
Do we really know our colleagues?

In April 2023 a young, bright, unassuming US junior airman from a military family appeared in court accused of leaking the latest highly sensitive classified intelligence documents. He follows in the footsteps of others such as Edward Snowden, Chelsea Manning and Julian Assange.

Aside from the wide-reaching consequences of the data becoming public, the question for internal auditors is do we really know our colleagues?

Cybersecurity and the risk to data is evergreen. It has been the top risk in Risk in Focus since 2019, the area where internal audit spends most of its time, and is forecast to remain the top risk into the future.

When we think of controls, prevention and detection, considerable effort is given to protecting the outer layer of the onion from penetration – from external threat.

But what about the internal threat?

The person you talk to at the coffee machine, the regular Friday MS Teams call with colleagues in second line functions or the account manager for your outsourced payroll function…what threat do they pose?

The term "insider threat" refers to the risk posed by individuals who have legitimate access to an organisation's sensitive data but misuse that access for unauthorised purposes. This can include employees, contractors, or other individuals who work within your organisation. The insider threat can arise from various motivations, including financial gain, revenge, ideology, or simply negligence.

Three common types of data leaks include:

  1. Intentional - deliberate actions by employees or contractors to disclose sensitive data without authorisation such as selling to competitors, leaking to the media/posting it on social media or using it for personal gain.
  2. Negligent - accidental data leaks caused by carelessness or lack of awareness such as sending sensitive information to the wrong recipient, leaving confidential documents unsecured, or using weak passwords that are easily hacked.
  3. Social Engineering - leaks that occur when external actors manipulate employees or contractors to disclose sensitive information such as phishing attacks.

A basic control is continuous monitoring of system access logs to detect unusual events or patterns of behaviour, not limited to access itself but extending to the transfer of files to personal email accounts or their download to devices. Where data is highly sensitive, are personal devices such as mobile phones prohibited? This is common practice in call centres where personal data is concerned, but what about data that is commercially sensitive or a matter of national security?
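The monitoring described above can be expressed as a handful of detection rules run over access and egress logs. The following is an added example, not code from the article or any product it mentions: it parses a constructed log format (timestamp, user, action, key=value fields) and flags confidential attachments sent to non-corporate mail domains, bulk downloads of labelled files within an hour, and out-of-hours access to confidential files. The corporate domain, thresholds and working hours are assumptions to be tuned to your own environment.

```python
"""Added example: rule-based insider-threat detection over access/egress logs.

Log format, timestamps, users and thresholds are all constructed for
illustration; they are not taken from the article.
"""
from collections import defaultdict
from datetime import datetime

CORPORATE_DOMAINS = {"example.co.uk"}   # assumption: the organisation's own mail domains
BULK_DOWNLOAD_THRESHOLD = 5             # assumption: confidential downloads per user per hour
WORK_HOURS = range(7, 20)               # assumption: 07:00-19:59 is normal working time

# Constructed sample log lines (one event per line; not real data).
SAMPLE_LOG = """\
2023-04-12T09:15:02 jdoe EMAIL_SENT to=partner@example.co.uk attachments=1 label=internal
2023-04-12T09:40:11 jdoe EMAIL_SENT to=jdoe.home@gmail.com attachments=3 label=confidential
2023-04-12T10:02:45 asmith FILE_DOWNLOAD path=/finance/q1_forecast.xlsx label=confidential
2023-04-12T10:03:01 asmith FILE_DOWNLOAD path=/finance/q1_actuals.xlsx label=confidential
2023-04-12T10:03:20 asmith FILE_DOWNLOAD path=/finance/board_pack.pdf label=confidential
2023-04-12T10:04:05 asmith FILE_DOWNLOAD path=/finance/payroll.csv label=confidential
2023-04-12T10:04:30 asmith FILE_DOWNLOAD path=/finance/contracts.zip label=confidential
2023-04-12T10:05:00 asmith FILE_DOWNLOAD path=/finance/vendors.xlsx label=confidential
2023-04-12T23:30:00 bjones FILE_ACCESS path=/hr/disciplinary_cases.docx label=confidential
2023-04-12T14:00:00 bjones FILE_ACCESS path=/hr/handbook.pdf label=internal
"""


def parse_line(line):
    """Turn one log line into a dict: ts, user, action plus any key=value fields."""
    ts, user, action, *fields = line.split()
    detail = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, **detail}


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the events in log_text."""
    alerts = []
    recent_downloads = defaultdict(list)  # user -> timestamps of confidential downloads in the last hour

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        confidential = ev.get("label") == "confidential"

        # Rule 1: mail with attachments leaving for a non-corporate domain
        if ev["action"] == "EMAIL_SENT" and int(ev.get("attachments", 0)) > 0:
            domain = ev["to"].rsplit("@", 1)[-1].lower()
            if domain not in CORPORATE_DOMAINS:
                alerts.append(("external_email_with_attachments", ev["user"], ev["to"]))

        # Rule 2: bulk download of confidential files within a sliding one-hour window
        if ev["action"] == "FILE_DOWNLOAD" and confidential:
            window = [t for t in recent_downloads[ev["user"]]
                      if (ev["ts"] - t).total_seconds() <= 3600]
            window.append(ev["ts"])
            recent_downloads[ev["user"]] = window
            if len(window) == BULK_DOWNLOAD_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append(("bulk_download", ev["user"],
                               f"{len(window)} confidential downloads within 1 hour"))

        # Rule 3: confidential material touched outside working hours
        if ev["action"] in ("FILE_ACCESS", "FILE_DOWNLOAD") and confidential \
                and ev["ts"].hour not in WORK_HOURS:
            alerts.append(("out_of_hours_access", ev["user"], ev["path"]))

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:32} {user:8} {detail}")
```

On the sample data this yields three alerts: jdoe's confidential attachments to a personal webmail address, asmith's fifth confidential download in a few minutes, and bjones opening a disciplinary file at 23:30. In practice the same rules would run inside a SIEM or DLP tool against real mail gateway and file server logs, and the thresholds and working-hours window are the parameters an auditor should expect to see documented and periodically reviewed.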

Background checks are also a mitigation against intentional leakage: screening employees and contractors as part of the recruitment process, but also before granting access to sensitive data. How often does your organisation repeat this? Is the sensitivity of your data sufficient to warrant detailed checks? Circumstances change over time - debt, addiction, hobbies, relationships, beliefs and values – all of which alter a person's risk profile. In addition to formal checks, managers should always be alert to changing circumstances that people talk about, such as family members being unwell, the impact of the cost of living crisis, growing credit card debt, out-of-character discontent with the establishment, etc.

Risk-based checks of this nature (criminal history, credit history, relationship status, blood tests) are sensitive. They require adherence to applicable laws and regulations, as well as respect for individuals' privacy rights. It is recommended to seek legal counsel or HR expertise to ensure that your organisation's background check process, e.g. DBS checks, is compliant and conducted in a fair and consistent manner.

In some environments or in specific situations, monitoring employee behaviour such as e-mail communications and file access may also be appropriate. As with background checks there are strict protocols that need to be in place for this type of control.

Does this sit counter to your organisational culture of trust and respect?

Does it seem a little too close to 1984’s Big Brother?

Does the abundance and value of data in the modern era outweigh the notion of trust?

It is a risk-based decision at the end of the day. It applies equally to fraud as it does to data theft, as there is overlap in the motivation, opportunity and rationale.

Other mitigations include:

  • Role-based access controls that limit access to the minimum necessary to perform a role.
  • Ongoing awareness training including phishing tests, best practice, password management etc.
  • Data encryption and two-factor authentication, so that data remains protected in the event of a breach or leak.
  • Retention of necessary data only with regular purging of systems.
  • Create a confidentiality culture whereby all employees have responsibility for data risks and report suspicious activity. An organisational culture with trust and respect as key values will enable colleagues to speak up without fear either to management or through a whistleblowing process.

In our digital age, the risk of colleagues leaking sensitive data is a serious concern for any organisation. It requires a proactive and multi-layered approach to mitigate the risk effectively. Data security is a continuous process.

Regular reviews and updates to security measures are essential to stay ahead of potential threats.

And internal auditors should always apply their professional scepticism.

Content reviewed: 20 April 2023