Personnel Security

PER006

Understand the risk people pose to your organisation

Although people are often said to be an organisation’s greatest asset, they can also be a weakness.

Insider threats come from our past or present employees, contractors or business partners. They can misuse their inside knowledge or access to harm our people, our customers, our assets or our reputation.

An ‘insider threat’, or ‘insider’, is any person who exploits, or intends to exploit, their legitimate access to an organisation’s assets to harm the security of their organisation or New Zealand, either wittingly or unwittingly, through espionage, terrorism, unauthorised disclosure of information or loss or degradation of a resource (or capability).

Studies have found that most insiders who breach security had no malicious intent when they started their employment. Instead, they may become lax or ‘go bad’ as a reaction to later events.

Common ways an insider may breach security

Common insider acts can include:

  • unauthorised disclosure of official, private, or proprietary information
  • fraud or process corruption
  • unauthorised access to ICT systems
  • economic or industrial espionage
  • theft, violence or physical harm to others.

Common reasons an insider may breach security

An insider’s motivation is often because of a combination of factors and pressures, such as:

  • revenge against an employer or colleagues
  • uncertainty about their continued employment
  • greed or financial gain
  • political or religious ideology
  • ego or notoriety
  • coercion, manipulation, or exploitation from an external third party.

When insider cases are investigated, it is not uncommon to discover a pattern of past behaviour of security concern. In some cases, individuals will have come to the attention of previous managers.

Unintentional security breaches

Unintentional security breaches or near misses can result from:

  • lack of awareness or attention to security practices
  • being distracted
  • being tailgated
  • being fooled into unwittingly assisting a third party (social engineering).

Page last modified: 2/10/2018