You are using an outdated browser. Please upgrade your browser to improve your experience
Dragonfly views protective security as encompassing three interrelated domains: cyber security; physical security; and personnel security. The latter area encompasses personnel screening and the insider threat.
The core value of most businesses is held within (1) its technical know-how, (2) customer (and to a lesser extent, supplier) databases, (3) bespoke contacts, and (4) price structure. Those inside the company with authorised access to this sensitive data are often the people best placed to exploit the value of these assets to the detriment of the business.
An exclusive focus on outward-facing cyber and physical security, without considering the need for effective internal personnel security, exposes the business to considerable risk.
Two case studies bring this threat to life. These case studies are both true, with identities redacted.
Company A is a substantial business supplying logistics and personnel to domestic and foreign (mainly US) military. Their IT systems were sufficiently robust to detect potential misuse of data by a senior manager, who was downloading and copying client lists, contracts and price structures. The activity could be tagged to the specific individual, dates, times and classes of material.
This material was being forwarded to external sources, including a counterpart in a competing business, and it appeared that the intention was to gain commercial advantage through insider knowledge.
The evidence was sufficiently compelling to enable lawyers to obtain a Search Order from the High Court, authorising entry of the homes of the senior manager and his counterpart and seizure of relevant electronic and hard copy evidence.
The order was executed at both locations simultaneously, to avoid the possibility of evidence being destroyed or hidden through them warning each other. In each case the search was supervised by an independent solicitor, and the electronic search conducted by an independent IT expert who imaged every electronic device on the properties.
The electronic data was removed to a secure evidence store, and keyword searches undertaken to identify relevant evidence. The evidence collated was sufficient for HCR to return to Court and obtain further orders (known as "Springboard relief"):
(1) Forbidding the two parties from contacting named individuals and entities for a specified period
(2) Compelling the two parties to deliver specific documents to Company A, delete all electronic copies, and allow access to Company A’s IT experts to verify deletion
(3) Compensation to Company A for losses and costs sustained, totalling over £500,000.
Company B is a List X supplier of technology to the UK MoD. They detected a potential misuse of data by a senior manager, however despite robust cyber-security against external threats the internal procedures and safeguards were virtually non-existent. Access was not restricted or password protected, USB's and devices were pooled and shared, and activity could not be tagged to individuals, dates and times.
In this case legal advice was not to apply for a Search Order, thereby saving significant wasted cost as Courts will only authorise a dramatic invasion of privacy in exceptional cases and many applications are refused, leaving applicants with large, unrecoverable legal bills. Similarly, legal advice was against seeking a Springboard injunction, as without the evidence, the financial risk was too great.
Company B was not sure whether to report the security breach to the MoD, and legal advice was a categorical yes. If an unreported breach was discovered later, they risked permanent loss of List X status leading to the probable loss of the business.
HCR liaised with the UK MoD police, who were persuaded to use their own powers of search and seized evidence at the home of the senior manager; the recovery of all of Company B’s confidential information prevented it from reaching the competition and saved the business.
The case studies above highlight some factors that organisations should consider when it comes to the insider threat:
The lawyers acting in both cases were HCR (Harrison Clark Rickerbys). Dragonfly’s Security Intelligence service advises businesses in all areas of security to help protect their people, assets and brands.
This article is one part of a wider series of useful reference materials that we created to aid businesses post Covid-19. If you would like to see more resources that can help plan your risk and security strategies, please see our Business Recovery Toolkit.