Tag Archives: Insider Risk Framework

Who are SOCI Act Critical Workers?

Posted on by

Paul Curwell, CPP, CFE, CISSP

A recap on Australia’s SOCI Act

In 2022, Australia’s 2018 Security of Critical Infrastructure Act (SOCI Act or SOCI) was amended to strengthen the security and resilience of critical infrastructure. The number of industry sectors and asset classes deemed critical was expanded to eleven, and new legislative obligations were introduced for all Responsible Entities under SOCI.

Responsible Entities for a critical infrastructure asset are the bodies with ultimate operational responsibility for an asset.

A CIRMP is a Critical Infrastructure Risk Management Plan, as set out in the CIRMP Rules.

SOCI is a large, complex piece of legislation comprising the Act plus 5 Legislative Instruments (Rules). The CIRMP Rules, which became law on 17 February 2023, also require compliance with one of 5 accepted information security frameworks (although further time has been granted for organisations to complete these cybersecurity uplifts). To comply, Responsible Entities have 6 months to develop a CIRMP (i.e., by 18 August 2023).

In my opinion the focus of SOCI on uplifting national resilience is much needed in Australia and should be applauded, although it is noted that interpreting SOCI requires careful reading and research. Implementation is complicated by changes to legislation during the parliamentary processes which affects relevance of the guidance material.

scenic photo of water dam during daytime
Photo by Frans van Heerden on Pexels.com

How is a ‘critical worker’ defined?

Part 1, Divn 2, Section 5 of the SOCI Act

The term ‘Critical Worker’ means an individual, where the following conditions are satisfied:

(a) the individual is an employee, intern, contractor or subcontractor of the responsible entity for a critical infrastructure asset to which Part 2A applies (i.e., the asset is subject to a CIRMP);

(b) the absence or compromise of the individual:

(i) would prevent the proper function of the asset; or

(ii) could cause significant damage to the asset; as assessed by the responsible entity for the asset;

(c) the individual has access to, or control and management of, a critical component of the asset

Meeting all elements of the above test is required to be deemed a ‘Critical Worker’. Note that Element (b) applies both an insider threat and business continuity lens to identify those who could prevent the asset’s operation or cause significant damage.

Whilst not linked to personnel in the legislation, the way in which potential risk events could cause significant damage would ideally be via risk assessment based on residual risk ratings determined by the Responsible Entity.

What steps do I need to take to manage ‘Personnel Hazards’ under the Rules?

Identifying Critical Workers is only the start of the Personnel risk management process. Appropriate security measures and access controls must be implemented to ensure only Critical Workers who have passed the AusCheck (or comparable) processes gain access. Responsible Entities must also take reasonable steps to minimise or eliminate trusted insider risks (insider threats), including during the offboarding process.

Section 9 Personnel hazards

        (1)     For paragraph 30AH(1)(c) of the Act, for personnel hazards, a responsible entity must establish and maintain a process or system in the entity’s CIRMP:

(a)   to identify the entity’s critical workers; and

(b)   to permit a critical worker access to critical components of the CI asset only where the critical worker has been assessed to be suitable to have such access; and

(c)   as far as it is reasonably practicable to do so—to minimise or eliminate the following material risks:

             (i)  arising from malicious or negligent employees or contractors; and

            (ii)  arising from the off-boarding process for outgoing employees and contractors. 

Conceptually, getting your head around the idea that some positions in an organisation pose higher risks than others can take time. Some months ago, I wrote this primer on understanding high risk roles which may assist.

Understanding High Risk Roles

The High Risk Role concept is only one element of what SOCI calls Personnel Hazards. Whilst not mentioned in SOCI, a Personnel Security Risk Assessment is a broader activity used by the UK’s National Protective Security Agency and which provides the level of traceability and scruitiny needed to identify, assess and mitigate Personnel Hazards.

What is a Personnel Security Risk Assessment?

What are the implications for employers?

Employers of Critical Workers need to confront the fact that some employees or contractors (or those of their suppliers) may not pass the AusCheck process. Three options are likely for each individual:

  • Employees (or employees of a critical supplier) who meet the ‘critical worker’ test voluntarily submit to the AusCheck process, with no impacts to employee engagement or employment contracts
  • Employees (or employees of a critical supplier) with existing employment contracts object to participating in AusCheck along the grounds of ‘conscientious objections’ or the suspicion they may fail
  • Employees (or employees of a critical supplier) fail the AusCheck process

Conceivably, managing the legal, financial and workplace relations implications of people who object to, or fail, the AusCheck process could be onerous, especially for industries which have not historically employed rigorous workforce screening.

Designing your workforce screening program

Real dilemmas are likely to be encountered by smaller Responsible Entities’ whose operations are not big enough to separate their critical and non-critical operations. This may mean those employers cannot move employees who fail or object to AusCheck into non-critical worker roles as there may not be any available. One thing is clear: Employers need to be proactive and focus on what this could mean for their workforce as early as possible. Every new employment contract issued before August that does not adequately address this issue may need future remediation.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Workforce Screening Programs should include your suppliers

Posted on by

Paul Curwell, CPP, CFE, CISSP

Insider Threats are often overlooked when it comes to your supply chain, but suppliers are a key source of trusted insider risks.These risks need to be identified and incorporated into procurement decisions and sourcing contracts, inclusive of contractual obligations by suppliers to conform to your requirements. This may well incur additional costs, making it important for buyers to work collaboratively with their suppliers to agree an approach that is workable for all parties. This may mean buyers need to change their processes to mitigate a risk rather than transferring the management of this risk to a supplier.

Workforce Screening is a foundational element that should be included in any supplier agreements, but its application needs to be targeted towards the buyers material risks. This article explores this challenge, provides suggestions on good practice, and discusses the role of supplier assurance in relation to Workforce Screening Programs.

Many businesses are complex ecosystems with different parties - employees, contractors, suppliers, visitors - constantly interacting.
Photo by Ralph Chang on Pexels.com

We need to recognise that suppliers also pose trusted insider risks

Suppliers and Third Parties are a core part of the ecosystem for every business enterprise. By the nature of their roles and functions, many suppliers and other third parties have privileged access to their client’s (i.e. your organisation) information, systems and critical assets. Examples of trusted insider access by suppliers include:

  • Service providers with remote access to critical systems or networks, such as Programmable Logic Controllers (PLCs) or Operational Technology (OT) systems
  • Outsourced IT managed services
  • Managed data centres
  • Contract Manufacturers and Contract Research Organisations (CROs, CMOs)
  • Outsourced Clinical Trials Managers
  • Distribution Centres for order fulfilment
  • Repackaging and relabelling services
  • Recruitment, accounting, audit, consulting and law firms and insurance brokers
  • Corporate catering, cleaning services

Many more services can be added to this list: clearly, the breadth and scope of functions performed by suppliers today is nearly ubiquitous – this needs to be taken into account when identifying insider risks.

Suppliers, as outsourced service providers, often have direct and unsupervised access to a business' most critical assets without us realising.

Existing practices often fail to properly assess supplier-insider risks

Supplier-insider risks need to be managed with a degree of foresight given that supplier contracts are often multi-year agreements with the potential for extensions. This means that failing to incorporate the necessary provisions upfront may create a vulnerability for multiple years or even a decade.

Understanding the insider risk posed by your supplier’s workforce begins with identification of your High Risk Roles – are any of those outsourced? This information informs your Personnel Security Risk Assessment which qualifies the inherent risk and determines whether internal control coverage is adequate for your risk appetite.

The gap between inherent and residual risk where the risk actor is a member of your supplier’s workforce is what you may need to address through any Supplier Agreement using tools such as a Workforce Screening Program. This process justifies which members of your supplier’s workforce need screening and to what extent, and why based on their access to your organisation’s assets.

Suppliers should be contracted to implement your Workforce Screening program

Security and integrity is seen by many as a business enabler, but many businesses still see it as a cost and management overhead. It is not uncommon to find suppliers with either no security or integrity program, or that lack the requsite level of capability maturity required to manage complex risks that may arise in their customers’ business.

It goes without saying that buyers need to provide guidance to their suppliers on their expectations, just like any other aspect of the sourcing process. Considerations on leading practices for supplier-insider risk management include:

  • Imposing contractual obligations to maintain a risk based security and integrity program that conforms to your organisations standards and policies
  • Providing a copy of your current workforce screening standard and other continuous monitoring information to ensure your supplier knows exactly what they need to do to comply
  • As a buyer, performing continuous monitoring (insider threat detection) of your supplier’s interactions with your endpoints, network access and critical assets (including your most valuable information) – don’t rely on anyone else to do this
  • Incorporating requirements for a time-bounded escalation or notification mechanism obligating your suppliers to inform you of certain types of incidents within defined timeframes
  • Ensuring appropriate supplier assurance and supplier audit / investigations clauses are included in your contracts and don’t be afraid to use them

These practices could also be incorporated into your Supplier Integrity Framework.

checking information in documents
Photo by Alexander Suhorucov on Pexels.com

Workforce Screening should be incorporated into ongoing Supplier Assurance

Just because there is a contractual requirement to do something does not mean a counterparty will comply, or that they have the internal governance mechanisms to keep track of this. In some cases, counterparties start out with the best of intentions, but some years after contract signing business may get tough or management may change and contract compliance could slip as a result. Supplier assurance (vendor assurance) programs are intended to regularly monitor or reivew key aspects of a supplier’s compliance with contract.

Ensuring contract compliance with Workforce Screening and other Insider Risk obligations should form part of any supplier assurance program, however this should be supplimented with insights from period updates to your Personnel Security Risk Assessment, Register of High Risk Roles, and revisions to your Workforce Screening Program Guideline (standard) to ensure supplier practices correspond to your inherent risks and risk appetite.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Microsoft Purview Information Protection – an overview

Posted on by

Author: Paul Curwell

It’s April 2022 – enter, Microsoft Purview

In 2017, Microsoft introduced its cloud-based Microsoft 365 solution, offering a range of personal and business applications to customers. Then, in April 2022, the Microsoft Purview platform was unveiled, combining fuctionality previously called Azure Purview with what was then Microsoft 365 Compliance, providing a host of new tools and functionality for corporate teams involved in protecting and managing sensitive data, including:

  • Microsoft Purview Insider Risk Management
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Data Lifecycle and Records Management
  • Microsoft Purview eDiscovery
  • Various legal holds, auditing and compliance tools, and,
  • Microsoft Purview Information Protection

These solutions are Microsoft’s answer to a range of risk, compliance and security problems which commonly arise in businesses across a range of industries. They are designed to largely be implemented out of the box with configuration (as opposed to customisation); however, more advanced technical skills are required to setup features such as APIs, perform PowerShell coding, and undertake other technical tasks.

Microsoft Purview solution catlogue
Microsoft (2022). Microsoft Purview – Solution Catalogue

Remember: technology is not the first or only step!

I’ve written numerous articles on the importance of protecting sensitive business information, Intellectual Property, and research on this blog, but irrespective of what you are protecting it all starts with a good Information Protection Program.

A well-designed Information Protection Program starts with a fit for purpose framework, supported by policies (such as a Code of Conduct, employment and IT Acceptable Use policies) to confidential information naming conventions, appropriate physical / cyber and personnel security programs, security culture and awareness training, and physical and ICT (virtual) monitoring and auditing.

Once your Information Protection Program is developed, Microsoft Purview Information Protection contains a range of tools to help implement and sustain that program over time. Like any software, Microsoft Purview Information Protection is not a substitute for a good Information Protection Program. Conversely, in today’s data and technology rich environment, Information Protection Programs are unlikely to be truly effective without tools like those offered by Microsoft.

man wearing black blazer
Photo by Caleb Oquendo on Pexels.com

Let’s cut to the chase: Microsoft Purview Information Protection is suitable to help manage a variety of information types, including:

  • Trade Secrets
  • Personally identifiable information (PII)
  • Confidential business information (pricing, customer lists, strategies, etc)
  • Research data (eg pre-patent, draft papers), and,
  • Government classified information

Whether Microsoft Purview Information Protection is suitable for managing your organisations information risk profile is subject to a few considerations, including:

  • Is your sensitive information stored outside of a Microsoft 365 environment?
  • Do your employees use offline systems, paper records, personal devices or endpoints which are not centrally managed or onboarded?
  • Do your suppliers create or replicate your sensitive information on their systems, out of reach of your management and control?

If you have answered yes to any of the above, you may only have partial protection from Microsoft Purview Information Protection without changes to the way your organisation operates.

What features does Microsoft Purview Information Protection offer?

In my opinion, Microsoft Purview offers a range of great tools out of the box which are suitable for many organisations, particularly those which generate and manage sensitive information within the Microsoft ecosystem. Primary data protection tools include:

  • Sensitivity labels – provides the tools to classify documents, files, emails and other datasets using your organisation’s information classification scheme (i.e. confidential, proprietary, commercial-in-confidence). This is one area where Microsoft Purview configuration needs to reflect the framework and polices setup in your Information Protection Program.
  • Sensitive information types – these are pattern-based classifiers, and used to find datasets containing defined data patterns, such as the format of a Medicare or Tax File Number, BSB and Bank Account etc. Microsoft Purview comes with a host of sensitive information types pre-defined out of the box, saving configuration time and effort.
  • Trainable classifiers – the ability to train in-built AI tools to identify and classify datasets based on their attributes. Like all AI tools, this requires a sufficient sample size to learn from, and works best for content not suited to manual (human) or automated-pattern matching (keywords such as ‘confidential’, text strings such as credit card numbers, and file metadata).
  • Data classification – provides a host of tools for managers of a Information Protection Program to view and understand how the program is being implemented by users, where sensitive information resides in the organisation (e.g. by type, sensitivity label, etc), and host of other features. This can help inform identification of High Risk Roles and Personnel Security Risk Assessments to inform Workforce Screening Program design, as well as inform implementation of Information Protection Programs and control improvement plans.
white caution cone on keyboard
Photo by Fernando Arcos on Pexels.com

I’m enthusiastic about the ability of Microsoft Purview to bring Information Protection, eDiscovery and Insider Risk Management capabilities to small and mid-sized organisations which otherwise might not be able to afford to implement and maintain different vendor solutions to achieve the same outcome.

Two questions I have is what the buyer profile is for E5 licensing in Australia (are these primarily large corporates, or can small to mid-sized organisations afford this as well?), and of the current E5 buyers, how many have actually turned this functionality on. I haven’t been able to find information on Microsoft’s market penetration in Australia, so answers to my questions will need to wait for another day! For organisations who are interested, Microsoft offers a 90-day free trial.

Perhaps most importantly, I strongly recommend you already have an Information Protection Program either operating or the framework development well underway before you procure or implement any technology solution. Pleasingly, so does Microsoft!

Not only will this inform your business requirements and business case, but it will ensure that the technology solution is implemented in a way that actually aligns with the way your organisation operates. There is nothing worse than when technology, rather than business need, dictates your operating model.

Operationalising your Information Protection Program

All too often, I see cases where organisations have purchased a software solution and expect this will address all their ills. Technology is an enabler that can enhance the effectiveness of an Information Protection Program, but is is not a substitute for implementing the program itself.

Like any technology solution, using Microsoft Purview requires regular attention and maintenance to ensure it does what was intended and is not impacting business users unnecessarily. Microsoft Purview will need periodic adjustment as your organisation changes, such as where new sensitive projects are setup that requiring new sensitivity labels, or in response to insider threat events.

Minimising problems for capabilities ‘in operation’ will require someone (or a team) who has an apprecation of both the Information Protection Program and Microsoft Purview, as well as change management to minimise adverse user outcomes.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What is a Personnel Security Risk Assessment?

Posted on by

Paul Curwell, CPP, CFE, CISSP

Why do a Personnel Security Risk Assessment?

Trusted Insiders – employees, contractors, suppliers and business partners – are the ideal threat vector given their legitimate access and inside knowledge, yet many businesses are immature in the way they manage these risks.

A 2007 CPNI survey found many organisations don’t employ a structured approach to Personnel security, leading to development of guidance material on Personnel Security Risk Assessments (PSRA) to change the status quo. My experience is this dial hasn’t really shifted in Australia since the survey was published. The PRSA forms the basis of a structured, risk-based approach to managing insider risk.

A team is only as strong as its weakest link: Personnel Security helps mitigate some risks.

What is a Personnel Security Risk Assessment?

The PSRA enables business to focus its limited prevention, detection and response resources to those areas, and position numbers (roles), of highest risk. In high security organisations, this often translates to low risk staff not being exposed to intrusive background investigations and ongoing monitoring in comparison to staff in high risk roles.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

The PSRA also informs design of an organisational vetting standards (i.e. what background checks are performed given the risk). This ensures employees are not subjected to intrusive checks and expenses incurred by the business for no real purpose.

Under the CPNI methodology, there are three types of PSRA:

  • Organisational PSRA – identifies enterprise level threats and risks, including the main risk types. Organisational PSRAs lack sufficient detail to identify business unit specific risks and corresponding internal controls.
  • Group PSRA – focused at the Business Unit level (or lower) or alternately specific functional groups (e.g. finance, engineering, ICT, senior executives).
  • Individual PSRA – focuses on the risk a specific individual poses, typically managed through vetting (employment screening / background investigations) and Continuous Monitoring / Continuous Evaluation (CM/CE).

The remainder of this article focuses on Organisational and Group PSRAs.

Trusted insiders have access to valuable information and assets by virtue of their roles.

How do you complete a PSRA?

The PSRA follows the ISO31000 methodology, as follows:

Step 1 – Scoping

As with any risk assessment, scoping is probably the most important step as it can inadvertantly exclude material risks. When scoping, I ask questions such as:

  • What is the organisation’s strategy?
  • What are the critical assets (or core business activities) requiring protection?
  • What regulatory or ‘social licence to operate’ considerations are there?
  • What does the threat landscape look like (determined by the threat assessment)?
  • What are the organisation’s high risk roles?

Understanding these factors allows the PSRA to be properly scoped.

Setting the context for the PSRA - from context to treatment

Step 2 – Risk Identification

Risk Identification involves identifying sources of risk involving employees, contractors and other trusted insiders. Not every risk is applicable to every organisation, so there is an element of qualifying suggested risks whilst building the risk register.

Common categories of Personnel Security risk include:

Step 3 – Risk Analysis

Once identified, the risk assessment process can begin. This involves determining the Consequence and Likelihood of any risk materialising (i.e. a ‘risk event’). This formula results in the determination of a risk rating. It is customary to provide two risk ratings – inherent and residual – reflecting ratings without and with internal control coverage.

Adequate control coverage has the effect of reducing either the consequence or likelihood of a risk event occurring, whilst inadequate or ineffective control coverage has the opposite effect.

The ISO31000 Risk Assessment. Illustrating the effect of applying controls on an inherent risk as part of the risk treatment process.

Step 4 – Risk Evaluation

Risk Evaluation involves determining whether the risk rating assigned to a given risk lies within the organisation’s risk tolerance (‘risk appetite’). This is a topic in itself which I will cover later, however for any risk treatment there are four options:

  • Accept the risk
  • Reject the risk (i.e. don’t do something)
  • Transfer the risk (e.g. to a supplier, insurer)
  • Treat the risk

Step 5 – Risk Treatment

Risk treatment requires evaluating the specific situation to determine how you can change a situation to reduce or modify the risk. Ways to treat personnel security risks include:

  • Implementing additional controls such as vetting, user activity monitoring or management oversight
  • Business process redesign to increase transparency or reduce the need for high level account privileges
  • Policy changes, including implementing and enforcing compliance via IT systems
  • Use of analytics for insider threat detection
  • Implementing and communicating internal reporting programs for staff who identify suspicious acticity
  • Cultural change and security awareness training

Risk treatment plans should be incorporated into programs, frameworks, policies, systems or business processes to ensure they are implemented effectively.

Step 6 – Communication and Consultation

Communicating throughout any risk assessment process is critical, as is engaging with stakeholders including management and relevant business functions (e.g. HR, Legal, Security, Risk, etc) when completing the risk assessement, evaluation and treatement process. Employee representatives are another critical stakeholder group to ensure their privacy is respected.

Step 7 – Monitoring and Review

The last step in the PSRA process is to ensure the assessment is periodically updated, ideally through an annual or biannual refresh depending on the extent of change in your organisation. The longer personnel security risks go unrecognised, the greater the vulnerability.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Understanding High Risk Roles

Posted on by

Paul Curwell, CPP, CFE, CISSP

What are High Risk Roles?

Understanding the concept of High Risk Roles begins with the concept of assets. There are generally agreed to be two categories of asset – tangible (e.g. physical things) and intangible (e.g. knowledge). Examples of tangible assets include property (facilities), information (including intellectual property and trade secrets), reputation, people (workforce), systems and infrastructure, and stock or merchandise.

Every business is comprised of a variety of different roles, each of which poses a different risk.
Photo by Matheus Bertelli on Pexels.com

Whilst loss, degradation or compromise of an asset may cause a financial loss or inconvenience, not all assets are critical to an organisation’s survival: Those assets which are critical are often referred to as ‘critical assets‘.

Definition: Critical Assets
A ‘Critical Asset‘ is an asset which the organisation has a high level of dependence on; that is, without that critical asset the organisation may not be able to perform or function.

Paul Curwell (2022)

Critical assets typically comprise only a small fraction of all assets held by any organisation, but their loss causes a disproportionately high business impact. In security risk management, we never have enough resources to treat every risk, nor does it make sense to do so. By extension, an organisation’s critical assets are those assets which it must use disproprotionately more resources to protect. This may range from restricting access to the asset to prevent loss or damage through to providing multiple layers of redundancy and increasing organisational resilience in the event of unanticipated shocks or events.

Not every activity is critical: its important to identify these and focus limited resourced on what's really important.
Photo by Pixabay on Pexels.com

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

High Risk Roles: What are they and why are they important?

High Risk Roles are those which confer privileged access to an organisation’s critical assets, as well as other types of access privileges, user privileges, or delegations of authority.

High and Low Risk Roles Defined

High Risk Roles – those which confer privileged access to Critical Assets (including information) or decision-making rights
Low Risk Roles – those which confer normal access to Critical Assets, information or decision-making rights (i.e., non-privileged).

Paul Curwell (2022)

The concept of privileged access to assets, including information, is very much situational within the organisation concerned. If an organisation has no controls to protect its critical assets from loss, damage or interference, then every role is effectively high risk.

In contrast, if some roles are subject to less controls, supervision or oversight; senior staff are easily able to bypass or compromise internal controls by virtue of their position (or coerce junior employees or subordinates into doing so); or are more readily able to access critical assets (such as in organisations where critical assets are closely guarded or ‘locked down’), then a higher degree of trust is inherently placed in those individuals. This degree of trust is reflected in their ‘privileged access’ to these assets – some organisations have historically used the term ‘positions of trust’ to refer to such roles.

What are some examples of privileged access which make a position ‘high risk’?

An organisation’s workforce must have access to its critical assets to perform its core functions. Members of the workforce with access to its critical assets may not just comprise trusted employees, but also contractors, suppliers and other third parties, making it essential to have a mechanism to track who has access to what as part of good governance, let alone risk management and assurance. Examples of postitions which an employer may deem ‘high risk roles’ based on a risk assessment process include:

Unless defined by legislation, what constitutes a High Risk Role will differ between organisations. Some organisations use the Personnel Security Risk Assessment as a tool for identifying these roles (refer below).

The more senior an employee's position, the greater the potential risk exposure.
Photo by Andrea Piacquadio on Pexels.com

Five suggested tools to manage High Risk Roles

As outlined in the preceding paragraphs, the purpose of defining High Risk Roles is to identify the subset of your overall workforce which has privileged access to critical assets. In most organisations, perhaps with the exception of smaller organisations such as startups, those in High Risk Roles will comprise a very small percentage of the overall workforce. There are five main steps in managing high risk roles, as follows:

1. Personnel Security Risk Assessment (PSRA)

The purpose of the PSRA is a structured approach to identifying those groups of roles, or even specific positions, in the organisation which may be defined as high risk. The PSRA helps inform development of a number of risk treatments and internal controls, including design of Employee Vetting and Supplier Vetting Standards (also known as Employment Screening, Workforce Screening, Employee Due Diligence or Supplier Due Diligence or Supplier Integrity standards) and Continuous Monitoring Programs.

This alignment helps ensuring that the vetting (background check) programs reconcile to the organisation’s inherent risks where the risk driver is a trusted insider with an adverse background, and that Continous Monitoring Programs are risk-based and justifiable. The relationships between these high level concepts is illustrated in the following figure:

Organisational context shapes and influences PSRA design. Personnel Security risk treatments should correspond to a specific risk.

See my article here for more detail on Personnel Security Risk Assessment process.

2. Identify your High Risk Roles

This involves an exercise to determine which position numbers (or groups / types of roles) have privileged access to your critical assets. This activity manually assigns a risk rating to each position, group or type of role in the company’s HR Position Control or HR Position Management registers extracted from the organisation’s Human Resources Information System and might be stored somewhere such as Active Directory.

An example of the process used to identify high risk roles.

In some cases, the identification of High Risk Roles is undertaken as part of the Personnel Security Risk Assessment, whilst other organisations chose to do this as a discreet exercise.

3. Apply enhanced vetting to individuals occupying High Risk Roles

Many organisations run multiple levels of workforce screening (employment screening) for prospective and ongoing employees. Importantly, vetting looks at the employees’ overall background but does not consider their activity, behaviours or conduct within the organisation or on its networks (this is the role of Continuous Monitoring, below).

To manage cost and minimise unnecessary privacy intrusions, low risk roles will typically be subject to minimal screening processes – perhaps Identity Verification, Right to Work Entitlement (e.g. Working Visa or Citizenship), and Criminal Record Check. Vetting programs for High Risk Roles should be treatments for some of the risks identified through the Personnel Security Risk Assessment.

4. Conduct periodic ICT User Access Reviews

This should be undertaken on an ongoing basis as part of your cybersecurity hygiene, but Users who have higher access privileges, administor access, or access to critical assets should be periodically re-evaluated by line management to ensure this access is still required in the course of work. It is common to find people who are promoted or move laterally to new roles who inherit access privileges from previous roles which may no longer be required in subsequent roles.

Restricting Administrative Privileges is one of Australia’s Essential 8 Strategies to Mitigate Cyber Security Incidents, as published by the Australian Cyber Security Centre, which recommends revalidation at least every 12 months and that privileged user account access is automatically suspended after 45 days of inactivity.

Australian Cyber SEcurity Centre (2022)

5. Apply continuous monitoring for users in high risk roles

Continuous Monitoring through the correlation of data points obtained through User Activity Monitoring and / or other advanced analytics or behavioural analytics-based insider risk detection solutions (such as DTEX Intercept, Microsoft Insider Risk or Exabeam) should be disproportionately focused towards those in High Risk Roles (see Albrethsen, 2017).

In summary, the identification and management of High Risk Roles should be a feature of any Insider Risk Management, Supply Chain Risk Management, or Research Security Program. Increasingly, various legislative frameworks – such as Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) regime – also consider the concept of High Risk Roles in their compliance programs as a way to manage personnel related risks. Don’t forget, given that High Risk Roles change periodically as the organisation changes, regular updates to related artefacts form part of a mature capability.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Applying the critical-path approach to insider risk management

Posted on by

Paul Curwell, CPP, CFE, CISSP

What is the critical-path in relation to insider risks?

The ‘critical-path method’ (critical path approach) is a decision science method developed in the 1960’s for process management (Levy, Thompson, Wiest, 1963). In 2015, Shaw and Sellers applied this method to historical trusted insider cases and identified a pattern of behaviours which ‘troubled employees’ typically traverse before materialising as a malicious insider risk within their organisation.

Employees with concerning behaviours can sometimes manifest in the workpalce
Photo by Inzmam Khan on Pexels.com

This research paper was written after a period of hightened malicious insider activity in the USA, including Edward Snowden, Bradley (Chelsea) Manning, Robert Hansen and Nidal Hasan. Shaw and Seller’s research identified four key steps down the ‘critical-path’ to becoming an insider threat, as follows:

  • Personal Predispositions: Hostile insider acts were found to be perpetrated by people with a range of specific predispositions
  • Personal, Professional and Financial Stressors: Individuals with these predispositions become more ‘at risk’ when they also experience life stressors which can push them further along the critical path;
  • Presence of ‘concerning behaviours’: Individuals may then exhibit problematic behaviours, such as violating internal policies or laws, or workplace misconduct
  • Problematic ‘organisational’ (employer) responses to those concerning behaviours: When the preceding events are not adequately addressed by the employer (either by a direct manager or the overall organisational response fails), concerning behaviours may progress to a hostile, destructive or malicious act.

Shaw and Sellers note that only a small percentage of employees will exhibit multiple risk factors at any given time, and that of this population, only a few will become malicious and engage in hostile or destructive acts. Shaw and Sellers also found a correlation between when an insider risk event actually transpires and periods of intense stress in that perpetrator’s life.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

The ability to identify these risk factors early means managers may be able to help affected employees before they cross a red line and commit a hostile or destructive act from which there is no coming back – but only if a level of organisational trust exists and if co-workers / employees are aware of the signs. The research by Shaw and Sellers is summarised in the following figure, which has been overlaid against the typical ’employee lifecycle’ for context:

Graphic of the critical path in relation to the typical employee lifecycle
The ‘critical path’ in relation to the employee lifecycle (Paul Curwell, 2020)

Shaw and Sellers found the likelihood of someone becoming an insider risk increases with the accumulation of individual risk factors, making early identification a priority which should help inform decisions by people managers within an organisation.

The critical path should help inform people-management decisions

Over the past decade, the focus of emotional and mental health and well-being has grown in western society (as highlighted by COVID 19). On the supply side, tight labour markets have focussed the attention of managers towards maintaining employee engagement and retention. Society’s increasing openness to discussing mental health issues, including stress and anxiety, is helping provide a mechanism for earlier awareness of behavioural conditions which could trigger an employee or contractor to progress down the critical path and become a malicious insider.

Consequently, there are now various supports and interventions in the workplace and in society to help employees with personal predispositions who are experiencing life stressors. Examples of workplace assistance programs include:

  • Employee Assistance Programs – providing access to workplace psychological and counselling services
  • Financial counselling – for individuals who are over-extended in terms of credit or are struggling financially (this may include support restructuring personal debt to avoid bankruptcy)
  • Addiction-focused peer support and counselling – such as Gamblers Anonymous or Narcotics Anonymous

I’m sure that for some people, the increasing acceptance and willingness of society to be open to listening to colleagues who may be struggling helps to relieve the pressure somewhat, whereas historically these individuals may have been forced to suffer in silence.

It is critical employees feel adequately supported in the workplace to minimise insider risks
Photo by cottonbro on Pexels.com

The importance of these programs is that employees feel they are adequately supported, and that they are confident that if they self report an issue they will not be vilified, disadvantaged long term, or even fired for doing so. This concept is referred to by the CDSE as ‘organisational trust‘, which is a two-way street: Employers and managers must be able to trust their workforce, but workers must also be able to trust that management and the organisation will do the right thing by them.

The role of continuous monitoring (insider risk detection) systems and the critical path

Preceding paragraphs discussed the three main steps in the critical path, being personal predispositions, life stressors and concerning behaviors. Some of these may be visible to colleagues, such as an employee who is visibly angry. However, other indicators, such as accessing sensitive information, office access at odd hours, declining performance and engagement, may not be visible on the surface as ‘signs’ to co-workers.

Continous monitoring and evaluation tools, otherwise known as Insider Risk (Threat) Detection or Workforce Intelligence systems, are advanced analytics based solutions which integrate a variety of virtual (ICT), physical (e.g. access control badge data, shift rosters, employee performance reporting) and contextual information (e.g. employee is in a high risk role, information access is sensitive and not required in ordinary course of duty) in one central location.

Behavioural Analytics is typically marketed as a core component of software solutions on the market, although the way in which the behavioural analytics actually works may be a ‘black box’ with some vendors. These analytics tools are typically programmed to identify one or more indicators on the critical path, and generate ‘alerts’ or automated system notifications in response to an individual displaying the programmed indicators.

Most systems use some sort of identity masking, at least in the early stages of alert review and disposition, so that employees cannot be unncessarily targeted or vilified – at least until there is sufficient material evidence that suggests a problem which is sufficient to initate an investigation under the employer’s workplace policies.

Continuous monitoring is key to address behavioural change over time
Photo by Christina Morillo on Pexels.com

Continous monitoring systems require configuring for your organisation’s context

Importantly, as with any analytics-based intelligence or detection system, the system itself is only as good as what it is programmed to detect. Shaw and Sellers (2015) have this to say in relation to the blanket application of the Critical-Path Approach to every type of insider threat:

We do not suggest that this framework is a substitute for more specific risk evaluation methods, such as scales used for assessing violence risk, IP theft risk, or other specific insider activities. We suggest that the critical-path approach be used to detect the presence of general risk and the more specific scales be used to assess specific risk scenarios.

Shaw and Sellers (2015), Application of the Critical-Path Method
to Evaluate Insider Risks

This highlights the importance of ensuring your system is properly tuned to your organisation’s inherent risks, and could require multiple detection models, each of which focuses on a specific risk (e.g. sabotage, workplace violence). Models or rules used by these systems must be tuned to the organisation’s specific threats and risks, and configured in a way that reflects the organisation’s unique operating context.

The ‘garbage in, garbage out’ principle applies here: If your organisation only uses simple out of the box rules or detection models provided by the software vendor, it is unlikely these will detect the really critical risks to your business. Continous monitoring and evaluation for insider risks is an area which is developing quite rapidly, and is influenced by the convergence of cybersecurity with protective security and integrity more generally. I will discuss these continuous monitoring and evaluation concepts in more detail in future posts.

Further Reading

  • Centre for Development of Security Excellence [CDSE], (2022). Maximizing Organizational Trust, Defense Personnel and Security Research Center (PERSEREC), U.S. Government
  • Levy, F.K., Thompson, G.L, Wiest, J.D. (1963). The ABCs of the Critical Path Method, Process Management, Harvard Business Review, September 1963, https://hbr.org/1963/09/the-abcs-of-the-critical-path-method
  • Shaw, E. and Sellers, L. (2015). Application of the Critical-Path Method to Evaluate Insider Risks, Studies in Intelligence Vol 59, No. 2 (June 2015), pp. 1-8, accessible here.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What’s the problem with conflicts of interest?

Posted on by

Paul Curwell, CPP, CFE, CISSP

Photo by Brett Jordan on Pexels.com

What are conflicts of interest?

At their core, conflicts of interest are about integrity. ‘Conflict of interest‘ arise in situations where employees or third party legal entities such as vendors or business partners (including employees of those third parties) could be influenced, or where it could be perceived that they are influenced, by a ‘personal’ interest in carrying out their duty (Commonwealth Ombudsman 2017).

In this sense, ‘personal’ interest refers to perceived or actual benefits being derived, ranging from money to relationships or reputation. There are three forms of conflicts of interest (Commonwealth Ombudsman 2017):

  • Actual conflict – where a direct conflict arises between an individual or entity’s personal interest and their fiduciary duties
  • Perceived conflict – situations where others might perceive a conflict (even if an actual conflict does not exist)
  • Potential conflict – situations which in the future could give rise to an actual or perceived conflict of interest but have not yet happened

Are conflicts of interest fraud?

Conflicts of interest are considered one of four ‘corruption schemes‘ by the Association of Certified Fraud Examiners (ACFE), the other three being bribery, illegal gratuities, and economic extortion. However, unlike some types of fraud, an actual conflict of interest only becomes fraudulent if it is not declared.

Photo by Brett Jordan on Pexels.com

Declaring a conflict of interest (whether actual, perceived or potential) provides an opportunity for it to be managed, which could include the conflicted party recusing themselves from the conflicting situation or decision, or declaring this conflict to peers (such as where a board member is conflicted through multiple interests).

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

How do conflicts of interest arise?

Conflicts of interest arise can either intentionally or unintentionally (Commonwealth Ombudsman 2017) :

  • Intentional conflicts occur where an individual or legal entity knowingly puts itself in a conflicting situation. This could arise where a potential conflict is entered into with the full knowledge of all affected parties (and appropriately managed), or where the party gaining a personal benefit attempts to conceal the conflict (fraud)
  • Unintentional conflicts arise from poor management or awareness by affected parties, such as where employees do not recieve conflicts of interest awareness training, employers do not have conflicts of interest policies or require attestations.
Photo by Jopwell on Pexels.com

Declarations – a key part of conflicts management

Conflicts of interest are all about transparency, or the lack thereof. Declarations are a key component of managing conflicts. Irrespective of whether an employee, contractor, supplier or potential business associate, businesses need to understand what (if any) potential conflicts they may have and work through a process to evaluate them.

Typically, the easiest way of managing conflicts of interest is avoiding them, but this is not always possible. Where a conflict does or may arise, it must be evaluated – sometimes this process can be quite onerous.

The U.S. National Academies of Sciences (NAS) notes that “conflicts are not binary (present or absent)”, and that they “can be more or less severe”. The NAS identifies two factors to assist decision makers when evaluating a conflict of interest declaration, being (a) the likelihood of undue influence by the secondary interest, and (b) the seriousness of the outcome. The NAS presents this useful rubric for assessing confict of interests:

Likelihood of undue interestSeverity of potential harm
What is the value of the secondary interest?What is the value of the primary interest?
What is the scope of the relationship?What is the scope of the consequences?
What is the extent of discretion?What is the extent of accountability?
NAS (2009) – Chapter 2 Principles for Identifying and Assessing Conflicts of Interest

Depending on severity or perceived harm, treating a conflict of interest may require removing the conflicted individual / entity from the decision making process, or in other cases severing the business relationship entirely. Exactly how you need to manage a conflict depends on the situation (noting that in some cases there may be applicable legislation which will also govern this).

Good practice requires organisations to collect information on conflicted individuals or entities regularly – there is no set timeframe for this, but an annual declaration coupled with voluntary event-based disclosures by the affected party if they arise, makes sense for most organisations. Any more frequent and the program can be difficult to manage, whilst a longer gap between declarations can give employees the impression that conflicts aren’t important, as well as meaning the organisation is working on out of date information.

Once conflicts are identified and confirmed, managers of those employees or affected contracts (e.g. vendor managers) must be made aware of the conflict and charged with managing the risk in accordance with the organisation’s agreed treatment plan.

The challenge of detecting undeclared conflicts

Managing declared conflicts can be challenging enough for large organisations, however detecting them is something different altogether. Without a properly structured approach it is possible to spend a lot of time, effort and money without identifying anything conclusive.

Photo by cottonbro on Pexels.com

In the absence of an allegation, such as a tip-off from a whistleblower or competing vendor, organisations seeking to be proactive in detecting potential undeclared conflicts should focus their resources on the business units, processes, people or vendors of highest risk. The ACFE identifies three main types of conflict of interest scheme (Wells, 2007):

  • Purchasing Schemes – where a conflicted party manipulates the victim’s purchasing process to the benefit of the entity to which they are conflicted
  • Sales Schemes – where the conflicted party negotiates discounts or processes write-offs to benefit the entity to which they are conflicted
  • Other schemes – where the conflicted party diverts funds, clients / sales leads, and / or resources such as equipment from their employer to the entity to which they are conflicted for the conflicted entity’s benefit

Each of these categories of scheme is comprised of a number of typologies (perhaps best thought of as variations), some of which are more easily detected than others.

As you can see, conflicts of interest schemes can arise amongst employees in sourcing and procurement or sales and marketing roles; however, this is not exclusively the case. Conflicts of interest are generally quite complex to both detect and investigate. Typical methods of detecting conflicts include fraud data analytics (fraud detection) and investigative techniques including (Wells, 2007):

  • Supplier vetting or due diligence (and comparison of ownership data with employee and contractor names and other indicators, such as phone numbers)
  • Matching of supplier / vendor and employee identifiers (eg.g. Address, phone number data)
  • Identification of employees who are take up employment with a vendor after termination
  • Tipoffs and complaints, including from other disaffected vendors who are losing work as a result of the corruption scheme as well as employees who notice inconsistencies or favouritism

A well designed integrity program, inclusive of appropriate internal controls in key areas (such as purchasing), awareness programs and annual attestations can help mitigate the risk of these insider threats. Perhaps most importantly though, these same practices must extend to third parties, whether a vendor, business partner or other classification. A third party’s employees or contractors in positions which place the contracting entity at risk must be managed and monitored closely, sometimes with even more scrutiny than may be applied to the contracting entities staff – this decision is dependent on where the risk lies, and the inherent and residual rating of that risk.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Business espionage – the sale of intellectual property on the dark web

Posted on by

Paul Curwell, CPP, CFE, CISSP

What is the dark web?

For those who are new to this, concept, the dark web is the third part of the internet which is not indexed by ordinary search engines and requires a specific web browser (a ‘TOR’ browser) to access. The other two parts of the internet are the surface web (what we all think of when we hear the term ‘internet’), and the deep web, which comprises often proprietary databases and data holdings which sit behind a firewall and generally require a subscription or password to access. A database of media articles is one example.

Photo by Pixabay on Pexels.com

There are a number of illicit markets on the dark web selling everything and anything which is illegal in an anonymised way. These illicit markets also include illicit payment mechanisms for financial transactions which bypass the global financial system. Whilst it makes sense that IP would be sold here, until now this is not something I had heard much about aside from the sale of counterfeit products – shoes, medicine, passports etc. My working hypothesis is that much of the stolen IP on the dark web which is not counterfeit product is likely derived from ‘business espionage’.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What is business espionage?

We all know that information is power, but these days it is also a global currency. According to Forbes Magazine, innovation and intangible assets today comprised around 80% of a business’ value in 2014 (Juetten). In recognition of their value, the International Accounting Standards Board (IASB) adopted IAS 38 Intangible Assets in 2001 to prescribe the accounting treatment for intangible assets.

For simplicity here, I refer to all types of valuable business information, intangible assets or intellectual assets as ‘IP’. Business espionage is a term that I have borrowed from Bruce Wimmer (2015) to refer to the theft of commercial information from businesses including ‘industrial espionage’ (companies spying on their competitors) as well as ‘economic espionage’ (theft of IP by nation states for national security purposes).

Photo by cottonbro on Pexels.com

The types of IP that is stolen includes:

Research dataPricing data
Confidential informationCustomer lists
Trade SecretsProduct development data
Engineering schematicsSales figures
Proprietary software codeStrategies and Marketing plans
Chemical formulasCost analyses
‘Know how’Personnel data
Examples of IP targeted by business spies – Nasheri (2005)

If I think about it simplistically, my hypothesis is there are two main ways someone could obtain this IP for sale: licit and illicit. The licit route would arise where a party has access to the IP and is authorised to copy or use that IP for a permitted purpose (such as under license or terms of confidentiality), but then chooses to use that information for a non-permitted purpose. Examples here could include:

  • Where IP is provided to an outsourced service provider or business partner, such as a Contract Research Organisation, Contract Manufacturing Organisation, or IT managed services provider. When a contractual arrangement ceases the IP may not be properly destroyed, and could be used for unauthorised purposes later (such as to win a new contract with a previous customer’s competitor).

In contrast, the illicit route refers to cases where IP is stolen and then onsold. There are a number of potential vectors here including:

  • Theft and / or exfiltration by trusted insiders (such as employees, contractors or suppliers)
  • Targeting of business travellers in hotels, bars, etc
  • Cyber criminals and hackers breach secured networks
  • Opportunistic individuals who find valuable information on an unsecured corporate network
  • Plus other similar examples

So, to recap, we have the scenario where commercially valuable information (IP) has been stolen – sometimes employees steal IP from an employer as they see it as ‘theirs’ and feel they are the legitimate creater or owner of this information, despite typically having assigned their moral rights to their employer via their employment contract. In this scenario, my experience is that employees rarely sell this information to a third party – but they will often use this information for personal advantage in future roles or positions. However, this is not the focus of this post. In this post, we are referring to the theft and sale of commercially valuable information on a large scale.

Photo by Kindel Media on Pexels.com

Is there a criminal value chain behind the illicit market for stolen IP?

It makes sense that someone who has access to sensitive IP which is valuable in the market and who has ulterior motives would want to sell it, but how does this work? Do they sell it exclusively to the highest bidder at auction? Do they sell it multiple times to multiple parties? If you are the highest bidder at auction, how do you guarantee you are the only buyer? Also, how do you guarantee the authenticity or quality of the information?

“It does little good to steal intellectual property if you do not have the expertise to use it”

James Lewis, SVP and director of the Center for Strategic and International Studies’ (CSIS) Technology Policy Program in Gates (2020)

I have so many unanswered questions here, but the presenter I referred to earlier mentioned the prices some buyers pay for stolen IP on these illicit marketplaces is in the millions of US dollars, and that about 90% of the IP on these illicit markets is authentic. These illicit market dynamics mean this is clearly something worth examining further. As a security consultant, part of my job involves ‘thinking like a criminal’ to identify how such a scheme would work – I have developed my hypothesis below based on my experience and knowledge of how other illicit markets work:

© Paul Curwell, 2022

In my hypothesis shown above, I have assumed there is a degree of criminal specialisation in the stolen IP market, as there is in other aspects of cyber crime and cyber fraud. Just with legitimate online marketplaces, if I were a buyer I wouldn’t trust sellers I don’t know or who other people I trust haven’t verified, and I’m not going to pay anything more than a trivial amount or take the risk to buy IP which hasn’t been verified either as authentic (i.e. stolen from the company alleged to have produced it) or not fictional (i.e. garbage content). For a good overview of how online review systems work, look at this Harvard Business Review article from Donaker et al (2019).

In my mind, there must be information brokers who play a ‘trusted intermediary’ role and offer an independent validation and verification services – for a fee. However, this would also require access to pool of experts who would be paid to perform this work (e.g. scientists, doctors or engineers who are specialists in their field and open to a side hustle). Presumably some are complicit and know what they are doing, but are some also told this is legitimate and have no cause to question further? And what about the companies that are happy to take the risk both that the info might be fake and that they might get caught? As it stands I have more questions than answers, but the one thing I know is this is something I will be looking into further.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

What is an ‘IP Audit’ anyway?

Posted on by

Paul Curwell, CPP, CFE, CISSP

Intangible Assets – easily overlooked

I still remember performing my first ever Intellectual Property (IP) audit on my consulting journey. I had just graduated from business school which had opened my eyes to the world of commercialisation and IP assets, and how they could be exploited or misplaced. My client was a large player in global airport infrastructure services, and as part of their work the Executive Officer to the CEO thought it was important to identify and map their IP asset holdings. As I worked my way through the organisation, interviewing staff and cataloguing their IP, I still remember stumbling across the engineering laboratory hidden in one corner of a floor, out of sight.

Photo by Pixabay on Pexels.com

As I spoke to the team members there, I discovered not only did they maintain specialised electronic components for equipment used in delivery of their services, but in their spare time and with discretionary budget the team of engineers worked to invent their own solutions to airport infrastructure problems. This activity flew completely under the radar of the organisation’s executive, meaning not only did their work potentially miss out on dedicated funding which might generate a revenue stream or licensing opportunity for the organisation, but the IP was not properly protected – including from theft should those employees decide to resign and move to a competitor or start their own business.

Photo by RODNAE Productions on Pexels.com

This type of situation is encountered time and time again in Australian businesses. Our level of awareness and maturity in relation to IP is relatively low in most sectors, and my experience has been that in sectors which are aware of the fundamental concepts, IP assets are either managed very selectively or in many cases not at all. As an advanced economy with a strong STEM-based population and research capability, we need to get better at protecting our IP if we are to compete and thrive as a nation in a knowledge-driven world. Completing an IP Audit is one of the first steps to doing this.

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What are intellectual assets?

Intellectual Assets are intangibles that have value to an enterprise including but not limited to “information, intellectual property, credibility and reputation, and brand identity”. Whilst the term ‘intellectual property’ is often used to commonly refer to sensitive information, six types of IP are recognised by the World Intellectual Property Organisation (WIPO):

  • Patents
  • Trade Marks
  • Copyright
  • Industrial designs
  • Geographical Indicators (e.g. ‘champagne’)
  • Trade Secrets

In Australia, we have another category of IP called ‘Plant Breeders Rights‘, and Geographical Indicators are registered under our ‘Certification Trade Mark system‘. Unlike other jurisdictions such as the U.S., Australian law does not explicitly recognise ‘trade secrets’ as a category of IP – instead, ‘trade secrets’ are considered a category of ‘Confidential Information’ (Dighe & Lewis, 2020, Twobirds.com). More on this in a future post.

According to IP Australia, “a trade secret can be any confidential information of value. Unlike other IP rights, trade secrets are protected by keeping them a secret, and are not registered with IP offices. The protection of a trade secret will cease if the information is made public, and trade secrets do not prevent other people from independently inventing and commercialising the same product or process”.

What is an IP audit?

According to the Queensland Government, “an IP audit is a review of the IP owned, used or acquired by an organisation. It aims to find out what IP is within an organisation, who owns it, the value of that IP, its legal status, and what to do with it“. Once identified, in addition to focusing on the legal status of your IP, you also need to understand whether it is adequately protected. For example:

  • Which threat actors might seek to steal or sabotage your intellectual assets? Employees, competitors, nation states (‘economic espionage’) or someone else?
  • What are the actual risks posed by these threat actors? Examples include theft, sabotage and IP infringement.
  • What internal controls do you have in place in terms of your holistic security programs to address the identified threats and risks? These may need to address insider threats, supply chain threats, and external threats (e.g. competitors).
Photo by Mark Stebnicki on Pexels.com

How are IP audits performed?

Once you have decided to undertake an IP audit, you need to develop your scope and methodology. This starts with developing your audit plan and audit team. I find its easier to divide the audit into two or three parts, as follows:

  • Step1 – data collection: systematically catalogue confirmed or potential IP and confidential information in a register. I use the organisation chart as a starting point for this.
    • Tip: its easy to get bogged down and start to catalogue every document. Instead, focus on categories of information (e.g. financials) and then narrow down in key areas.
  • Step 2 – initial assessment: once you’ve compiled your initial register, assess it to remove all unnecessary content by ensuring each entry meets the criteria for an asset. If not relevant, delete it. Hopefully you’re left with a relatively small number of manageable entries, the output of which is your register of ‘critical information assets’.
  • Step 3 – commercial evaluation: use your register of ‘critical information assets’ to review potential commerical opportunities (e.g. licensing), develop monitoring programs for infringement, or even sell the IP Rights to another party if no longer used or relevant to your strategy.
  • Step 4 – risk management: review your register of critical assets to ensure the information is adequately protected. This includes legal provisions (e.g. patents), employment contracts (e.g. non-disclosure and IP assignment clauses), information security programs, and supply chain or third party risk programs. Make sure your critical information assets are appropriately marked, secured (e.g. encrypted), access is controlled, and unauthorised dissemination is limited.
Photo by picjumbo.com on Pexels.com

Using the findings of your IP audit to better protect these assets

All to often, businesses take a purely legalistic approach to protecting their IP and Confidential Information assets. It is important to remember that just because your research is patented or because you have a non-disclosure agreement in place with your suppliers or employees it is not completely protected. Particularly in the case of confidential information, courts expect businesses to have implemented appropriate security programs to safeguard their information – it is not sufficient to rely purely on legal protections in the courts if something happens. Further, this sort of reactive response is not productive, is very expensive, and consumes substantial amounts of time from your board, executives and senior staff – time that could be more productively spent elsewhere.

Prevention and early detection is the key, but to do this you need to understand what your IP assets are (such as via the IP audit process), work out where their associated vulnerabilities or exposures lie (are they limited to your employees or do you divulge this information to your third parties too? if so, who has access…). Then you can wrap a combination of cybersecurity (e.g. networks, systems, encryption) and what I refer to as ‘non-cyber information security’ programs around this to build your protective bubble. These relationships are illustrated below:

Curwell (2002) – the relationship between IP and Confidential Information assets and Security

As you can see, there is more to protecting your IP and Confidential Information than patents, copyright and design rights. If you’re unfamiliar with how to build a program to protect your confidential information, take a look at my previous post here.

Further reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Understanding the risk of organised crime infiltration in your business

Posted on by

Paul Curwell, CPP, CFE, CISSP

What is Serious Organised Crime anyway?

The concept of organised criminal infiltration into your business or supply chain is interesting. I’ve worked with a number of critical infrastructure operators in Australia who have this concern: the nature of their business provides a unique opportunity for criminals to exploit their business, or the employees position, to facilitate their own or others criminal activity. Before we start to get carried away that serious groups like the mafia are infiltrating your business, it’s worth understanding key elements of the ‘spectrum of crime’ which forms a basis for any Threat Assessment:

  • Criminal enterprise – a group of individuals with an identified hierarchy, or comparable structure, engaged in significant criminal activity (FBI)
  • Opportunistic individuals – individuals who take advantage of internal control gaps or weaknesses and opportuinities of circumstance to perpetrate criminal and / or unethical activity (e.g. fraud or business espionage) (Curwell, 2022)
  • Organised criminals – “small, organised networks of entrepreneurial offenders, often transitory in nature, that develop to exploit particular opportunities for illegal profit. These groups vary from temporary associations created to commit a time-limited series of offenses, to enduring businesses that invest in on-going criminal activities” (Eck & Clark, 2013, p28).
  • Organised crime (organised criminal group) – “a structured group of three or more persons, existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit” (Smith 2018 in United Nations 2004: 5).
  • Transnational Organised Crime – those self-perpetuating associations of individuals who operate transnationally for the purpose of obtaining power, influence, and monetary and/or commercial gains, wholly or in part by illegal means, while protecting their activities through a pattern of corruption and/or violence, or while protecting their illegal activities through a transnational organisational structure and the exploitation of transnational commerce or communication mechanisms (FBI)
Photo by Anugrah Lohiya on Pexels.com

Its important to remember that not all crime that happens somewhere like a border, port or airport will be perpetrated by serious organised crime. Anecdotally, a lot of the crime I come across day to day involves opportunistic individuals and organised criminals. These risks are managed through employment screening and internal controls (which might include detection programs – see What can be done about it? below).

Photo by Anete Lusina on Pexels.com

Common activities of serious organised crime – is there a nexus with your business?

Understanding the types of activities which commonly involve serious organised crime groups can help businesses assess their likely exposure to this activity. In the following list, I have compiled a list of offences based on information published by the FBI and ACIC:

  • Bribery
  • Currency Counterfeiting
  • Embezzlement
  • Fraud schemes
  • Cybercrime
  • Investment and financial market fraud
  • Revenue and tax fraud
  • Credit card fraud
  • Superannuation fraud
  • Money Laundering
  • Murder for Hire
  • Drug Trafficking
  • Prostitution
  • Exploitation of Children
  • Organised retail crime
  • Human Trafficking and Slavery
  • Intellectual Property Crime – including Counterfeit Goods
  • Illegal Sports Betting
  • Cargo Theft
  • Sale and distribution of stolen property
  • Murder
  • Kidnapping
  • Gambling
  • Arson
  • Robbery
  • Extortion
  • Tobacco and firearms smuggling
  • Vehicle theft

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

What we know about Serious Organised Crime in Australia today

Access to detailed assessments of the nature and sophistication of serious organised crime in Australia are not publicly available. However, one of the most useful reports is the periodic assessment of Serious Organised Crime released approximately every 5 years by the Australian Criminal Intelligence Commission. This report provides a useful outline of serious organised criminal markets in Australia, as follows:

Illicit CommoditiesSerious Financial CrimeSpecific Crime MarketsCrimes Against the Person
NarcoticsCybercrimeVisa & Migration FraudExploitation of Children
Illicit Pharmaceuticals & AnaestheticsInvestment & Financial Market FraudEnvironmental CrimeHuman Trafficking & Slavery
Performance Enhancing Drugs (e.g. steroids)Revenue & Taxation FraudIntellectual Property Crime
llicit TobaccoSuperannuation Fraud
Illicit FirearmsCredit Card Fraud
ACIC (2017). Serious Organised Crime in Australia, Canberra

Understanding whether your business, including your supply chain, has a nexus with any of these criminal markets will help inform your threat and risk assessment process in relation to organised criminal infiltration. As with assessing physical security of your office premises or facilities, you may not have a direct nexus with organised crime but your suppliers or neighbouring businesses might. This creation of an indirect nexus should also be considered, as this could have adverse reputation, safety and disruptive effects on your business, employees or customers.

The role of criminal enablers

Some organisations may not be directly of interest to OCG, but they may be recognised as having something or someone who can enable or facilitate their objectives. Examples here include access to information, professional facilitators (eg. lawyers, accountants, trust & company service providers), systems (eg being able to change a database record in a third party system), or sub-leasing warehouse or storage space.

The Australia Criminal Intelligence Commission identifies six enablers of serious and organised crime (ACIC, 2017):

  • Money laundering
  • Technology
  • Professional facilitators
  • Identity crime
  • Public Sector corruption
  • Violence and intimidation

Enablers can be targeted by organised crime either directly (eg group leases warehouse space for its own activities) or in relation to employees in key positions. Employees who have some sort of vulnerability, either at home or at work, may be coerced, bribed, intimidated or extorted to perform acts at the direction of a group.

Photo by ThisIsEngineering on Pexels.com

What can be done about the risk of organised criminal infiltration?

So far in this post, we’ve demystified what constitutes serious organised crime, the types of activities (offences) commonly associated with this activity, the criminal markets where organised crime groups are found, and the professional intermediaries and enablers who might knowingly (or unknowlingly) support them. The next question is what to do about it.

The starting point for any business leader concerned about potential organised criminal infilitration in their business is a thorough, objective and factual assessment of the threats and risks, and their associated likelihood and consequence. Once understood, a proper security plan can be implemented to mitigate these risks.

With infiltration by organised crime there is a potential insider threat. This can materialise within both the employee and contractor / third party populations, including within the extended supply chain. This also needs to be considered when scoping any assessments. Suggested actions for businesses concerned about organised criminal infiltration include:

  1. Perform a Threat Assessment to map your ‘threat universe‘ (i.e. who is likely to target your organisation), and why
  2. Undertake a Security Risk Assessment, which incorporates identifying critical assets, vulnerabilities (control gaps), consequence and likelihood (i.e. which of your assets might serious organised crime groups actually consider attractive) for the various threats identified in the Threat Assessment. For risk such as product theft or product diversion, don’t forget to assess if your products are CRAVED.
  3. Undertake a Personnel Security Risk Assessment – this is commonly separate to your Security Risk Assessment, but identifies high risk positions and roles in the organisation which give acceess to your critical assets, and the types of employment screening (background investigation) and continous insider threat detection programs that may be required to mitigate the risk
  4. Perform due diligence on prospective and current employees, contractors, suppliers and business partners / third parties based on the risks idenitifed in your Security Risk Assessment and Personnel Security Risk Assessment.
  5. Develop a robust intelligence and security program to monitor for ongoing changes to your organisation’s threat landscape (including building capabilities such as media monitoring), and where appropriate, develop partnerships with police and security agencies to help mitigate the risk to within your organisation’s risk appetite.

Following these steps will ensure you know where you need to focus your security effort and resources. It may be that your greatest risk is that of opportunistic individuals and organised criminals (including trusted insiders and employees or contractors of your third parties or business partners) and not serious organised crime, requiring a different treatment strategy. If in doubt, seek assistance from an appropriately qualified professional who is licenced by the State Police to give security advice in the relevant Australian jurisdiction. If in doubt, have a read of this advice from ASIAL, the Australian Security Industry Association.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.