Maja Pawinska Sims 17 Oct 2023 // 9:51AM GMT
LONDON — The UK government’s National Protective Security Authority (NPSA) has issued new guidance for communicators on how to avoid “insider risk” by engaging employees to avoid security consequences.
The guidance, ‘Insider events: A communications guide to reduce their impact’, recognises the role that effective organisational communication plays in preventing, managing and recovering from “insider events”, which occur when those in a workforce act against the interest of the organisation.
The NPSA – which was created earlier this year to combat national security threats – defines insider events as “the activity, conducted by an insider (whether intentional or unintentional) that could result in, or has resulted in, harm or loss to the organisation”.
Insider events could include a member of staff passing confidential information to a competitor or a state actor, either for financial reward or for ideological reasons, or being so disgruntled at work that they deliberately sabotage a core system, rendering an organisation unable to operate.
Such events are not always deliberate: an employee might unwittingly give an unauthorised user access to confidential documents or leave an unprotected laptop on the train, for example. Another scenario might be a member of the team developing cutting-edge technology and taking it with them to a competitor.
Insider events are on the rise, according to the World Security Report 2023, commissioned by Allied Universal and G4S and involving interviews with 1,750 chief security officers from large global companies in 30 countries.
The report found that 92% of global security chiefs expect their organisation to be impacted in the next 12 months. The cost to business can go beyond the financial to include erosion of trust, workforce morale and reputational damage. Factors such as the cost of living crisis, global instability and declining levels of trust in authority all make insider events more likely.
In its guidance, the NPSA underlines the leadership role that communications professionals can play in reducing the impact of an insider event, and calls for greater integration between security, HR and communication professionals at an executive level.
It also outlines why insider events require a different approach to crisis communications, and includes a toolkit on what communicators can do before, during and after such an event.
The guidance recognises that people are an organisation’s greatest security asset and offers practical advice for organisations in building their resilience: “Effective communication is critical in helping leaders be insider risk-ready. It goes so much further than managing reputational risk, it can make an organisation less vulnerable to attack in the first place, and should an event occur, enhances how well it recovers reputational trust, inside and out.”
Crisis communications specialist Rod Cartwright, who last week chaired a CIPR event on the guidance as a special advisor to the CIPR Crisis Communications Network, told PRovoke Media: “The research on the rise of insider risk as an ever-growing area of corporate concern is unambiguous. And yet according to this crucial new guidance, 60% of organisations do not have a plan to manage insider risk appropriately.
“We all know – and probably say regularly – that our people are our greatest asset. But the reality is that if you employ people, you also have insider risk. Insider events can strike at the heart of how an organisation operates and manages its people. As such, they require a different approach from generic crisis communication.
“The good news is that an engaged workforce can help reduce the likelihood and impact of an insider event. NPSA’s new guidance will be invaluable in helping organisations to build their resilience by adopting a truly integrated, silo-free approach, as they work to prepare for, manage and recover from insider events.”
In her foreword to the guidance, Kate Hartley, co-founder of crisis simulation company Polpeo, said: “Mitigating the risk of an insider event means breaking down organisational silos, working with cross-functional teams to create a safe and open culture, great leadership and regular communication.
“It gets to the heart of how an organisation operates and manages its people. Insider events are distinct from other types of possible crisis. It can tear people apart, have a lasting impact on culture, and destroy trust from within the organisation. It is not enough to rely on generic crisis communications principles to deal with it.
“This guidance from NPSA has never been more important. It helps organisations embed their response to insider events into their crisis communications plans, with actions to take before, during and after an event. Every organisation will have a crisis plan. It’s time that plan included ways to address the threat from within.”