Tag Archives: Sabotage

Mitigating risks from workplace sabotage

Posted on by

Paul Curwell, CPP, CFE, CISSP

Workplace sabotage as an insider threat

My post ‘Product Tampering: A form of Workplace Sabotage’ defines sabotage as “to damage or destroy equipment, weapons, or buildings in order to prevent the success of an enemy or competitor” (Cambridge Dictionary).

When I think about how sabotage can occur in the workplace I find it easier to decompose it into three categories (which align to targets) for the purposes of prevention, detection and response:

  • Physical sabotage – intentional damage to a physical thing, such as critical, infrastructure, or device
  • IT sabotage – involving international damage to IT equipment or networks, software etc
  • Data sabotage – intentional destruction or compromise of valuable information or data, such as Intellectual Property or research data

Sabotage is typically discussed in a wartime context where either enemy agents or special forces, or alternately sympathetic or compromised insiders, do something to benefit a foreign power (for further discussion on threat actors see my previous post). However, we are increasingly seeing acts of sabotage being performed in the workplace.

Malicious insiders are well placed to commit workplace sabotage

Acts of workplace sabotage can be perpetrated in person (on-site) or virtually (online). From an insider threat context, we are likely to see cases of workplace sabotage involving disaffected employees, such as:

Does this article resonate with you? Please vote below or subscribe to get updates on my future articles

Interestingly, in its 2006 study CERT refers to workplace IT sabotage as ‘trust betrayal’ and also places espionage in this category, however the paper is silent on including fraud. Fraud is probably the most common form of breach of trust in the workplace.

Don’t forget that workplace sabotage can also be perpetrated by staff members of your suppliers (see here)

To understand sabotage in more detail, we need to examine the elements of this offence.

Sabotage offences in Australia

Sabotage is a criminal offence in Australia at both the federal and state / territory levels. Under Section 82 of the Criminal Code 1995 (Cth), the main elements (abbreviated) of sabotage offences include:

  • Intentional damage, destruction or impairment of any thing, substance or material (‘article’) used in connection with Australia’s defence
  • Intentional or reckless conduct which results in damage to critical infrastructure with a nexus to a foreign government or its principal
  • Intentionally or recklessly introducing a vulnerability into an article, thing or piece of software that has a critical infrastructure or national security purpose which makes it (a) vulnerable to misuse or impairment or (b) capable of being accessed or modified by someone not entitled to do so
  • Preparing for, or planning, a sabotage offence
  • Any instances of the above with a foreign nexus, including financing, support, oversight or participation

Under Commonwealth legislation, damage to public infrastructure includes anything that: destroys, interferes, results in loss of function or becomes unsafe / unfit for purpose, becomes unserviceable, is lost, limits or prevents access, becomes defective or contaminated, results in a degradation in quality, or causes serious disruption of an electronic system. This definition is quite broad and all-encompassing.

Image of public infrastructure

Some offences involving specialist products, such as food, pharmaceuticals or medical devices, may be considered acts of sabotage to the layperson, however these are actually criminalised under various product tampering offences. You can read more about this in my previous post.

How to investigate alleged sabotage in the workplace?

Whilst there is increasingly more research into workplace sabotage, there is very little in the literature on how to actually investigate such offences. This is likely because the majority of similar cases have a nexus to national security and would not be publicly available. However, there is some publicly available US Government guidance which I have adapted below in the following investigative strategy:

  • Preserve all evidence as quickly as possible in accordance with local laws and regulations
  • Who – determine the person(s) of interest (POI), including those with means, motive and opportunity and any facilators. Was the perpetrator an individual or part of a group? Background investigations should be performed as required
  • What – identify the actual target and qualify the extent of damage, noting the affected asset may not actually have been the intended target
  • When – confirm the exact time and date of the incident (or as close as possible) and begin building a time-event chart to document developments
  • Where – be clear on the precise location and understand any surrounding activities which may have influenced choice of target
  • Why – try to understand the reasons or rationale for the incident and the intended target, including consideration of motive and opportunity
  • How – understand the type of sabotage involved and methods used. This will likely involve a combination of investigation, analysis and technical examination
  • Was there any communication with the media, social media or internal office communications (a) indicating the POI(s) planned or was planning the act of sabotage, or (b) claiming responsibility?
  • Is there a foreign nexus such as direction, oversight, funding, communication or logistics?

The investigative steps above need to prove or disprove each element of the offence (previous section), meaning investigators need to prove the POI(s) did, tried, or intended to cause harm or damage or were reckless their actions.

Investigator analysing evidence

Can insider threat detection systems identify workplace sabotage before or during an event?

Having an understanding of what workplace sabotage is and how it typically occurs, we can turn our minds to how to detect it. There are quite a number of insider threat detection vendors on the market who claim their systems can do this, and there has been a number of academic studies performed in this area, primarily by Carnegie Mellon University (SEI CERT). In a follow up to this post, I will explore these concepts in more detail.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

HUMINT cycle and the recruitment of insiders

Posted on by

Author: Paul Curwell

Introduction

Employees are an organisation’s most important asset: they are what enables organisations to generate value, respond to opportunities and threats in the operating environment, and create a positive culture which attracts other would-be employees and potential customers. Employees are also crucial to security: when conditions are right, employees help build a positive security culture which enables management to quickly identify and respond to security threats.

In the same manner that security would not be necessary if people did not exist, a security program cannot be successful without the support and active participation of its employees. It goes without saying then that an employee who ‘goes rogue’ and becomes malicious (i.e. intends to do harm), or an employee who doesn’t care about their employer or its security practices (i.e. a complacent employee) can do real harm if approached by an external individual or group wishing to gain ‘inside access’ to the organisation and its assets.

What is the HUMINT cycle and who uses it?

Human Intelligence, or HUMINT, techniques are an example of the tactics typically deployed in this scenario to exploit human vulnerabilities. HUMINT refers to the collection of intelligence by humans – principally spies and agents using methods that involve 1:1 contact.

The HUMINT cycle involves four main steps (illustrated below) which might commence with a broad scan of all employees at an organisation, for example, but rapidly narrow down to one or more individuals with both (1) the access to the desired assets or information and (2) the personal characteristics or ideological sympathies which make them amenable to recruitment (See Sano, 2015)

Importantly, undertaking HUMINT and the use of HUMINT techniques is not limited to governments, but also commonly employed in business by ‘competitive intelligence’ practitioners or ‘Private Intelligence Collectors’. ‘Private Intelligence Collectors’ and unscrupulous competitive intelligence professionals often use HUMINT techniques, as well as any other intelligence collection mediums in their toolbox, to collect confidential information that will either be sold to another party (such as the highest bidder) on commission, or which is collected under the paid instruction of the intended recipient.

For a classical HUMINT example, consider a woman who seduces a male chemist at a pharmaceutical company to provide, or facilitate access to, details of a new blockbuster drug compound under development by the pharmaceutical company (referred to in the trade as a ‘honey trap‘). Other threat actors who use HUMINT techniques include organised crime groups, issue motivated groups and terrorists.

How can the HUMINT cycle be leveraged for insider threats?

Once the HUMINT collector has identified (spotted) their target, they begin engaging with them to build a rapport and develop a relationship. Importantly with HUMINT, it may not be necessary to actually recruit the target (or someone who has access to the ultimate target) in order to achieve their objectve. In some instances, the required information can be obtained without the need for a formal and risky recruitment pitch.

It is particularly important to incorporate these learnings into any insider threat awareness training, as employees who are aware of steps taken by HUMINT collectors are more likely to be aware to them, and to be able to seek help early. Examples of ways (vectors) HUMINT collectors might obtain the information they require can include:

  • Infiltration – getting an ‘agent’ or sympathiser of the HUMINT collector (or their cause) into the organisation through standard recruitment processes, as a contractor, or via a supplier
  • Elicitation – refers to techniques used by HUMINT collectors to obtain information from a target without them knowing or realising it, which results in them volunteering the information rather than being asked directly
  • Social engineering – involves the use of deception to manipulate someone into disclosing confidential information, either in a business or personal context
  • Spear Phishing and Phishing scams – can involve the use of legitimately-appearing emails (or even SMS messages, in the case of vishing) to introduce malware into an otherwise secure computer network, allowing later exfiltration of that information. Unlike Phishing which is more general, Spear Phishing is highly targeted and focused on an individual with access to the target, such as a senior executive

There are a variety of forums in which HUMINT collectors operate, including via ‘official’ or business-events, and through social personal interaction. These might include:

  • Conferences and trade shows
  • Professional Associations
  • Clubs and social associations
  • Universities
  • Social Media platforms
  • Emails
  • Unsolicited phone calls

When performing any insider threat or security related risk assessments, organisations need to consider what are their most critical assets, who might be interested in them, and how might they obtain them (i.e. what forums, mediums or platforms). Once this is thoroughly understood, awareness training and incident reporting mechanisms can be clearly established and targeted.

What can organisations do to manage this threat vector?

Complacency is a big driver of insider threat incidents, so it is critical that organisations develop a good security culture and that ‘at risk’ employees have a good understanding of the threats and tactics which may be used against them.

The regular use of security awareness training across the organisation as a whole, supported by targeted training for ‘at risk’ teams, is critical to ensuring these threats remain front of mind.

Staff in ‘at risk’ teams, as well as managers, should be familiar with insider threat behavioural indicators which can suggest an employee or contractor is experiencing some difficulty in their personal life, which might make them vulnerable to exploitation. Early identification of these problems, when raised properly (such as through employee wellbeing programs), might mitigate these risks.

Photo by Sora Shimazaki on Pexels.com

Good security culture is also critical for organisations, ensuring employees understand why security is important, what the threats may be to their organisation, and what they can do to help protect their organisation. For employees to play their part, they often also need to feel trusted and engaged with their employer, otherwise complacency may set in and potential threats selectively ignored.

The preceding paragraphs focus on what organisations can do to mitigate insider threats once they are already in the organisation (i.e. employed or contracted), however equally important is the use of employment screening (‘background investigations’ or ‘background checks’) to prevent individuals with vulnerabilities or unwanted character traits joining the organisation in the first place. Any discussion on background checks is an article in itself, and will be addressed through a future post, however readers who want to more detail (including a model process) can read the chapter on ‘due diligence’ in my recent book co-authored with Oliver May.

Further Reading

Sano, J. (2015). The Changing Shape of HUMINT, AFIO’s Intelligencer Journal, Vol. 21, No. 3, Fall/Winter 2015. www.afio.com

DISCLAIMER: All information presented on @ForewarnedBlog is intended for general information purposes only. The content of @ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon @ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

When values collide: employee / employer values conflicts as a source of insider threat

Posted on by

Author: Paul Curwell

Introduction

Within any organisation, it is typical to find employees with a diverse range of views on all manner of political and social issues. The rise of social media has made it easier for us to share our views, both inside and outside of the workplace, creating potential for employees to post material or views which may conflict with their employer’s policies, contract of employment, or even their fiduciary duties as an employee. Additionally, we are in an era of increasing global consciousness around big-ticket items, such as climate change, corruption and personal freedoms (e.g. Arab Spring) and social / economic equality (e.g. Occupy Wall Street) which are serving to rally people to behind a cause.

low angle photograph of the parthenon during daytime
Photo by Pixabay on Pexels.com

Importantly, there is nothing wrong with each of us having these views and sharing them appropriately, such as in public debate. However, in my view it is inevitable that at some point, conflict will arise between the employee and their employer unless they are broadly aligned in terms of views and values. As an individual and as a people leader, I have always maintained it is essential that employees be able to identify with the values and mission of their employer, otherwise employee engagement and satisfaction will decline.

Values can also change over time, and it may be that the values alignment which existed upon commencement of employment is not there some years later. Increasingly in Australia, we are seeing cases where employees or contractors disagree with fundamental positions of their employer, and are proactively doing something about it which is in breach of their legal obligations to their employer. This activity constitutes an ‘insider threat’ which needs to be managed carefully.

So sort of issues are we referring to here?

The landscape of these causes is continually evolving as society evolves. Historically, those causes with a tendency to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important have been referred to as “issue motivated groups” (IMGs), however I note this term is no longer mentioned in recent annual reports or in the ASIO Act. In 2011, then Director General of Security, Mr. David Irvine AO, defined it as follows in response to a question posed within the Australian Parliament:

“Issue motivated groups is a term we use within ASIO to describe those groups who conduct activities that might lead to violence or to activities that are prejudicial to security”

Mr David Irvine AO, 18 October 2011. See below for full citation.

Every single human is an individual, and we all express a diversity of views which makes our global society what it is today. There is nothing wrong with each of us having our own views, but it gets complicated in terms of insider threats when (1) our views put us in direct conflict with those of our employer, or (2) we start to use violence or extreme violence (e.g. methods commonly associated with terrorist acts) to promote our causes. This form of insider threat is particularly pernicious given the potential ways an insider threat can manifest, including:

  • Workplace sabotage – either to data, systems, physical assets, or reputation, with the aim of having the organisation stop doing something or to draw public attention to it
  • Information leaks / unauthorised disclosure – including providing information on business activities, staff movements, senior staff personal details (e.g. home addresses), or security measures which would make the organisation more vulnerable to attack
  • Espionage-like activities – where the employee is effectively a mole or plant willing to act on the instruction of an external party. This includes the intentional infiltration of highly motivated threat actors into an organisation through the recruitment process or supply chain
  • Soft issues’ – such as ‘go slows’ (e.g. in-action) in the workplace which effectively means the employer is hindered in achieving its objectives by its workforce
people rallying carrying on strike signage
Photo by Martin Lopez on Pexels.com

This challenge is not limited to employers and their contractors, it is also pervasive throughout the supply chain which substantially increases their vulnerabilities, as illustrated by this quote:

Ben Pennings from Galilee Blockade said they now had almost “too much information” from insiders after their “dob in a contractor” campaign.

Robertson, J. (2019). Adani mining insider reveals she is leaking material to environmental activists, ABC News. See below for full citation.

Often, contracting organisations (employers) limit the scope of their involvement or oversight in their suppliers security to a few lines in a contract, stating the supplier should have a security or risk management program. Mature organisations will prescribe security standards for their suppliers, and even more mature organisations will audit this compliance through standard vendor auditing programs.

So what types of causes have historically attracted this type of focus?

The spectrum of causes and issues which can result in insider threats of this nature are broad and constantly evolving. Examples of some of these issues include:

  • Environmental protection and climate change
  • ‘Right to life’ movements
  • ‘Occupy Wall’ Street
  • Social equality movements
  • Animal rights and animal testing
  • Fossil fuels

To reiterate once again before a reader shoots me down, there is nothing wrong with exercising your democratic rights to freedom of speech and peaceful protest. This does become an issue, however, when violence or other criminal acts are involved, including within the workplace. Typically these sorts of issues can be plotted on a spectrum, and an employee may move from left to right (and back again) on this spectrum over time as their views and the actions of their employer evolve. My interpretation of this spectrum is illustrated below:

Created by Paul Curwell (2021), copyright.

Organisations which are involved in socially or politically contentious policies or activities will almost certainly know this, but it is common to find these considerations not incorporated into a threat or risk assessment. Even rarer is consideration of these matters within contracts with vendors and supply chain risk.

Any work performed in this area should have oversight from a diverse management committee and not be driven by a security function alone. Whilst a security team might have the best of intentions and undertake work in this area that is fair and balanced, perceptions of those not involved in the process may be different which could undermine the outcome and ultimately have a detrimental effect on employee satisfaction and performance more broadly.

What can organisations do to manage this issue?

Firstly, its important that employers have clear policies and guidance available for staff (and suppliers) on these matters, and that they are regularly communicated and fairly enforced. To maximise employee support, transparency and employee consultation for any new policies are critical. These principles are standard for any workplace policy. Policies should extend to conflicts of interest (actual and perceived) for employees, particularly those who are active outside of work in forums or associations where they are exercising their democratic rights. These employees, in particular, need clear guidance and management support to ensure they do not unintentionally stray into the orange zone of the spectrum (see above). It is also important that employers develop and clearly communicate a policy and framework for how any workplace incidents will be managed.

Secondly, employers need to have a clear understanding of the risks including:

  • Assets (information, people, systems, facilities, products, reputation) that need protecting
  • What the risks actually are and how they may manifest
  • The likelihood of them manifesting, which will change over time and therefore require regular oversight
  • The coverage of internal controls and the effectiveness of these controls (i.e. are there gaps and do these gaps create unacceptable vulnerabilities)
  • Are there any teams / unique positions that are more at-risk than others? For example, someone with strong views but who is not in a position to do harm in the workplace may need to be managed differently to someone with strong views who is in a position to do harm
two women in front of dry erase board
Photo by Christina Morillo on Pexels.com

Third, insider threat management starts before the employment contract is signed and continues after an employee or contractor has left the organisation until the potential for harm can be satisfactorily reduced. This means:

  • You need to consider this risk when designing your Employment Screening / Employee Due Diligence program.
  • Employee Screening should be undertaken before a contract of employment is issued, periodically during employment (e.g. annually), in response to a workplace incident or other trigger (i.e. by exception), and upon termination of employment (to understand what, if any, risks the recently departed employee may post).
  • Don’t forget suppliers, vendors and contractors pose similar risks (potentially more if they have access to critical assets / processes and no oversight). This requires consideration starting with vendor selection through to contracting, operations, and termination of a supplier contract.
  • Insider Threat Detection programs need to be designed to focus on critical assets and the organisation’s highest risks. Not all parts of an organisation may require the same control coverage or risk mitigation.
  • Independence may be critical to ensuring employee support on key initiatives such as ongoing due diligence. You may need to use an independent, objective third party to perform your due diligence to ensure only those findings involving employees which are material to any threat assessment make it onto an employer’s records.
  • Employers should ensure they, and any service providers, comply with the Privacy Act 1988 (Cth) and its Permitted General Situations (Chapter C) when performing this work.

Lastly, ensure your Insider Threat Program incorporates views from a diverse range of stakeholders. The need for this diversity highlights the importance of having an Insider Threat Management Committee made up of representatives from different functional areas, including the business and center functions such as HR, legal, IT and security, rather than actions being driven by security or fraud functions alone.

Further Reading

DISCLAIMER: All information presented on @ForewarnedBlog is intended for general information purposes only. The content of @ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon @ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Product Tampering: A form of workplace sabotage

Posted on by

Author: Paul Curwell

Sabotage, as it is in general use today, means “to damage or destroy equipment, weapons, or buildings in order to prevent the success of an enemy or competitor” (Cambridge Dictionary) and is commonly associated with war or nation state espionage. However, the origin of the word reportedly comes from the industrial revolution, where exploitation of workers was rife with underpayment (or non-payment) of wages and poor industrial safety conditions. French shoemakers wearing sabots reportedly rebelled, damaging and / or destroying their employer’s manufacturing equipment it in the process, becoming ‘saboteurs’.

Since this time, there have been countless instances of sabotage outside of war, particularly relating to either industrial or environmental action. Some acts of industrial sabotage are caused by employees, contractors or suppliers (trusted insiders), whilst others have been perpetrated by customers or unrelated parties as outlined in an interesting article from CNBC in Canada.

So what is product tampering anyway?

‘Product Tampering’ is a form of sabotage, and refers to actions taken to interfere with a product designed for use, or consumption, by the general public. Many industrial cases of product tampering involve food, pharmaceutical or medical products. Product Tampering can occur during or after manufacture (i.e. at any point in the supply chain until it reaches the End User), and is addressed under at least two pieces of Australian Legislation:

  • The Therapeutic Goods Act 1989 (Cth) defines both to ‘tamper’ and ‘product tampering’ in the context of manufacturers failing to report and / or recall. In Australia, the definition of ‘therapeutic goods’ includes medicines, medical devices, disinfectants and other goods such as blood products.
Therapeutic goods can be subject to tampering.
Photo by Karolina Grabowska on Pexels.com

  • Tamper therapeutic goods are tampered with if: (a) they are interfered with in a way that affects, or could affect, the quality, safety or efficacy of the goods; and (b) the interference has the potential to cause, or is done for the purpose of causing, injury or harm to any person (Therapeutic Goods Act 1989 Section 3, Australia).
  • Meaning of actual or potential tampering  – in relation to therapeutic goods, means: (a)  tampering with the therapeutic goods; or (b)  causing the therapeutic goods to be tampered with; or (c)  proposing to tamper with the therapeutic goods; or (d)  proposing to cause the therapeutic goods to be tampered with.
  • The offence of contaminating goods (actual or threatened) with the intent to cause public alarm or anxiety is captured under Part 9.6 – Contamination of Goods of the Criminal Code Act 1995 (Cth), which creates three categories of offence, each of which can potentially result in up to 15 years imprisonment:
    • Contaminating Goods (Section 380.2)
    • Threatening to Contaminate Goods (Section 380.3)
    • Making false statements about Contaminated Goods (Section 380.4)
  • Australia’s food system is defined as part of our ‘Public Infrastructure‘ under Division 82 of the Criminal Code Act 1995 (Cth), which pertains to Sabotage offences primarily in relation to National Security.

2018: the year Australian’s found sewing needles in their strawberries

On 9th September 2018, media reports started to emerge with stories claiming punnets of Australian strawberries were found on the shelves of Australian supermarkets with metal sewing needles stuck in the fruit. If consumed by an unsuspecting customer, the sewing needles could cause severe injury, potentially worse.

Australia was subject to a product tampering incident involving strawberries in 2018.
Photo by Pixabay on Pexels.com

Initial reports of the contaminated berries came from a small number of shops, suggesting the tampering could have happened locally (i.e. by a person walking into a number of stores and inserting the needles without being detected). However, as the incident evolved, consumers and stores across multiple states started reporting tampered products, indicating contamination occurred much earlier in the supply chain either at the point of manufacture and packaging (i.e. the strawberry farm) or at some distribution point.

Media reports quote Police as having identified somewhere between 186 and 230 instances of contaminated strawberries. On 11 November 2018, a 51-year old female supervisor at a Queensland strawberry farm was arrested, and subsequently charged with 7 counts of Contaminating Goods under the Crimes Act 1995 (Cth). At a bail hearing, the Magistrate was quoted by the media as stating the Crown alleged the perpetrator was “motivated by spite or revenge” over a “workplace grievance”. Whilst I couldn’t find any court documents indicating the case had proceeded to trial at the time of this article, readers who are interested in learning more about the case can find a collection of related articles here.

woman standing in front of assorted fruits displayed
Photo by Clem Onojeghuo on Pexels.com

So what can (should) businesses do to manage the threat of product tampering by trusted insiders?

Australia’s 2018 Strawberry Tampering incident was described by Food Standards Australia and New Zealand as a “best case scenario as the tampering was evident and the product packaged” (p. 8). Much of this ‘follow-up report to Government‘ focused on vulnerabilities in the Supply Chain, and the need for improved Supply Chain Security in the Food Sector. However, the report is silent on this incident being caused by an allegedly disgruntled employee, and is silent on this incident being effectively an insider threat.

For companies that make products, implementing a Supply Chain Security Program, such as that outlined in ISO 28000:2007, is critical to helping manage risks from the stage of ‘raw material / ingredient’ inputs through to manufacturing, distribution, transportation, retailing, and ultimately the End User. Additional guidance can also be sought from Product Liability Insurers: Liberty Specialty Markets is a leader in Australian product contamination insurance through their Crisis Management cover. However, I am yet to encounter a Supply Chain Security Program which incorporates prevention and detection aspects such as ‘behavioural indicators’ found in an Insider Threat Program when considering security risks arising from employees and contractors.

For example, could greater awareness of the behavioural indicators associated with disaffected or aggrieved employees have enabled line managers in Australia’s strawberry tampering to spot the employee’s changing behaviour? Based on the outcomes of research into many other types of insider threat, I suspect the answer would be yes. To effectively manage the risk of workplace sabotage in the form of product tampering, organisations which create or deal in things (‘products’) as opposed to services need to combine elements of a traditional Supply Chain Security Program with the missing elements of an Insider Threat Program. Unfortunately, all to often product tampering issues are viewed from a purely supply chain lens which overlooks the involvement by a trusted insider.

Further Reading

  • 9 News (n.d.). Strawberry Needles: Food Recall, Collections Page, 9news.com.au
  • Australian Associated Press (2018). Women charged with strawberry needle contamination sought revenge, court told. Published 12 November 2018, The Guardian
  • BBC News (2018). Australia strawberry scare: Accused saboteur ‘motivated by spite’, 12 November 2018. BBC News
  • Criminal Code Act 1995 (Cth), Federal Register of Legislation.
  • Food Standards Australia and New Zealand (2019). Strawberry tampering incident Debrief 1 May 2019: Follow-up report to Government, www.foodstandards.gov.au
  • International Standards Organisation (2007). ISO 28000:2007 Specification for security management systems for the supply chain, www.iso.org.
  • Liberty Specialty Markets Australia (2021). Crisis Management Insurance.
  • Schwartz, D. (2012). 5 major product tampering cases. CBC News Canada
  • Therapeutic Goods Act 1989 (Cth), Federal Register of Legislation

DISCLAIMER: All information presented on @ForewarnedBlog is intended for general information purposes only. The content of @ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon @ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.