Skip to main content

Insider threat - Managing people security

Published on 22 January 2020

What does the insider threat look like?

There are five common crimes associated with insider threat:

Account fraud is often associated with administration access rights abuses. It may involve an employee changing business related payment details in their own favour or in favour of a third party, diverting funds from their rightful destination.

Bribery has three main strands: bribing someone (active bribery); being bribed (passive bribery) and the corporate offence of failing to prevent bribery within the business. These are offences under the Bribery Act 2010 which carry a maximum sentence of 10 years imprisonment and an unlimited fine.

Procurement is particularly susceptible to bribery but other areas of business are vulnerable as well e.g. an employee could be bribed to disclose sensitive information to a third party. This could be damaging on a number of levels but there are now additional Data Protection implications to be considered.

Dishonest acts to obtain benefit by theft/deception covers a wide range of activities such as theft of equipment/stock; time sheet fraud and sickness absence fraud. These are all common threats against the organisation and are often viewed by the perpetrators as being minor infringements and not criminal behaviour.

Employment application fraud ranges from minor embellishments on an application form to fabricated work histories and qualifications. A candidate may use false identification; present forged education attainment certificates; use false references; conceal previous misconduct or conceal other facts about themselves that may be detrimental to their application. Once someone has been successful in their application and is in position, they may retain their post, illegitimately earning their wage for a long period of time, without their initial deceit coming to light.

Unlawful obtaining/disclosure of data is a huge threat for public bodies that hold vast amounts of sensitive workforce and customer data. Every time we access systems we are expected to do so in accordance with the principles of data protection and confidentiality, but it is easy for these principles to be overlooked or ignored if they are not regularly reinforced. For example, it would be relatively easy for someone with legitimate access to extract information and sell it on to a third party for financial gain. In fact, there are data wholesalers in the UK who pay individuals for corporate data-sets and sell them on to retailers and others to use for an unknown and unregulated purpose.