It Happens Here

Help raise awareness of insider threat at your workplace

CAM002

A lack of understanding about insider threat is a potential blind spot in New Zealand’s security culture. Use these campaign resources to help you raise awareness of insider threat at your workplace.

‘It happens here’ is designed to help security professionals working in public and private organisations to build people’s understanding of insider threat and encourage them to take responsibility to help reduce the risks.

The campaign resources are also useful for people:

  • working in communications and human resources
  • leading teams (line managers, team leaders).

Raise awareness, change behaviour, and reduce the risks

The first step in raising awareness about insider threat is to help people understand that:

  • the threat is real
  • insider acts do happen here in New Zealand and the consequences are severe
  • we’re all responsible for helping to reduce the risks.

Security professionals told us that complacency and aspects of New Zealand’s workplace culture were the major barriers to reducing insider threat. They said many employees:

  • don’t take insider threat seriously because they believe ‘it doesn’t happen here’
  • don’t like to think anyone they work with could be a threat because it goes against ‘Kiwi culture’.

In New Zealand, we tend to minimise the risk of security threats — and sometimes bad things in general — with ‘it won’t happen here’.

This campaign addresses these barriers right from the start. The resources aim to help you change beliefs and behaviour while retaining the positive attributes of New Zealand workplaces.


Use the campaign resources to help you spread the word

The resources will help you explain insider threat in a way that people can understand why it matters, how to recognise it, and what they need to do.

Start with understanding the insider threat, distribute the guide to managing insider threat to team leaders, communication teams and HR groups, share the videos, and capture your organisation’s unique challenges using the case study template.

This video introduces the campaign and its relevance to New Zealand workplaces:


Understanding the insider threat

This campaign summary will help you explain and discuss insider threat in your organisation and teams, including the high-level issues and opportunities for mitigating the risks.

This is a summary of the main highlights from the guide developed by the Protective Security Requirements Team.

What is insider threat?

‘Insider threat’ describes the potential for employees to use their authorised access to your organisation’s work locations, people, information, and systems to cause harm.

Main types of insider threat and examples of harm they can cause

  • Theft, fraud, and corruption — Financial losses
  • Information leaks — Reputational damage, loss of intellectual property
  • Privacy breaches — Compromised customer or client information
  • Sabotaged systems or equipment — Disruptions to operations
  • Violent acts or threats — Safety and wellbeing at risk.

Types of insiders: intentional and unintentional

Insiders who cause harm fall into two broad groups — those who act intentionally and those who act unintentionally.

Intentional insiders

‘Intentional insiders’ aim to cause harm. They’re either recruited by an external party or self-motivated.

An intentional insider who is recruited usually responds to external pressure. That pressure could come from people who share their ideology, or an external party with leverage over them. For example, a gang could apply pressure to repay a debt, or a foreign intelligence agent could apply pressure to get access to information.

An intentional insider who is self-motivated is usually motivated by ideology, or driven by financial gain. Possible influences on their behaviour are financial difficulties, greed, wanting to be perceived as wealthy, or being deeply opposed to a decision or stance your organisation has taken.

Unintentional insiders

‘Unintentional insiders’ cause harm accidentally and the most likely cause is poor security behaviour.

An unintentional insider might not know the correct security processes or might ignore security them thinking they are irrelevant. Some might just choose to bypass the proper procedures because they’re in a hurry. Other factors such as stress, high workload, and poor communication can also be behind some unintentional insider acts.

Poor security awareness could mean an employee:

  • has a genuine gap in their knowledge about the security behaviour expected of them
  • hasn’t paid attention to induction materials or other training about security
  • doesn’t understand the potential impacts of failing to follow security processes.

What to watch for

Security intelligence communities around the world recommend you make everyone in your organisation aware of the following common signs of insider threat.

Remember that the presence of any of these common signs doesn’t automatically mean you have an insider threat. However, you should tell your security team what you’ve noticed.

Changes in behaviour / significant life changes

  • Being more nervous and anxious than normal
  • Receiving calls from outside work that cause stress
  • Becoming wealthy suddenly without any explanation

Concerning or unusual behaviour

  • Being under the influence of drugs or alcohol
  • Making extreme statements that show bitterness or anger — especially towards your organisation and its work, or more senior colleagues
  • Not wanting to take leave and being nervous about others acting in their position — being possessive about certain pieces of work
  • Having an unusual interest in choosing new employees

Changes in work performance or habits

  • Poor work performance
  • Unusual working hours — especially repeated after-hours access
  • Unexplained absences or travel

Security violations

  • Breaching security repeatedly, or deliberately not following security policies
  • Asking others to overlook security breaches, such as not wearing an ID tag or carrying a security pass

Attempts to access sensitive information or restricted areas

  • Being more interested than normal in sensitive information (especially information they wouldn’t ordinarily have access to)
  • Attempting to access (or successfully accessing) restricted areas outside their normal responsibility
  • Taking videos or photos or making notes and diagrams of sensitive information.

Why do people do it?

Although financial gain is the most common reason for an insider turning against their organisation, there’s often a combination of factors at play.

The following list gives the most common reasons for insider acts. Remember that there may be other factors and that the presence of one of the behaviours below doesn’t automatically mean you have an insider threat.

Being disgruntled or angry

  • Outwardly displaying signs of anger or resentment with their employer, manager, or colleagues
  • Seeking revenge

Seeking recognition, admiration, or thrills

  • Having a desire for recognition (notoriety)
  • Attempting to boost their self-esteem or image
  • Thrill-seeking, risk-taking

Having relationship or personal problems

  • Having relationship problems with family, friends, or a partner
  • Having health or personal issues that cause compulsive or destructive behaviour

Being influenced by others or an ideology

  • Having divided loyalties or a conflict of interest (for example, between their employer and someone they have a personal or work relationship with)
  • Believing in or developing a belief in an ideology or cause (especially one that opposes their employer and its work)
  • Succumbing to external pressure, such as blackmail or pressure to repay a debt

Not caring about security

  • Not following security processes despite knowing them 
  • Failing to act when a security concern is raised

The Big Five: simple security behaviours

Encourage the following simple security behaviours to help your organisation reduce the threats from both intentional and unintentional insiders.

1. Watch out for tailgaters

In restricted access buildings where you need a swipe card to get in, watch out for tailgaters — people following you in lifts or through restricted access doors.

Don’t use your card to allow other people access, no matter how nicely they ask, how senior they are, or how closely you work with them.

2. Question people who aren’t wearing ID

If someone should be wearing ID and they are not, don’t be afraid to ask them where it is. There is no harm in simply saying, “Hey, where’s your ID card?” or ‘Excuse me, do you have your ID card?’

If questioning someone is difficult for you or the person concerned is senior to you, it’s completely fine to report what you saw to your security team in confidence.

3. Lock your devices

Lock your devices when you get up from your desk or have finished using them — even if you only plan to be away a few minutes. This simple practice prevents unauthorised access to information and systems.

PC – Ctrl + Alt + Del (or Windows + L)

Mac – Command + Control + Q

You should also take extra care when you’re out and about to prevent people from seeing what you’re reading or viewing on a work device.

4. Protect documents

Collect your printing as soon as it’s done rather than leaving it sitting in the paper tray for anyone to grab. If the content is protectively marked, use your organisation’s secure printing method.

Lock documents away in drawers or cabinets and operate a clear-desk policy (keep work-related information out of view).

When you’re travelling for work, follow your organisation’s security policy for protecting any documents you have with you.

5. Speak up

If you notice something concerning, speak up. Tell your manager or someone in your security team straight away.


Managing the insider threat to your organisation

This short, accessible guide will help people in your organisation to better understand and manage insider threat.

The guide explains what insider threat is, how it happens, and what we can all do about it. You’ll also find case studies that illustrate the risks and consequences of not managing the insider threat.


Insider threat videos

Use this series of videos to help you communicate effectively about insider threat. Play the videos at meetings, load them to your intranet, include them in security training modules, or make them part of induction materials for new employees.

Each video conveys core messages about insider threat and builds on the one before. The compilation video combines all the core messages of the ‘It happens here’ campaign.

In the video series, you’ll hear from:

  • Rebecca Kitteridge, the Director-General of the New Zealand Security Intelligence Service
  • security managers from across the public sector
  • Rocket Lab, a private sector company.

Video 1 – Understand the organising idea behind ‘It happens here’

Watch this introductory video to understand the central idea behind the campaign and the purpose of the short guide.

Download a copy of the accessible transcript [DOCX, 30 KB]

 

Video 2 – Listen to security professionals in the public sector talk about why security matters

Security professionals talk about the insider threat in relatable terms, so everyone can understand why it’s important to take this threat seriously, and how they can contribute to reducing it.

“You wouldn’t give someone you don’t know your banks details, you wouldn’t let someone you didn’t know just follow you into your house, so the same principles apply at work.” 

Download a copy of the accessible transcript [DOCX, 31 KB]

 

Video 3 – Take a deeper look at insider threat and the risks involved

This video goes a little deeper into insider threat, and the practical risks insiders can pose to your organisation. It highlights the everyday things people do that put their organisation’s people, assets, and information at risk.

“There could be people within your organisation, who either deliberately, or because they are really careless, are creating some threat to the valuable assets that you hold, such as information” 

Download a copy of the accessible transcript [DOCX, 32 KB]

 

Video 4 – Hear Rocket Lab’s security manager share his approach

This video takes you inside security at Rocket Lab and captures the role everyone can play to protect their workplace. Rocket Lab follows the government’s Protective Security Requirements to protect their people and assets at their world-leading facilities.

“It’s the absence of the normal and the presence of the abnormal…it’s just part and parcel of management, you need to know your people”

Download a copy of the accessible transcript [DOCX, 32 KB]

 

Video 5 – Hear security professionals discuss the impact New Zealand culture has on thinking about insider threat, and how we respond

This video discusses ways to overcome the common barriers to reducing insider threat: people believing insider threat doesn’t happen much, and if it does, it won’t be that bad.

“Challenge people that are inside the environment that you don’t know”

Download a copy of the accessible transcript [DOCX, 31 KB]

 

Video 6 — Watch the ‘supercut’ — a compilation of the five videos

This video captures all the core messages from each of the previous videos. You may find it useful when you want to present all the messages at once. 

Download a copy of the accessible transcript [DOCX, 37 KB]


Case study template for security professionals

When it comes to insider threat, every organisation has unique challenges and lessons. This template gives you an easy way to record what happens with insider threat activity at your workplace, so you can learn what works well and what doesn’t.

Record cases of insider threats being realised, near misses, or times when security measures prevented threats from going any further.

Share the lessons with people outside your team, consider whether you could successfully anonymise the details. Case studies drawn from real events can be great tools for helping people to realise ‘It happens here’.


Guide to the core themes of the campaign

Understanding the thinking behind the campaign will help you to communicate the core messages more effectively.

Barriers this campaign addresses

‘It happens here’ addresses barriers that security professionals frequently encounter when they try to raise awareness about the insider threat. Those barriers are:

  • Many employees don’t like to think about insider threat. They don’t want to imagine their colleagues are capable of it, nor do they believe in their own potential for accidentally exposing their organisation to loss or damage.
  • Most employees underestimate the risk of insider threat: You might hear “that sort of thing doesn’t happen here.” Even if they do acknowledge the risk, they might argue that the impact could never be significant in a country like New Zealand.

Why do these barriers exist?

The work culture in New Zealand is less hierarchical than in other countries. There’s less distance between senior managers and workers, and people often work in open-plan spaces. This culture can make things feel less formal, easier to manage, and reduce perceptions of risk.

While it’s important to keep these positive features of our work culture, we also need to address how it can affect people’s ability to acknowledge and react to insider threat.

Core campaign messages 

The core messages underlying the campaign are:

  • The insider threat is real — insider acts do happen here in New Zealand and the consequences are severe.
  • We can all learn to recognise the signs of insider threat and act in ways that reduce the threat. Preventing an insider threat is everyone’s responsibility.

How you can help spread the word and be understood

The conversations you have with people in your organisation are crucial for embedding the campaign’s core messages and ensuring people understand the resources. In some organisations, the resources could become part of training and development modules.

Working with your people one-to-one or in small groups could be the most effective way of ensuring that:

  • the framing and messaging for ‘It happens here’ is well understood
  • people have time and space to read the guidance and watch the accompanying video series
  • people can ask questions and get advice from their security teams.

Notes for HR practitioners: your role in reducing insider threat

As we brought ‘It happens here’ together, we heard often about the critical role people HR teams play in mitigating insider threat.

If you’re an HR practitioner and haven’t had much to do with your organisation’s security team, now’s the time to reach out. There’s a range of ways you can ensure better security in your organisation, but you might need some new processes and systems (or to dust off old ones). Your security team can help you do that.

What you can do

When it comes to security — particularly insider threat — you have an important ‘bookend’ role to play. Here are some actions you can take.

  • Support a ‘mature’ security culture, where all aspects of the organisation are on board and integrated.
  • Ensure you always do thorough pre-employment checks.
  • Make sure new staff are aware of their responsibilities as stewards of sensitive and valuable information and assets.
  • Improve employee engagement to prevent disgruntled employees becoming a source of insider threat.
  • Consider the insider threat presented by individuals going through disciplinary proceedings or similar, who may experience heightened disgruntlement.
  • Track engagement and ensure good tracking systems and processes are in place when line managers or other staff raise issues to do with insider threat.
  • Manage the departure process for staff by working with your security team before, during, and after their departure to spot any irregularities or other issues.

To manage some of these processes and practices, you’ll need internal policies and major collaborative efforts. For others, simple conversations with your security team will be best.