to claw back bonuses, and may also be subject to financial penalties from the manufacturer under the Distribution Agreement for having inadequate controls which allowed Channel Stuffing to happen.

The second victim is the manufacturer or business which creates its products and sells them to customers via its channel partners. This company is dependent on third party channel partners to execute the distribution agreements as agreed.

Impacts of Channel Stuffing include:

  • Financial: Depending on scale and materiality, Channel Stuffing will likely impact a manufacturer’s actual revenue against plan (forecast), artificially inflating revenues in the short term. For publicly listed companies or companies with Private Equity investors, material cases of Channel Stuffing that go undetected could be misleading to investors and have regulatory impacts.
  • Customer Satisfaction: Customers of the distributor (i.e. retailers) may be forced or coerced to take on additional inventory, which can impact customer satisfaction, brand and reputation. Where products are easily substituted for a rival’s, retailers may even stop offering a product and switch to selling other brands.
  • Inventory distortions: A large volume of unexpected sales (through Channel Stuffing) will result in excess inventory at a retailer, which could take months to clear and may even need to be discounted. This situation can also trigger a manufacturer to build more product, believing that market demand for their product is high. When Channel Stuffing is discovered, one or more parties will be left holding excess inventory, with all the associated implications.
  • Misrepresentation of sales and marketing campaign effectiveness: If a large incidence of Channel Stuffing occurs during a sales campaign or when A|B testing is underway, this may give the wrong impression that the sales are driven by marketing or advertising when they are actually fraudulent. This can cause manufacturers to spend thousands of dollars on marketing and advertising which isn’t actually working.
  • Returns: Some purchasing terms may include provisions for retailers to return excess inventory for a refund a few months after the sale was completed. Sales teams may walk away with a larger bonus, but the manufacturer will be left to unexpectedly refund some or all of the sale, and accept the additional inventory or alternately agree to the inventory being sold at a heavy discount to end users or offloaded onto the resale market. Either way, the manufacturer loses.

How can you identify Channel Stuffing and what are the indicators?

Identifying frauds and insider threats like Channel Stuffing is really an intelligence and analytics problem. In order to detect fraud, we need to know what we are looking for. The most effective way of doing this is to build one or more typologies that capture how the fraud scheme would actually work in your business, and what to look for. If you’ve never heard of a typology, have a read of my previous article.

If you read regularly, you will know I frequently talk about the importance of keeping data on incidents – such as through an incident register. Use the details of a previous case (or public cases involving your competitors or similar industries) for Comparative Case Analysis which allows you to develop detailed fraud detection typologies.

Detecting any type of threat in your data involves identifying the patterns (behaviours, indicators), anomalies (unusual activity), and signatures (unique offender characteristics associated with how they perpetrate the fraud). Indicators of Channel Stuffing to look for in the data includes:

  1. Unusually High Sales Volumes: Look for anomalies and spikes in sales figures, especially towards the end of reporting periods or bonus periods
  2. Rising inventory: setting aside seasonal fluctuations and sales trends, can inventory increases be reliably explained?
  3. Extended Payment Terms: Do unusual sales volumes correlate with issuing of extended payment periods or more favourable return policies for retailers?
  4. Excessive Discounts or Incentives: Is your business offering unusually high discounts, rebates, or incentives to distributors or retailers?
  5. Returns and Chargebacks: (lagging indicator) Can abnormal rates of returns, chargebacks, or unsold inventory be observed in a period after indicators 1-4 were identified?
  6. Abnormal Sales Patterns: Are there any anomalies such as consistently high sales in the last week of a reporting period?
  7. Increased Distributor or Retailer Complaints: Are partners reporting concerns about pressure to accept more inventory than they can reasonably sell?
  8. Unrealistic Sales Targets: Are they realistic, or are they impossible which encourages sales staff to resort to Channel Stuffing (especially where sales team compensation is commission-based)?
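The indicators above lend themselves to simple checks over a table of distributor orders. The following is an added example, not code from the original article: it runs indicators 1, 3, 4, 5 and 6 over a constructed set of orders and returns (the records, distributor names, period dates and all thresholds are assumptions chosen for illustration) and produces a per-distributor triage view that an analyst could take into a typology-based review.

```python
"""Indicator checks for channel stuffing over a table of distributor orders.

Added example with constructed data: the order and return records and the
thresholds below are illustrative assumptions, not figures from the article.
"""
from datetime import date, timedelta
from statistics import median

# Constructed sample orders: (order_date, distributor, qty, discount_pct, payment_terms_days)
ORDERS = [
    (date(2024, 1, 8), "DIST-A", 100, 10, 30),
    (date(2024, 1, 15), "DIST-B", 120, 10, 30),
    (date(2024, 1, 29), "DIST-A", 90, 10, 30),
    (date(2024, 2, 12), "DIST-B", 110, 12, 30),
    (date(2024, 2, 26), "DIST-A", 100, 10, 30),
    (date(2024, 3, 11), "DIST-B", 105, 10, 30),
    # Final week of the quarter: an abnormally large, heavily discounted order on long terms.
    (date(2024, 3, 27), "DIST-B", 2000, 35, 120),
]

# Constructed sample returns booked in the following quarter: (return_date, distributor, qty)
RETURNS = [
    (date(2024, 5, 20), "DIST-B", 900),
]

Q1_START, Q1_END = date(2024, 1, 1), date(2024, 3, 31)
FOLLOW_UP_END = date(2024, 6, 30)  # how far after the period we look for returns


def in_period(d, start, end):
    return start <= d <= end


def last_week_share(orders, start, end):
    """Indicators 1 and 6: share of the period's units booked in its final seven days."""
    period = [o for o in orders if in_period(o[0], start, end)]
    total = sum(o[2] for o in period)
    if total == 0:
        return 0.0
    cutoff = end - timedelta(days=6)
    tail = sum(o[2] for o in period if o[0] >= cutoff)
    return tail / total


def outlier_orders(orders, start, end, qty_mult=3.0, discount_delta=15, terms_mult=2.0):
    """Indicators 3 and 4: orders whose size, discount or payment terms stand out
    from the period's median. Thresholds are assumed values for the example."""
    period = [o for o in orders if in_period(o[0], start, end)]
    med_qty = median(o[2] for o in period)
    med_disc = median(o[3] for o in period)
    med_terms = median(o[4] for o in period)
    flagged = []
    for o in period:
        reasons = []
        if o[2] > qty_mult * med_qty:
            reasons.append("quantity")
        if o[3] > med_disc + discount_delta:
            reasons.append("discount")
        if o[4] > terms_mult * med_terms:
            reasons.append("terms")
        if reasons:
            flagged.append((o, reasons))
    return flagged


def return_rate(orders, returns, distributor, sale_start, sale_end, return_end):
    """Indicator 5 (lagging): units a distributor returned after the period as a
    share of the units sold to it during the period."""
    sold = sum(o[2] for o in orders
               if o[1] == distributor and in_period(o[0], sale_start, sale_end))
    returned = sum(r[2] for r in returns
                   if r[1] == distributor and sale_end < r[0] <= return_end)
    return returned / sold if sold else 0.0


def assess_period(orders, returns, start, end, follow_up_end,
                  share_threshold=0.4, return_threshold=0.2):
    """Combine the indicators into a per-distributor triage view for investigators."""
    share = last_week_share(orders, start, end)
    flagged = outlier_orders(orders, start, end)
    distributors = {o[1] for o in orders if in_period(o[0], start, end)}
    findings = {}
    for d in sorted(distributors):
        d_flags = [(o, r) for o, r in flagged if o[1] == d]
        rr = return_rate(orders, returns, d, start, end, follow_up_end)
        findings[d] = {
            "outlier_orders": len(d_flags),
            "outlier_reasons": sorted({reason for _, rs in d_flags for reason in rs}),
            "return_rate": round(rr, 3),
            "review": bool(d_flags) or rr > return_threshold,
        }
    return {
        "last_week_share": round(share, 3),
        "period_spike": share > share_threshold,
        "distributors": findings,
    }


if __name__ == "__main__":
    result = assess_period(ORDERS, RETURNS, Q1_START, Q1_END, FOLLOW_UP_END)
    print("Share of Q1 units booked in the final week:", result["last_week_share"])
    for name, info in result["distributors"].items():
        print(name, info)
```

The period-level check (share of units booked in the last week) is what makes the end-of-quarter pattern visible; the per-order check against the period median is deliberately simple so that a single large order cannot hide by dragging the mean with it. The return-rate check only becomes informative once the following period has closed, which is why the article describes it as a lagging indicator.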

By paying attention to these indicators, you can help businesses detect and prevent channel stuffing, ultimately safeguarding their financial integrity and long-term relationships with distributors and retailers. Additionally, offering guidance on transparent and ethical sales practices will contribute to sustainable business growth.

Four things businesses can do to minimise Channel Stuffing risk

With an understanding of what Channel Stuffing is and the ways it can be identified, there are four key things businesses can do to mitigate the risk:

  • Develop typologies and use data analytics to continuously monitor for, and proactively detect Channel Stuffing
  • Implement transparent, detailed reporting that ensures visibility of emerging trends and issues and allows early management intervention
  • Ensure appropriate reporting and audit rights are included as part of any distributor compliance program forming part of Distribution Agreements. Channel Managers need to consider this in the Channel Management strategy.
  • Implement programs to perform market surveillance and obtain customer (end user) feedback to understand what is actually happening and who is buying your product. This helps validate observations in data analytics

As with all fraud schemes, paying attention to your data and having a good understanding of your business can help deter and detect frauds early. The bottom line is that proactively looking for Channel Stuffing can avoid significant downstream pain!

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

6 steps to improving security and integrity culture in the workplace

Workplace Culture – a curious concept

Culture is a funny concept: It is neither tangible nor permanent, but rather develops and evolves over time and is a reflection of the members of that ‘tribe’. Organisations, groups and communities can all develop unique intrinsic cultures as a result of the collective actions, behaviours, norms and values of that organisation.

The fact that culture is not a tangible thing makes nurturing a ‘good’ culture hard for leaders to achieve, and very easy to destroy. Good workplace cultures can become self-perpetuating, attracting others of similar visions and values and contributing to a highly engaged workforce. In his 2013 article in the Harvard Business Review, Michael Watkins provides a great discussion on organisational culture, outlining different perspectives on what it is and how it permeates the modern workplace.

Culture is recognised as being one of the most important components of successful companies. According to James L. Heskett, culture “can account for 20-30% of the differential in corporate performance when compared with ‘culturally unremarkable’ competitors”, making understanding it essential for all leaders (HBR, 2013).


Seven dimensions of security culture

When applied to security, the concept of organisational culture is no different. According to Perry Carpenter in Forbes Magazine (2021), there are seven dimensions to security culture. I have taken Carpenter’s seven dimensions and adapted it to provide more context for risk leaders:

  1. Attitudes: Employees have a positive view of security and understand why it exists. A positive culture of reporting security incidents is established
  2. Behaviours: Employees conduct themselves in a manner that positively impacts overall security. Innocent, unintentional security breaches or accidents are not punished or perpetrators ostracised
  3. Cognition: Employees know about security and have a high level of awareness of threats and security programs
  4. Communication: Security is communicated clearly and regularly, with key messages being enforced in ways which are easily understood by all and which resonate with the workforce
  5. Compliance: Employees comply with security policies voluntarily, not because they have to
  6. Norms: Being conscious of security and the need for it, as well as the expected behaviours, becomes part of the organisation’s fabric. Employees who go against these norms are counselled by peers, not security, compliance or management
  7. Responsibilities: Employees understand their security obligations and take them seriously. They know what to do and when, and comply with these rules and expectations

How does your organisation compare in relation to these seven dimensions? What about your previous employers? Reflecting and thinking critically about what we do and how we behave as leaders makes us think what else can we do better, and potentially enhance our culture in the process.


Six things leaders can do to improve security and integrity culture

Although a good security culture is hard to achieve, leaders need not despair. There are things we can do to improve security culture; it just takes time and effort. Listed below are six things I would encourage leaders to do to build or improve their security and integrity culture:

  • ‘Tone from the top’ – what senior leaders say and do matters because, just as with pets or children, behaviours will be replicated. Leaders should continually demonstrate the importance of security and integrity within the business, and not just pay lip service.
  • Awareness training – regular training on security and integrity is important in the workplace. People need to know how they are expected to behave, and to understand the organisation’s policies and accepted practices. Ideally, not all training would be computer-based, as people need time to talk through scenarios and learn from peers, such as via interactive, discussion-based forums.
  • Risk is part of the organisation’s DNA – thinking about risk does not mean discouraging staff from taking risks. Taking risks is an important element of creativity and innovation, but ideally risk taking would be measured to avoid taking risks from which organisations or staff cannot recover. Thinking about what could go wrong (or right) and ways in which adverse consequences or likelihoods can be mitigated or proactively managed should ideally be part of the organisation’s cultural fabric.
  • Penalties are not applied for accidents, near misses or unintentional incidents – rather, a constructive approach that focuses on continuous improvement and lessons learned should be taken. Inquiries into organisations with poor risk culture found that poor organisational cultures are those where blame is apportioned, messengers are blamed, and where subordinates are too scared to tell the truth to senior management for fear of repercussions. Leaders cannot fix problems they know nothing about.
  • Staff feel comfortable speaking up about their peers – in my previous post on the critical path method and insider risk management, I spoke about the need for organisations to identify workers who are struggling (and may pose a security or integrity risk to the organisation by virtue of their situation). Peers who have a concern about a co-worker should ideally be able to confidentially raise these concerns without worry that the struggling co-worker will be fired or penalised, but rather supported.
  • Treating people fairly – where problems or allegations do arise, the workforce must know they will be treated fairly and that the principles of natural justice will be applied to the investigation and resolution of incidents.


Who are SOCI Act Critical Workers?

A recap on Australia’s SOCI Act

In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.

Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.

A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.

SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).

In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to legislation during the parliamentary processes which affects relevance of the guidance material.


How is a ‘critical worker’ defined?

Part 1, Divn 2, Section 5 of the SOCI Act

The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:

(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);

(b) the absence or compromise of the individual:

(i) would prevent the proper function of the asset; or

(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;

(c) the individual has access to, or control and management of, a critical component of the asset

Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.

Whilst the legislation does not link it to personnel, the assessment of how potential risk events could cause significant damage would ideally be made through a risk assessment, based on residual risk ratings determined by the Responsible Entity.

What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?

Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.

Section 9 Personnel hazards

(1) For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:

(a) to identify the entity’s critical workers; and

(b) to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and

(c) as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:

(i) arising from malicious or negligent employees or contractors; and

(ii) arising from the off-boarding process for outgoing employees and contractors.

Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.

The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Agency which provides the level of traceability and scrutiny needed to identify, assess and mitigate Personnel Hazards.

What are the implications for employers?

Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:

  • Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
  • Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck along the grounds of ‘conscientious objections’ or the suspicion they may fail
  • Employees (or employees of a critical supplier) fail the AusCheck process

Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.

Real dilemmas are likely to be encountered by smaller Responsible Entities whose operations are not big enough to separate their critical and non-critical operations. This may mean those employers cannot move employees who fail or object to AusCheck into non-critical worker roles, as there may not be any available. One thing is clear: Employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.


Workforce Screening Programs should include your suppliers

Insider Threats are often overlooked when it comes to your supply chain, but suppliers are a key source of trusted insider risks. These risks need to be identified and incorporated into procurement decisions and sourcing contracts, inclusive of contractual obligations by suppliers to conform to your requirements. This may well incur additional costs, making it important for buyers to work collaboratively with their suppliers to agree an approach that is workable for all parties. This may mean buyers need to change their processes to mitigate a risk rather than transferring the management of this risk to a supplier.

Workforce Screening is a foundational element that should be included in any supplier agreements, but its application needs to be targeted towards the buyers material risks. This article explores this challenge, provides suggestions on good practice, and discusses the role of supplier assurance in relation to Workforce Screening Programs.

Many businesses are complex ecosystems with different parties - employees, contractors, suppliers, visitors - constantly interacting.

We need to recognise that suppliers also pose trusted insider risks

Suppliers and Third Parties are a core part of the ecosystem for every business enterprise. By the nature of their roles and functions, many suppliers and other third parties have privileged access to their client’s (i.e. your organisation) information, systems and critical assets. Examples of trusted insider access by suppliers include:

  • Service providers with remote access to critical systems or networks, such as Programmable Logic Controllers (PLCs) or Operational Technology (OT) systems
  • Outsourced IT managed services
  • Managed data centres
  • Contract Manufacturers and Contract Research Organisations (CROs, CMOs)
  • Outsourced Clinical Trials Managers
  • Distribution Centres for order fulfilment
  • Repackaging and relabelling services
  • Recruitment, accounting, audit, consulting and law firms and insurance brokers
  • Corporate catering, cleaning services

Many more services can be added to this list: clearly, the breadth and scope of functions performed by suppliers today is nearly ubiquitous – this needs to be taken into account when identifying insider risks.

Suppliers, as outsourced service providers, often have direct and unsupervised access to a business' most critical assets without us realising.

Existing practices often fail to properly assess supplier-insider risks

Supplier-insider risks need to be managed with a degree of foresight given that supplier contracts are often multi-year agreements with the potential for extensions. This means that failing to incorporate the necessary provisions upfront may create a vulnerability for multiple years or even a decade.

Understanding the insider risk posed by your supplier’s workforce begins with identification of your High Risk Roles – are any of those outsourced? This information informs your Personnel Security Risk Assessment which qualifies the inherent risk and determines whether internal control coverage is adequate for your risk appetite.

The gap between inherent and residual risk where the risk actor is a member of your supplier’s workforce is what you may need to address through any Supplier Agreement, using tools such as a Workforce Screening Program. This process justifies which members of your supplier’s workforce need screening, to what extent, and why, based on their access to your organisation’s assets.

Suppliers should be contracted to implement your Workforce Screening program

Security and integrity is seen by many as a business enabler, but many businesses still see it as a cost and management overhead. It is not uncommon to find suppliers with either no security or integrity program, or that lack the requisite level of capability maturity required to manage complex risks that may arise in their customers’ business.

It goes without saying that buyers need to provide guidance to their suppliers on their expectations, just like any other aspect of the sourcing process. Considerations on leading practices for supplier-insider risk management include:

  • Imposing contractual obligations to maintain a risk-based security and integrity program that conforms to your organisation’s standards and policies
  • Providing a copy of your current workforce screening standard and other continuous monitoring information to ensure your supplier knows exactly what they need to do to comply
  • As a buyer, performing continuous monitoring (insider threat detection) of your supplier’s interactions with your endpoints, network access and critical assets (including your most valuable information) – don’t rely on anyone else to do this
  • Incorporating requirements for a time-bounded escalation or notification mechanism obligating your suppliers to inform you of certain types of incidents within defined timeframes
  • Ensuring appropriate supplier assurance and supplier audit / investigations clauses are included in your contracts and don’t be afraid to use them

These practices could also be incorporated into your Supplier Integrity Framework.


Workforce Screening should be incorporated into ongoing Supplier Assurance

Just because there is a contractual requirement to do something does not mean a counterparty will comply, or that they have the internal governance mechanisms to keep track of this. In some cases, counterparties start out with the best of intentions, but some years after contract signing business may get tough or management may change and contract compliance could slip as a result. Supplier assurance (vendor assurance) programs are intended to regularly monitor or review key aspects of a supplier’s compliance with the contract.

Ensuring contract compliance with Workforce Screening and other Insider Risk obligations should form part of any supplier assurance program; however, this should be supplemented with insights from periodic updates to your Personnel Security Risk Assessment, Register of High Risk Roles, and revisions to your Workforce Screening Program Guideline (standard) to ensure supplier practices correspond to your inherent risks and risk appetite.


Designing your workforce screening program

Author: Paul Curwell

Executive Summary

Workforce Screening is an important function for any business today; however, it cannot be developed on the fly and needs to properly balance the organisation’s risk and regulatory obligations against an employee’s right to privacy and the cost and operational burden created by the screening program itself. Workforce Screening should form part of a well-governed, risk-based program managed by HR and Security / Integrity comprising a range of policies, a personnel security risk assessment, and associated guidance to enable effective implementation. This article provides an overview of the key considerations when designing any workforce screening program in Australia.

What is Workforce Screening?

The practice of Workforce Screening goes by many names – vetting, background checks – all of which are the same thing. In Australia, the term Employment Screening has been used since at least 2006 with the introduction of Australian Standard AS4811:2006. However, this standard was recently updated and republished as AS4811:2022 Workforce Screening.

A Workforce Screening Program comprises the specific checks performed on each employee or contractor to determine initial and ongoing suitability for employment and the associated processes and records to manage those checks. In many organisations there are a few key artefacts which comprise any Workforce Screening Program:

  • Employment Policies
  • Corporate Security and Integrity frameworks and associated programs
  • Workforce Screening Guideline

The Workforce Screening Guideline (or Standard) details what identity verification, security and character checks are required for employees, contractors, or consultants as a condition of employment and under what circumstances these checks will be performed, such as the risk posed by an employee’s role. The relationship between these documents, and how they are created, is outlined below:

Graphic illustrating the various inputs to the Workforce Screening Program and the supporting Guideline and SOPs.

In our book Terrorist Diversion, Oliver May and I provide a detailed process map and overview of all forms of vetting, including insiders and suppliers.

When should workforce screening be performed?

Typically, workforce screening is performed at four trigger points:

  1. During recruitment – ideally prior to the letter of offer being issued;
  2. Periodically throughout employment;
  3. In response to an incident; and,
  4. Upon resignation – particularly important for employees involved in creating Intellectual Property or where potential Conflicts of Interest may arise post-separation.

Workforce Screening is different to Insider Threat Detection. Whilst there is a relationship between the two functions, screening is holistically focused on who the individual is (taking into account the ‘whole person’) whilst insider threat detection is focused on what the individual does once they enter the organisation. One is not a substitute for the other: they are different controls.

Screening is a legal requirement for some industries

Workforce Screening is a mandatory obligation in Australia for many regulated industries under a variety of legislation, including:

  • Financial Services – Anti-Money Laundering and Counter Terrorist Financing Act 2006 and Rules
  • Aviation – Aviation Transport Security Act 2004 and Regulations
  • Ports, Maritime and Offshore Oil and Gas Platforms – Maritime Transport and Offshore Facilities Act 2003 and Regulations
  • Commonwealth Public Service – Public Service Act 1999, Subsection 22(6) Security and Character Checks
  • Australia’s 11 declared Critical Infrastructure sectors – Security of Critical Infrastructure Act 2018 and Rules

Having the right team is critical to success in the workplace

What checks are typically performed in workforce screening?

There is a standard menu of checks which are performed across public and private sectors in Australia, including:

  • Identity verification
  • Citizenship and / or work rights
  • Credit rating and bankruptcy status
  • Education and occupational licences / trade certificates
  • Criminal history (National Police Check)
  • Sanctions and Adverse Media
  • Psychometric testing (in accordance with applicable employment policies)
  • Litigation history
  • Regulatory Actions pertaining to their profession
  • Internal employer database and record checks (for ongoing employees)
  • Candidate interview
  • Referee interviews

More intrusive checks permissible in Australia under certain circumstances include:

Not everyone will pass workforce screening, potentially including ongoing employees. There are a number of considerations associated with any workforce screening adjudication process which will be addressed in a future article.

Example of an educational qualification

What’s the relationship between the PSRA and High Risk Roles in Workforce Screening?

Selecting which specific background checks to perform in your employment process should not be determined by way of a ‘lucky dip’. Many organisations require a ‘background check’ as a condition of employment, but fail to articulate why each check is necessary – such as where credit scores are used as a proxy for character tests.

Rather than ad hoc approaches, organisations need traceability from a regulatory obligation, personnel security risk, policy or similar instrument which establishes the risk and outlines how performing the respective background check will mitigate this risk. To provide this traceability, the Register of High Risk Roles informs the Personnel Security Risk Assessment (PSRA), and the PSRA informs the design and implementation of the Workforce Screening Program as well as the Insider Risk Management Program.

The Register of High Risk Roles identifies:

  • Which positions pose a greater trusted insider risk due to a variety of factors, and therefore,
  • Which position numbers are most likely to require additional vetting and insider risk monitoring to mitigate inherent risks.

The PSRA identifies:

  • The specific trusted insider risks faced by an organisation and where these may arise by team, function, business line etc; and,
  • Suitable internal controls to manage the organisation’s inherent risk exposure (including that arising from High Risk Roles) to within risk appetite.

Cost and privacy are two important factors that also need to be considered: As with any security decision, there are tradeoffs. Workforce Screening is intrusive, expensive and has an operational impact, often delaying the commencement of new hires as well as reducing the total pool of candidates. The need for screening should be balanced against the PSRA to guide employers on what to check when, and why.

a mobile phone near the documents and laptop on the table


Mitigating risks from workplace sabotage

Workplace sabotage as an insider threat

My post ‘Product Tampering: A form of Workplace Sabotage’ defines sabotage as “to damage or destroy equipment, weapons, or buildings in order to prevent the success of an enemy or competitor” (Cambridge Dictionary).

When I think about how sabotage can occur in the workplace I find it easier to decompose it into three categories (which align to targets) for the purposes of prevention, detection and response:

  • Physical sabotage – intentional damage to a physical thing, such as critical infrastructure or a device
  • IT sabotage – intentional damage to IT equipment, networks, software etc
  • Data sabotage – intentional destruction or compromise of valuable information or data, such as Intellectual Property or research data

Sabotage is typically discussed in a wartime context where either enemy agents or special forces, or alternately sympathetic or compromised insiders, do something to benefit a foreign power (for further discussion on threat actors see my previous post). However, we are increasingly seeing acts of sabotage being performed in the workplace.

Malicious insiders are well placed to commit workplace sabotage

Acts of workplace sabotage can be perpetrated in person (on-site) or virtually (online). From an insider threat context, we are likely to see cases of workplace sabotage involving disaffected employees, such as:


Interestingly, in its 2006 study CERT refers to workplace IT sabotage as ‘trust betrayal’ and also places espionage in this category, however the paper is silent on including fraud. Fraud is probably the most common form of breach of trust in the workplace.

Don’t forget that workplace sabotage can also be perpetrated by staff members of your suppliers.

To understand sabotage in more detail, we need to examine the elements of this offence.

Sabotage offences in Australia

Sabotage is a criminal offence in Australia at both the federal and state / territory levels. Under Division 82 of the Criminal Code Act 1995 (Cth), the main elements (abbreviated) of the sabotage offences include:

  • Intentional damage, destruction or impairment of any thing, substance or material (‘article’) used in connection with Australia’s defence
  • Intentional or reckless conduct which results in damage to critical infrastructure with a nexus to a foreign government or its principal
  • Intentionally or recklessly introducing a vulnerability into an article, thing or piece of software that has a critical infrastructure or national security purpose which makes it (a) vulnerable to misuse or impairment or (b) capable of being accessed or modified by someone not entitled to do so
  • Preparing for, or planning, a sabotage offence
  • Any instances of the above with a foreign nexus, including financing, support, oversight or participation

Under Commonwealth legislation, damage to public infrastructure includes anything that: destroys, interferes, results in loss of function or becomes unsafe / unfit for purpose, becomes unserviceable, is lost, limits or prevents access, becomes defective or contaminated, results in a degradation in quality, or causes serious disruption of an electronic system. This definition is quite broad and all-encompassing.

Image of public infrastructure

Some offences involving specialist products, such as food, pharmaceuticals or medical devices, may be considered acts of sabotage to the layperson, however these are actually criminalised under various product tampering offences. You can read more about this in my previous post.

How to investigate alleged sabotage in the workplace?

Whilst research into workplace sabotage is growing, there is very little in the literature on how to actually investigate such offences. This is likely because the majority of similar cases have a nexus to national security and would not be publicly available. However, there is some publicly available US Government guidance which I have adapted below into the following investigative strategy:

  • Preserve all evidence as quickly as possible in accordance with local laws and regulations
  • Who – determine the person(s) of interest (POI), including those with means, motive and opportunity and any facilitators. Was the perpetrator an individual or part of a group? Background investigations should be performed as required
  • What – identify the actual target and qualify the extent of damage, noting the affected asset may not actually have been the intended target
  • When – confirm the exact time and date of the incident (or as close as possible) and begin building a time-event chart to document developments
  • Where – be clear on the precise location and understand any surrounding activities which may have influenced choice of target
  • Why – try to understand the reasons or rationale for the incident and the intended target, including consideration of motive and opportunity
  • How – understand the type of sabotage involved and methods used. This will likely involve a combination of investigation, analysis and technical examination
  • Was there any communication with the media, social media or internal office communications (a) indicating the POI(s) planned or was planning the act of sabotage, or (b) claiming responsibility?
  • Is there a foreign nexus such as direction, oversight, funding, communication or logistics?

The investigative steps above need to prove or disprove each element of the offence (previous section), meaning investigators need to prove the POI(s) did, tried, or intended to cause harm or damage, or were reckless as to the consequences of their actions.

Investigator analysing evidence

Can insider threat detection systems identify workplace sabotage before or during an event?

Having an understanding of what workplace sabotage is and how it typically occurs, we can turn our minds to how to detect it. There are quite a number of insider threat detection vendors on the market who claim their systems can do this, and there have been a number of academic studies performed in this area, primarily by Carnegie Mellon University (SEI CERT). In a follow up to this post, I will explore these concepts in more detail.


What is a Personnel Security Risk Assessment?

Why do a Personnel Security Risk Assessment?

Trusted Insiders – employees, contractors, suppliers and business partners – are the ideal threat vector given their legitimate access and inside knowledge, yet many businesses are immature in the way they manage these risks.

A 2007 CPNI survey found many organisations don’t employ a structured approach to personnel security, leading to the development of guidance material on Personnel Security Risk Assessments (PSRA) to change the status quo. My experience is this dial hasn’t really shifted in Australia since the survey was published. The PSRA forms the basis of a structured, risk-based approach to managing insider risk.

A team is only as strong as its weakest link: Personnel Security helps mitigate some risks.

What is a Personnel Security Risk Assessment?

The PSRA enables business to focus its limited prevention, detection and response resources to those areas, and position numbers (roles), of highest risk. In high security organisations, this often translates to low risk staff not being exposed to intrusive background investigations and ongoing monitoring in comparison to staff in high risk roles.


The PSRA also informs the design of an organisation’s vetting standard (i.e. what background checks are performed given the risk). This ensures employees are not subjected to intrusive checks, and the business does not incur expenses, for no real purpose.

Under the CPNI methodology, there are three types of PSRA:

  • Organisational PSRA – identifies enterprise level threats and risks, including the main risk types. Organisational PSRAs lack sufficient detail to identify business unit specific risks and corresponding internal controls.
  • Group PSRA – focused at the Business Unit level (or lower) or alternately specific functional groups (e.g. finance, engineering, ICT, senior executives).
  • Individual PSRA – focuses on the risk a specific individual poses, typically managed through vetting (employment screening / background investigations) and Continuous Monitoring / Continuous Evaluation (CM/CE).

The remainder of this article focuses on Organisational and Group PSRAs.

Trusted insiders have access to valuable information and assets by virtue of their roles.

How do you complete a PSRA?

The PSRA follows the ISO 31000 risk management process, as follows:

Step 1 – Scoping

As with any risk assessment, scoping is probably the most important step as it can inadvertently exclude material risks. When scoping, I ask questions such as:

  • What is the organisation’s strategy?
  • What are the critical assets (or core business activities) requiring protection?
  • What regulatory or ‘social licence to operate’ considerations are there?
  • What does the threat landscape look like (determined by the threat assessment)?
  • What are the organisation’s high risk roles?

Understanding these factors allows the PSRA to be properly scoped.

Setting the context for the PSRA - from context to treatment

Step 2 – Risk Identification

Risk Identification involves identifying sources of risk involving employees, contractors and other trusted insiders. Not every risk is applicable to every organisation, so there is an element of qualifying suggested risks whilst building the risk register.

Common categories of Personnel Security risk include:

Step 3 – Risk Analysis

Once identified, the risk analysis can begin. This involves determining the Consequence and Likelihood of any risk materialising (i.e. a ‘risk event’); combining the two, usually via a risk matrix, yields a risk rating. It is customary to provide two risk ratings – inherent and residual – reflecting ratings without and with internal control coverage.

Adequate control coverage has the effect of reducing either the consequence or likelihood of a risk event occurring, whilst inadequate or ineffective control coverage has the opposite effect.

The ISO 31000 Risk Assessment. Illustrating the effect of applying controls on an inherent risk as part of the risk treatment process.

Step 4 – Risk Evaluation

Risk Evaluation involves determining whether the risk rating assigned to a given risk lies within the organisation’s risk tolerance (‘risk appetite’). This is a topic in itself which I will cover later, however for any risk treatment there are four options:

  • Accept the risk
  • Reject the risk (i.e. don’t do something)
  • Transfer the risk (e.g. to a supplier, insurer)
  • Treat the risk
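The following is an added worked example, not code from the original article: a small PSRA risk register that carries a risk from inherent rating (Step 3) through residual rating and evaluation against appetite (Step 4), and then traces each workforce screening check back to the risk, high risk role and obligation that justify it, as the earlier screening article argues it should. The 5×5 matrix bands, role names, control effects, and the three sample risks are assumptions constructed for illustration.

```python
"""Added example: PSRA risk register with inherent/residual ratings, evaluation
against risk appetite, and screening-check traceability. Matrix bands, roles,
controls and obligations below are illustrative assumptions, not the article's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed 5x5 matrix: 1..5 likelihood x 1..5 consequence, banded into four ratings.
def rating(likelihood: int, consequence: int) -> str:
    score = likelihood * consequence
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

@dataclass
class Control:
    name: str
    reduces: str            # "likelihood" or "consequence"
    steps: int              # how many matrix levels the control moves, if effective
    effective: bool = True  # an ineffective control gives no residual benefit

@dataclass
class Risk:
    risk_id: str
    description: str
    high_risk_roles: List[str]      # from the Register of High Risk Roles
    likelihood: int                 # inherent, 1..5
    consequence: int                # inherent, 1..5
    controls: List[Control] = field(default_factory=list)
    obligation: Optional[str] = None  # regulatory driver, where one exists

    def inherent(self) -> str:
        return rating(self.likelihood, self.consequence)

    def residual(self) -> Tuple[int, int, str]:
        """Apply effective controls; each moves likelihood or consequence down (floor 1)."""
        lik, con = self.likelihood, self.consequence
        for ctl in self.controls:
            if not ctl.effective:
                continue
            if ctl.reduces == "likelihood":
                lik = max(1, lik - ctl.steps)
            else:
                con = max(1, con - ctl.steps)
        return lik, con, rating(lik, con)

RANK = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}

def evaluate(risk: Risk, appetite: str = "Medium") -> str:
    """Step 4: residual within appetite, or does it need treatment (Step 5)?"""
    _, _, res = risk.residual()
    return "within appetite" if RANK[res] <= RANK[appetite] else "treat"

def screening_traceability(risks: List[Risk], checks_in_use: Set[str]) -> Dict[str, List[str]]:
    """Map each screening check to the risks (and obligations) that justify it."""
    trace: Dict[str, List[str]] = {c: [] for c in checks_in_use}
    for r in risks:
        for ctl in r.controls:
            if ctl.name in trace:
                tag = r.risk_id if r.obligation is None else f"{r.risk_id} ({r.obligation})"
                trace[ctl.name].append(tag)
    return trace

def untraceable_checks(trace: Dict[str, List[str]]) -> List[str]:
    """Checks nobody can justify: the 'lucky dip' the screening article warns about."""
    return sorted(c for c, just in trace.items() if not just)

# Constructed sample register (assumptions, not real organisational data).
CHECKS_IN_USE = {"Identity verification", "National Police Check",
                 "Credit and bankruptcy check", "Psychometric testing"}

def build_register() -> List[Risk]:
    return [
        Risk("R1", "Theft of customer data by privileged database administrator",
             ["Database Administrator"], likelihood=3, consequence=5, controls=[
                 Control("National Police Check", "likelihood", 1),
                 Control("Privileged access monitoring", "likelihood", 1),
                 Control("Data loss prevention", "consequence", 1, effective=False)]),
        Risk("R2", "Fraudulent supplier payments by accounts payable officer",
             ["Accounts Payable Officer"], likelihood=4, consequence=3, controls=[
                 Control("Segregation of duties", "likelihood", 1),
                 Control("Credit and bankruptcy check", "likelihood", 1)]),
        Risk("R3", "Sabotage of plant control system by engineering contractor",
             ["Control Systems Engineer"], likelihood=3, consequence=5, controls=[
                 Control("Identity verification", "likelihood", 1)],
             obligation="Security of Critical Infrastructure Act 2018 (assumed to apply)"),
    ]

if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(r.risk_id, r.inherent(), "->", r.residual()[2], evaluate(r))
    print("untraceable:", untraceable_checks(screening_traceability(register, CHECKS_IN_USE)))
```

Running it shows R1 falling from Extreme to Medium once the two effective controls are applied (the ineffective DLP control contributes nothing), R3 staying High and therefore needing treatment, and ‘Psychometric testing’ flagged as a check no risk in the register justifies.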

Step 5 – Risk Treatment

Risk treatment requires evaluating the specific situation to determine how you can change a situation to reduce or modify the risk. Ways to treat personnel security risks include:

  • Implementing additional controls such as vetting, user activity monitoring or management oversight
  • Business process redesign to increase transparency or reduce the need for high level account privileges
  • Policy changes, including implementing and enforcing compliance via IT systems
  • Use of analytics for insider threat detection
  • Implementing and communicating internal reporting programs for staff who identify suspicious activity
  • Cultural change and security awareness training

Risk treatment plans should be incorporated into programs, frameworks, policies, systems or business processes to ensure they are implemented effectively.

Step 6 – Communication and Consultation

Communicating throughout any risk assessment process is critical, as is engaging with stakeholders including management and relevant business functions (e.g. HR, Legal, Security, Risk, etc) when completing the risk assessment, evaluation and treatment process. Employee representatives are another critical stakeholder group, to ensure employee privacy is respected.

Step 7 – Monitoring and Review

The last step in the PSRA process is to ensure the assessment is periodically updated, ideally through an annual or biannual refresh depending on the extent of change in your organisation. The longer personnel security risks go unrecognised, the greater the vulnerability.


Alert management and insider risk continuous monitoring systems

What is ‘Continuous Monitoring’ for Insider Threat Detection?

A core component of any Insider Risk Management program is what is referred to as Continuous Monitoring by the U.S. Government, which involves the collection, correlation and analysis of data to identify patterns of behaviour, activity or indications that a trusted insider may pose a threat (i.e. an ‘insider threat’) or be progressing down the Critical Path.

To perform Continuous Monitoring, organisations are purchasing solutions such as DTEX, Exabeam, Securonix, and Splunk or alternatively using existing analytics platforms to introduce some level of capability. Microsoft Purview Insider Risk Management, launched in 2019, is another option in the vendor landscape. Irrespective of what system you use, they all have one thing in common: they generate ‘alerts’.

What is an ‘alert’ anyway?

Advanced analytics systems (such as those used in insider threat detection, workforce intelligence, fraud detection or cybersecurity) generate what are colloquially referred to as ‘alerts’. Alerts are simply instances of activity (e.g. transactions, behaviours, relationships, events) which meet the criteria configured in the advanced analytics system’s models.


Alerts that are generated are typically managed, or dispositioned, as a ‘case’ using some sort of case management system. Dispositioning an alert involves reviewing the information associated with that alert and potentially conducting further data collection or analysis specific to the alert’s “event type”, before determining what to do with it based on organisational policies. This sequential process is illustrated below:

Illustrating the sequential process from Event to Case or Closure (Curwell, 2022)

Some insider threat detection solutions offer detection analytics and case management as part of an integrated solution, some have no inbuilt case management functionality but easily integrate with a third party solution via API, and yet others accommodate both options. Case Management is a large topic in its own right which I will write about more in the future.

The three levels of insider risk ‘alert’ management

The literature on Insider Risk Management typically refers to three types of alert. Whilst the terminology and specifics are inconsistent between authors, audiences and vendors, the basic principles remain the same. My interpretation is explored below:

Level 1 alert disposition comprises the steps taken to review a system generated alert based on pre-defined or deployed detection models or rules. In some situations, a Level 1 alert may comprise only a single indicator, which is likely to give rise to more ‘false positives’ and may be easily triggered out of context. Level 1 alerts are typically anonymised or masked in many Insider Threat Detection systems on the market to prevent analysts from identifying individuals and to reduce opportunities for analytical bias. In terms of actions, a Level 1 analyst might:

  • Reject an alert as a false positive,
  • Place some sort of temporary increased monitoring on the individual where there are signs of suspicious behaviour that do not meet the organisation’s criteria for escalation, or,
  • Escalate the Level 1 alert to a Level 2 case where the characteristics of the alert meet the business’s pre-defined criteria for escalation.

Level 1 alerts are usually the greatest in terms of volume, and are typically dispositioned by junior team members or, where the risks are within tolerance, by automated decision engines.


Level 2 preliminary assessment is where the basics of what we consider a ‘real’ investigation begin, and may involve looking for patterns of behaviour, anomalies, or performing background investigations to gather context required to disposition what are often multiple alerts on the same individual, or which involve a single typology comprising multiple inter-related indicators or behavioural patterns.

Level 2 cases are often worked by more experienced team members. They typically commence with an anonymised case but if the case is not closed as a ‘false positive’, at some point the evidence may justify de-anonymising based on the organisation’s policies and procedures. The outcomes of a Level 2 case typically include:

  • Close a case as unsubstantiated / unable to substantiate / no case to answer;
  • Place the trusted insider or type of behaviour / activity on a watchlist so it can be more closely monitored in the future (often involving manual review without reliance on automated detection models);
  • Refer the matter to a line manager or other internal professional (e.g. HR, Compliance, Risk, IT) where action is required but the criteria for Level 3 escalation are not met, such as:
    • Trusted insiders who are at the early stages of progressing along the critical path and may benefit from counselling or individual support, and / or,
    • Staff who require more training, coaching or guidance to ensure proper compliance (i.e. ignorant or complacent insiders), or,
    • Identification of internal control gaps requiring remediation by the employer (i.e. cases where an employee is not at fault)
  • Escalate the case to Level 3 where an allegation of misconduct, fraud or other criminal behaviour is formed.

Level 3 comprises a formal internal investigation, performed by professionally trained and appropriately accredited investigators (see ICAC, 2022). Sometimes it is appropriate for these investigations to be performed by external service providers – if unsure, guidance should be sought from General Counsel prior to commencing an investigation. These investigations involve not just evidence collection and data analysis from systems, but may also involve interviewing witnesses and suspects, taking statements, writing formal investigative reports and, in extreme cases, preparing briefs of evidence for criminal prosecution.
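The three-level flow above, as an added worked example that is not the article’s own code and does not reproduce any vendor’s product: raw events are run through single-indicator rules to produce Level 1 alerts keyed only by a keyed pseudonym; alerts on the same pseudonym are correlated within a window and either closed, placed on temporary monitoring, or escalated; a Level 2 assessment then decides between watchlist, referral, and a Level 3 allegation, and only at that point is the pseudonym resolved to an identity, under a named case and approver, with every resolution logged. The rules, weights, thresholds, the 14-day window, the user directory and the sample events are all constructed assumptions.

```python
"""Added example: toy Level 1 / Level 2 insider-risk alert pipeline with
pseudonymised Level 1 alerts and audited de-anonymisation. Rules, weights,
thresholds and sample events are assumptions for illustration only."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

PSEUDONYM_KEY = b"rotate-me-per-deployment"  # assumed: held outside the analysts' reach

def mask(user: str) -> str:
    """Level 1 analysts see only a keyed pseudonym, never the identity."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]

# Assumed single-indicator rules: name -> (predicate, weight). Each match is one Level 1 alert.
RULES = {
    "bulk_download": (lambda e: e["type"] == "download" and e.get("bytes", 0) > 500_000_000, 3),
    "usb_write":     (lambda e: e["type"] == "usb_write", 2),
    "after_hours":   (lambda e: e["type"] in ("login", "download") and not 7 <= e["ts"].hour < 19, 1),
    "resignation":   (lambda e: e["type"] == "hr_notice" and e.get("detail") == "resignation", 2),
}
ESCALATE_SCORE = 5          # assumed: combined weight at which Level 1 must open a Level 2 case
MONITOR_SCORE = 3           # assumed: below this a lone indicator is closed as a false positive
WINDOW = timedelta(days=14)

def level1_alerts(events):
    """Run the rules over raw events; alerts carry the pseudonym, not the user."""
    alerts = []
    for e in events:
        for name, (pred, weight) in RULES.items():
            if pred(e):
                alerts.append({"subject": mask(e["user"]), "rule": name, "weight": weight, "ts": e["ts"]})
    return alerts

def level1_disposition(alerts):
    """Correlate alerts per pseudonym inside WINDOW and apply the Level 1 outcomes."""
    by_subject = defaultdict(list)
    for a in alerts:
        by_subject[a["subject"]].append(a)
    outcomes = {}
    for subj, items in by_subject.items():
        items.sort(key=lambda a: a["ts"])
        best = 0
        for i, first in enumerate(items):   # best-scoring window starting at each alert
            window = [a for a in items[i:] if a["ts"] - first["ts"] <= WINDOW]
            best = max(best, sum(a["weight"] for a in window))
        if best >= ESCALATE_SCORE:
            outcomes[subj] = "escalate_level2"
        elif best >= MONITOR_SCORE:
            outcomes[subj] = "temporary_monitoring"
        else:
            outcomes[subj] = "close_false_positive"
    return outcomes

UNMASK_LOG = []  # audit trail: (case_id, approver, pseudonym) for every de-anonymisation

def unmask(subject, directory, approver, case_id):
    """Level 2 may resolve a pseudonym only under an open case with a named approver."""
    if not approver or not case_id:
        raise PermissionError("de-anonymisation requires a Level 2 case and an approver")
    for user in directory:
        if hmac.compare_digest(mask(user), subject):
            UNMASK_LOG.append((case_id, approver, subject))
            return user
    raise KeyError(subject)

def level2_assessment(case):
    """Assumed Level 2 criteria: exfiltration indicators plus resignation form an
    allegation (Level 3); exfiltration indicators alone are referred to the line
    manager as a possible control or policy gap; anything else goes on a watchlist."""
    rules = {a["rule"] for a in case["alerts"]}
    exfil = rules & {"bulk_download", "usb_write"}
    if exfil and "resignation" in rules:
        return "escalate_level3"
    if exfil:
        return "refer_to_manager"
    return "watchlist"

def run_pipeline(events, directory):
    alerts = level1_alerts(events)
    results = {}
    for subj, outcome in level1_disposition(alerts).items():
        if outcome != "escalate_level2":
            results[subj] = outcome
            continue
        case = {"id": f"L2-{subj}", "alerts": [a for a in alerts if a["subject"] == subj]}
        decision = level2_assessment(case)
        if decision == "escalate_level3":   # identity is revealed only here, and logged
            decision = (decision, unmask(subj, directory, "insider-risk-lead", case["id"]))
        results[subj] = decision
    return results

# Constructed sample data (assumptions): three users, one of whom trips several indicators.
DIRECTORY = ["alice", "bob", "carol"]

def sample_events():
    return [
        {"user": "alice", "type": "login", "ts": datetime(2022, 3, 1, 22, 0)},
        {"user": "bob", "type": "download", "bytes": 800_000_000, "ts": datetime(2022, 3, 2, 23, 15)},
        {"user": "bob", "type": "usb_write", "ts": datetime(2022, 3, 3, 14, 0)},
        {"user": "bob", "type": "hr_notice", "detail": "resignation", "ts": datetime(2022, 3, 5, 9, 0)},
        {"user": "carol", "type": "usb_write", "ts": datetime(2022, 3, 1, 10, 0)},
        {"user": "carol", "type": "login", "ts": datetime(2022, 3, 2, 6, 30)},
    ]

if __name__ == "__main__":
    for subject, result in run_pipeline(sample_events(), DIRECTORY).items():
        print(subject, result)
    print("de-anonymisations:", UNMASK_LOG)
```

With the sample events, alice’s single after-hours login is closed at Level 1, carol’s two weak indicators earn temporary monitoring, and bob’s bulk download, USB write and resignation notice correlate to a Level 2 case that meets the assumed Level 3 criteria, which is the only point at which his identity is resolved and the resolution recorded. The keyed pseudonym and the audit log are what keep the Level 1 and Level 2 stages separate in practice; without them the ‘overzealous Level 2 practitioner’ problem discussed below has no technical brake.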

Understanding Insider Threat Detection Alerts (Curwell, 2022)

Level 3 investigations are not undertaken lightly

Just because a case meets the organisation’s criteria and is escalated for Level 3 investigation does not necessarily mean that an investigation must or will commence (see ICAC, 2022). Businesses need strong governance and clear policies when it comes to internal investigations, starting with the management decision on whether a formal investigation is justified.

Typically this decision will be made by a special committee with delegated authority from the CEO or Board and comprising representation from senior management, legal, HR, risk, compliance, security and integrity, and sometimes internal audit. This decision is based on a number of factors which will be explored more in a future article, but the important thing is to have clear guidelines and evaluate each case in a consistent manner to avoid allegations of bias.

Importantly, even for Level 3 cases employers have a range of alternatives to a formal investigation, including changes to supervision or management arrangements, employee development, or other organisational action. Where a formal internal investigation is performed, employees must be afforded procedural fairness (also known as ‘natural justice’).

In my opinion, Level 2 alert dispositions are the most critical for any employer. They can identify and divert trusted insiders at early stages of progressing along the critical path, and whilst some harm may already have been done to the organisation, this may be relatively minimal and / or recoverable for both the organisation and the trusted insider concerned. In contrast, it may not be possible or practical for malicious trusted insiders to recover from some types of Level 3 cases which are substantiated. It makes sense to disproportionately allocate organisational resources – including specialists from HR, Legal, IT, security, counsellors, and professional psychologists – to resolve Level 2 issues, in comparison to Levels 1 and 3.

Level 2: source of greatest risk and greatest opportunity for diversion?

In contrast to Level 1 and Level 3 cases, Level 2 presents not only the greatest opportunity (as outlined above) but the greatest risk to the organisation. I have seen overzealous individuals do substantial damage at this stage, far more so than at Level 1, where opportunities to cause harm are limited because the analyst views an anonymised alert in isolation, or at Level 3, which is staffed by professional and experienced investigators who are overseen by appropriate governance and legal mechanisms and have a deep understanding of how to perform their role.

Level 2 practitioners often combine advanced analytical skills with knowledge of the alert subject’s identity, but typically lack an understanding of the law and protocols that govern an internal investigation. This can lead to the commencement of what is effectively a Level 3 investigation without internal approval or oversight, potentially damaging employee engagement and trust in management, leading to the removal or termination of the insider risk management program, litigation or regulatory action, and even adverse mental health and welfare outcomes for the subject concerned.

It is imperative that Level 1 and 2 team members, particularly Level 2, receive adequate training and guidance on what is and is not appropriate in their role. Any Insider Risk Management Program, including continuous monitoring, should be fair, transparent and developed in consultation with Legal, employees and, where applicable, unions. Poor practice or discipline in continuous monitoring can terminally damage organisational trust in such programs.


Understanding High Risk Roles

What are High Risk Roles?

Understanding the concept of High Risk Roles begins with the concept of assets. There are generally agreed to be two categories of asset – tangible (e.g. physical things) and intangible (e.g. knowledge). Tangible assets include property (facilities), people (workforce), systems and infrastructure, and stock or merchandise; intangible assets include information (including intellectual property and trade secrets) and reputation.

Every business is comprised of a variety of different roles, each of which poses a different risk.

Whilst loss, degradation or compromise of an asset may cause a financial loss or inconvenience, not all assets are critical to an organisation’s survival: Those assets which are critical are often referred to as ‘critical assets‘.

Definition: Critical Assets
A ‘Critical Asset‘ is an asset which the organisation has a high level of dependence on; that is, without that critical asset the organisation may not be able to perform or function.

Paul Curwell (2022)

Critical assets typically comprise only a small fraction of all assets held by any organisation, but their loss causes a disproportionately high business impact. In security risk management, we never have enough resources to treat every risk, nor does it make sense to do so. By extension, an organisation’s critical assets are those assets on which it must spend disproportionately more resources to protect. This may range from restricting access to the asset to prevent loss or damage through to providing multiple layers of redundancy and increasing organisational resilience in the event of unanticipated shocks or events.

Not every activity is critical: it's important to identify those that are and focus limited resources on what's really important.


High Risk Roles: What are they and why are they important?

High Risk Roles are those which confer privileged access to an organisation’s critical assets, as well as other types of access privileges, user privileges, or delegations of authority.

High and Low Risk Roles Defined

High Risk Roles – those which confer privileged access to Critical Assets (including information) or decision-making rights
Low Risk Roles – those which confer normal access to Critical Assets, information or decision-making rights (i.e., non-privileged).

Paul Curwell (2022)

The concept of privileged access to assets, including information, is very much situational within the organisation concerned. If an organisation has no controls to protect its critical assets from loss, damage or interference, then every role is effectively high risk.

In contrast, if some roles are subject to fewer controls, less supervision or less oversight; if senior staff are easily able to bypass or compromise internal controls by virtue of their position (or coerce junior employees or subordinates into doing so); or if some roles are more readily able to access critical assets (such as in organisations where critical assets are closely guarded or ‘locked down’), then a higher degree of trust is inherently placed in those individuals. This degree of trust is reflected in their ‘privileged access’ to these assets – some organisations have historically used the term ‘positions of trust’ to refer to such roles.

What are some examples of privileged access which make a position ‘high risk’?

An organisation’s workforce must have access to its critical assets to perform its core functions. Members of the workforce with access to its critical assets may not just comprise trusted employees, but also contractors, suppliers and other third parties, making it essential to have a mechanism to track who has access to what as part of good governance, let alone risk management and assurance. Examples of positions which an employer may deem ‘high risk roles’ based on a risk assessment process include:

Unless defined by legislation, what constitutes a High Risk Role will differ between organisations. Some organisations use the Personnel Security Risk Assessment as a tool for identifying these roles (refer below).

The more senior an employee's position, the greater the potential risk exposure.
Photo by Andrea Piacquadio on

Five suggested tools to manage High Risk Roles

As outlined in the preceding paragraphs, the purpose of defining High Risk Roles is to identify the subset of your overall workforce which has privileged access to critical assets. In most organisations, perhaps with the exception of smaller organisations such as startups, those in High Risk Roles will comprise a very small percentage of the overall workforce. There are five main steps in managing high risk roles, as follows:

1. Personnel Security Risk Assessment (PSRA)

The PSRA is a structured approach to identifying those groups of roles, or even specific positions, in the organisation which may be defined as high risk. The PSRA helps inform development of a number of risk treatments and internal controls, including design of Employee Vetting and Supplier Vetting Standards (also known as Employment Screening, Workforce Screening, Employee Due Diligence, Supplier Due Diligence or Supplier Integrity standards) and Continuous Monitoring Programs.

This alignment helps ensure that the vetting (background check) programs reconcile to the organisation’s inherent risks where the risk driver is a trusted insider with an adverse background, and that Continuous Monitoring Programs are risk-based and justifiable. The relationships between these high level concepts are illustrated in the following figure:

Organisational context shapes and influences PSRA design. Personnel Security risk treatments should correspond to a specific risk.

See my article here for more detail on the Personnel Security Risk Assessment process.

2. Identify your High Risk Roles

This involves an exercise to determine which position numbers (or groups / types of roles) have privileged access to your critical assets. This activity manually assigns a risk rating to each position, group or type of role in the company’s HR Position Control or HR Position Management registers, which are extracted from the organisation’s Human Resources Information System and may also be held in a directory such as Active Directory.

An example of the process used to identify high risk roles.

In some cases, the identification of High Risk Roles is undertaken as part of the Personnel Security Risk Assessment, whilst other organisations choose to do this as a discrete exercise.

3. Apply enhanced vetting to individuals occupying High Risk Roles

Many organisations run multiple levels of workforce screening (employment screening) for prospective and ongoing employees. Importantly, vetting looks at the employees’ overall background but does not consider their activity, behaviours or conduct within the organisation or on its networks (this is the role of Continuous Monitoring, below).

To manage cost and minimise unnecessary privacy intrusions, low risk roles will typically be subject to minimal screening processes – perhaps Identity Verification, Right to Work Entitlement (e.g. Working Visa or Citizenship), and Criminal Record Check. Vetting programs for High Risk Roles should be treatments for some of the risks identified through the Personnel Security Risk Assessment.

4. Conduct periodic ICT User Access Reviews

This should be undertaken on an ongoing basis as part of your cybersecurity hygiene, but users who have higher access privileges, administrator access, or access to critical assets should be periodically re-evaluated by line management to ensure this access is still required in the course of work. It is common to find people who are promoted or move laterally to new roles who inherit access privileges from previous roles which may no longer be required in subsequent roles.

Restricting Administrative Privileges is one of Australia’s Essential 8 Strategies to Mitigate Cyber Security Incidents, as published by the Australian Cyber Security Centre, which recommends revalidation at least every 12 months and that privileged user account access is automatically suspended after 45 days of inactivity.

Australian Cyber Security Centre (2022)
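A worked illustration of the access review described in step 4, written for this post as an added example (not the author's or the ACSC's own tooling): it checks a constructed extract of privileged accounts against the two Essential 8 thresholds quoted above (revalidation at least every 12 months, suspension after 45 days of inactivity) and flags entitlements that sit outside the holder's current role, the "inherited from a previous role" case. The role baseline and all account records are constructed sample data.

```python
"""Privileged-account access review against the Essential 8 thresholds quoted
above. Also flags entitlements not in the holder's current role baseline,
which are typically inherited from a previous role. All data is constructed."""
from datetime import date

REVALIDATION_MAX_DAYS = 365   # revalidate privileged access at least every 12 months
INACTIVITY_SUSPEND_DAYS = 45  # suspend privileged accounts after 45 days of inactivity

# Hypothetical baseline of entitlements expected for each role (constructed).
ROLE_BASELINE = {
    "payroll_clerk": {"hr_system_read"},
    "db_admin": {"hr_system_read", "prod_db_admin"},
    "sales_rep": {"crm_write"},
}

# Constructed extract of a directory / HR position register (not real accounts).
ACCOUNTS = [
    {"user": "alice", "role": "db_admin", "privileged": True,
     "last_logon": date(2022, 9, 1), "last_review": date(2022, 3, 1),
     "entitlements": {"hr_system_read", "prod_db_admin"}},
    {"user": "bob", "role": "sales_rep", "privileged": True,
     "last_logon": date(2022, 7, 1), "last_review": date(2021, 6, 1),
     "entitlements": {"crm_write", "prod_db_admin"}},  # kept from an old db_admin role
    {"user": "carol", "role": "payroll_clerk", "privileged": False,
     "last_logon": date(2022, 1, 1), "last_review": date(2021, 1, 1),
     "entitlements": {"hr_system_read"}},
]


def review_accounts(accounts, today):
    """Return {user: [findings]} for accounts that need line-management action.

    The inactivity and revalidation checks apply only to privileged accounts;
    the role-baseline check applies to everyone."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["privileged"]:
            if (today - acct["last_logon"]).days > INACTIVITY_SUSPEND_DAYS:
                issues.append("suspend: privileged account inactive > 45 days")
            if (today - acct["last_review"]).days > REVALIDATION_MAX_DAYS:
                issues.append("revalidate: privileged access not reviewed in 12 months")
        extra = acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            issues.append("remove: entitlements outside current role: "
                          + ", ".join(sorted(extra)))
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS, date(2022, 9, 15)).items():
        print(user, issues)
```

Run on the constructed data as at 15 September 2022, only bob is flagged, with all three findings; carol's stale dates are ignored because her account is not privileged.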

5. Apply continuous monitoring for users in high risk roles

Continuous Monitoring through the correlation of data points obtained through User Activity Monitoring and / or other advanced analytics or behavioural analytics-based insider risk detection solutions (such as DTEX Intercept, Microsoft Insider Risk or Exabeam) should be disproportionately focused towards those in High Risk Roles (see Albrethsen, 2017).

In summary, the identification and management of High Risk Roles should be a feature of any Insider Risk Management, Supply Chain Risk Management, or Research Security Program. Increasingly, various legislative frameworks – such as Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) regime – also consider the concept of High Risk Roles in their compliance programs as a way to manage personnel related risks. Don’t forget, given that High Risk Roles change periodically as the organisation changes, regular updates to related artefacts form part of a mature capability.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Applying the critical-path approach to insider risk management

What is the critical-path in relation to insider risks?

The ‘critical-path method’ (critical path approach) is a decision science method developed in the 1960’s for process management (Levy, Thompson, Wiest, 1963). In 2015, Shaw and Sellers applied this method to historical trusted insider cases and identified a pattern of behaviours which ‘troubled employees’ typically traverse before materialising as a malicious insider risk within their organisation.

Employees with concerning behaviours can sometimes manifest in the workplace
Photo by Inzmam Khan on

This research paper was written after a period of heightened malicious insider activity in the USA, including Edward Snowden, Bradley (Chelsea) Manning, Robert Hanssen and Nidal Hasan. Shaw and Sellers’ research identified four key steps down the ‘critical-path’ to becoming an insider threat, as follows:

  • Personal Predispositions: Hostile insider acts were found to be perpetrated by people with a range of specific predispositions
  • Personal, Professional and Financial Stressors: Individuals with these predispositions become more ‘at risk’ when they also experience life stressors which can push them further along the critical path;
  • Presence of ‘concerning behaviours’: Individuals may then exhibit problematic behaviours, such as violating internal policies or laws, or workplace misconduct
  • Problematic ‘organisational’ (employer) responses to those concerning behaviours: When the preceding events are not adequately addressed by the employer (either by a direct manager or the overall organisational response fails), concerning behaviours may progress to a hostile, destructive or malicious act.

Shaw and Sellers note that only a small percentage of employees will exhibit multiple risk factors at any given time, and that of this population, only a few will become malicious and engage in hostile or destructive acts. Shaw and Sellers also found a correlation between when an insider risk event actually transpires and periods of intense stress in that perpetrator’s life.


The ability to identify these risk factors early means managers may be able to help affected employees before they cross a red line and commit a hostile or destructive act from which there is no coming back – but only if a level of organisational trust exists and if co-workers / employees are aware of the signs. The research by Shaw and Sellers is summarised in the following figure, which has been overlaid against the typical ‘employee lifecycle’ for context:

Graphic of the critical path in relation to the typical employee lifecycle
The ‘critical path’ in relation to the employee lifecycle (Paul Curwell, 2020)

Shaw and Sellers found the likelihood of someone becoming an insider risk increases with the accumulation of individual risk factors, making early identification a priority which should help inform decisions by people managers within an organisation.

The critical path should help inform people-management decisions

Over the past decade, the focus on emotional and mental health and well-being has grown in western society (as highlighted by COVID-19). On the supply side, tight labour markets have focused the attention of managers towards maintaining employee engagement and retention. Society’s increasing openness to discussing mental health issues, including stress and anxiety, is helping provide a mechanism for earlier awareness of behavioural conditions which could trigger an employee or contractor to progress down the critical path and become a malicious insider.

Consequently, there are now various supports and interventions in the workplace and in society to help employees with personal predispositions who are experiencing life stressors. Examples of workplace assistance programs include:

  • Employee Assistance Programs – providing access to workplace psychological and counselling services
  • Financial counselling – for individuals who are over-extended in terms of credit or are struggling financially (this may include support restructuring personal debt to avoid bankruptcy)
  • Addiction-focused peer support and counselling – such as Gamblers Anonymous or Narcotics Anonymous

I’m sure that for some people, the increasing acceptance and willingness of society to be open to listening to colleagues who may be struggling helps to relieve the pressure somewhat, whereas historically these individuals may have been forced to suffer in silence.

It is critical employees feel adequately supported in the workplace to minimise insider risks
Photo by cottonbro on

The importance of these programs is that employees feel they are adequately supported, and that they are confident that if they self-report an issue they will not be vilified, disadvantaged long term, or even fired for doing so. This concept is referred to by the CDSE as ‘organisational trust’, which is a two-way street: employers and managers must be able to trust their workforce, but workers must also be able to trust that management and the organisation will do the right thing by them.

The role of continuous monitoring (insider risk detection) systems and the critical path

Preceding paragraphs discussed the three main steps in the critical path, being personal predispositions, life stressors and concerning behaviours. Some of these may be visible to colleagues, such as an employee who is visibly angry. However, other indicators, such as accessing sensitive information, office access at odd hours, or declining performance and engagement, may not be visible on the surface as ‘signs’ to co-workers.

Continuous monitoring and evaluation tools, otherwise known as Insider Risk (Threat) Detection or Workforce Intelligence systems, are advanced analytics-based solutions which integrate a variety of virtual (ICT), physical (e.g. access control badge data, shift rosters, employee performance reporting) and contextual information (e.g. the employee is in a high risk role, or the information accessed is sensitive and not required in the ordinary course of duty) in one central location.

Behavioural Analytics is typically marketed as a core component of software solutions on the market, although the way in which the behavioural analytics actually works may be a ‘black box’ with some vendors. These analytics tools are typically programmed to identify one or more indicators on the critical path, and generate ‘alerts’ or automated system notifications in response to an individual displaying the programmed indicators.

Most systems use some sort of identity masking, at least in the early stages of alert review and disposition, so that employees cannot be unnecessarily targeted or vilified – at least until there is sufficient material evidence of a problem to initiate an investigation under the employer’s workplace policies.
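To make the three preceding paragraphs concrete, here is an added example (not code from the author or from any of the vendors named) of the correlation such a system performs: constructed badge, file-access and HR-context records are joined per person, the two critical-path indicators named above (odd-hours office access, sensitive access not required for the role) are scored, the score is weighted towards High Risk Roles, and alerts are keyed by a keyed pseudonym so triage can proceed with identity masked. The indicator weights, thresholds, hours window and masking key are all placeholders an organisation would tune to its own context.

```python
"""Toy continuous-monitoring correlation over constructed data sources.
Scores critical-path indicators, weights toward high risk roles, and masks
identity with an HMAC pseudonym during triage. All data is constructed."""
import hashlib
import hmac
from datetime import datetime

# Constructed contextual (HR) data: role risk and whether sensitive access is a duty.
HR_CONTEXT = {
    "u100": {"high_risk_role": True, "needs_sensitive": False},
    "u200": {"high_risk_role": False, "needs_sensitive": True},
}
BADGE_EVENTS = [  # (user, door, timestamp) - constructed physical access data
    ("u100", "server_room", datetime(2022, 6, 3, 2, 15)),
    ("u200", "main_entry", datetime(2022, 6, 3, 9, 5)),
]
FILE_EVENTS = [  # (user, path, sensitivity) - constructed virtual (ICT) data
    ("u100", "/finance/forecast.xlsx", "sensitive"),
    ("u200", "/finance/forecast.xlsx", "sensitive"),
]

# Detection model: placeholder weights and threshold, to be tuned per organisation.
RULES = {"odd_hours_access": 2, "sensitive_not_required": 3,
         "high_risk_role_multiplier": 2, "alert_threshold": 4}
OFF_HOURS = (22, 6)  # placeholder: before 06:00 or from 22:00 counts as odd hours
MASK_KEY = b"constructed-triage-key"  # held by the monitoring team, not by analysts


def pseudonym(user):
    """Keyed pseudonym so alerts can be triaged without exposing identity."""
    return hmac.new(MASK_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def score_user(user):
    """Return (score, indicators) for one person across all data sources."""
    ctx = HR_CONTEXT[user]
    indicators = []
    if any(u == user and (ts.hour >= OFF_HOURS[0] or ts.hour < OFF_HOURS[1])
           for u, _, ts in BADGE_EVENTS):
        indicators.append("odd_hours_access")
    if not ctx["needs_sensitive"] and any(
            u == user and s == "sensitive" for u, _, s in FILE_EVENTS):
        indicators.append("sensitive_not_required")
    score = sum(RULES[i] for i in indicators)
    if ctx["high_risk_role"]:          # disproportionate focus on high risk roles
        score *= RULES["high_risk_role_multiplier"]
    return score, indicators


def generate_alerts():
    """Return alerts keyed by pseudonym for people at or above the threshold."""
    alerts = {}
    for user in HR_CONTEXT:
        score, indicators = score_user(user)
        if score >= RULES["alert_threshold"]:
            alerts[pseudonym(user)] = {"score": score, "indicators": indicators}
    return alerts


if __name__ == "__main__":
    print(generate_alerts())
```

On the constructed data, u100 (high risk role, 02:15 server-room badge, sensitive file not required for the role) scores 10 and produces the only alert; u200's identical file access is not flagged because sensitive access is part of that role.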

Continuous monitoring is key to address behavioural change over time
Photo by Christina Morillo on

Continuous monitoring systems require configuring for your organisation’s context

Importantly, as with any analytics-based intelligence or detection system, the system itself is only as good as what it is programmed to detect. Shaw and Sellers (2015) have this to say in relation to the blanket application of the Critical-Path Approach to every type of insider threat:

We do not suggest that this framework is a substitute for more specific risk evaluation methods, such as scales used for assessing violence risk, IP theft risk, or other specific insider activities. We suggest that the critical-path approach be used to detect the presence of general risk and the more specific scales be used to assess specific risk scenarios.

Shaw and Sellers (2015), Application of the Critical-Path Method to Evaluate Insider Risks

This highlights the importance of ensuring your system is properly tuned to your organisation’s inherent risks, and could require multiple detection models, each of which focuses on a specific risk (e.g. sabotage, workplace violence). Models or rules used by these systems must be tuned to the organisation’s specific threats and risks, and configured in a way that reflects the organisation’s unique operating context.

The ‘garbage in, garbage out’ principle applies here: if your organisation only uses simple out-of-the-box rules or detection models provided by the software vendor, it is unlikely these will detect the really critical risks to your business. Continuous monitoring and evaluation for insider risks is an area which is developing quite rapidly, and is influenced by the convergence of cybersecurity with protective security and integrity more generally. I will discuss these continuous monitoring and evaluation concepts in more detail in future posts.

Further Reading

  • Centre for Development of Security Excellence [CDSE] (2022). Maximizing Organizational Trust, Defense Personnel and Security Research Center (PERSEREC), U.S. Government.
  • Levy, F.K., Thompson, G.L., Wiest, J.D. (1963). The ABCs of the Critical Path Method, Process Management, Harvard Business Review, September 1963.
  • Shaw, E. and Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks, Studies in Intelligence Vol 59, No. 2 (June 2015), pp. 1-8, accessible here.
