A book out earlier this year covers the insider threat. Mark Rowe asks if that phrase is too off-putting.
If there’s one topic that deserves the attention of private security people, that I have not given the attention it deserves, it’s the insider threat. Hence I was keen to take a look at Paul Martin’s new book, Insider Risk and Personnel Security, courtesy of someone who (judging by the bookmark) is halfway through it. They were complimentary about it, as an ‘educated view’, by someone who was a practitioner (his career in public service included being director of security for the Houses of Parliament) and who’s now a professor.
I prefer Martin’s double-barrelled title to ‘insider threat’ because the risks that your staff pose are not only due to their (usually concealed) malice but because they are foolish (in too much of a hurry, or lazy), or even trying to do good. Something I heard at the RISK London show this week was the story of a reputational risk arising for a ‘brand’, and consultants looking into the source. It turned out to be not activists or others with a grievance against the corporate, but an employee who was tapping away, meaning well, trying to make the case for his employer. That humans cause the problems implies a need to screen personnel, before you employ them and (even more overlooked) checking them during employment in case their circumstances alter. Paul Martin was the author in 2019 of The Rules of Security, that some raved about, but I had the quibble that the book said too little about pounds and pence – it’s all very well stating how to secure a site and organisation well, but if you don’t understand and use the wiles of getting and keeping budget, it’s academic.
Simply writing the book serves to raise the need to consider insider risk, and I’ll give one example of how it’s not in public discourse. I can’t remember the last time I heard someone from retail loss prevention mention theft by staff. I can understand that. Violence against staff by thieves, whether drug addicts or organised groups stealing to make a (substantial) living, is enough to handle. Appeals by retail for a law (as passed in Scotland) to make an assault on a shop worker a separate offence would have less force if retailers admitted their staff were stealing goods out the back door. Campaigns such as ShopKind urging shoppers to be considerate to those who serve them would work less well if we admitted ‘staff are on the take’. And might that not encourage some shoppers to take too?!
Some trends make for more temptation to staff to steal; fewer shop workers not only means that those employed are more stretched – and might rationalise that they ought to steal, to make up their pay; the less ‘natural surveillance’ by fewer colleagues might mean that remaining staff can take advantage of being on their own, and working around physical and procedural security, colluding perhaps with the delivery driver at the back of house.
It’s a cliché but true nonetheless that staff are not only the main threat, but the main asset against that threat, and I’ll offer a 20-year-old story as proof. To cut the story short I was one of a non-security group that got to visit a Tesco logistics warehouse on a former RAF airfield. I could wave my invisible journalistic antennae while letting others ask any questions. The workforce was Slovaks and the like from eastern European members of the European Union, then recently migrated to the UK. What’s stuck in my memory is the tour guide telling us that those Slovaks (or whatever nationality) were the ones keenest to inform the company of thieving by their fellow nationals. You might think that a nationality would stick together; quite the opposite, the law-abiding ones did not want the thieves among them ruining their good name as hard-working and wanting a better life.
In other words, ‘insider aid’ may be a better focus; how to allow the law-abiding (who can rationalise that if they let colleagues steal, it’ll harm the business and ultimately jeopardise their jobs – besides, who likes to be part of that wrong-doing and thereby condone it?) to report concerns, safely?
Insider risk, to sum up, is a fascinating topic for the psychology (thieving employees regrettably no more go around with signs saying ‘thief’ than burglars carry bags marked ‘swag’) and sociology (if thieving by staff takes hold, it can take a grip of an entire department or site, whereby even corrupt managers hire people on the basis that they are crooked). Sadly, seemingly employees with criminal intent or what His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) in 2022 called ‘the wrong people’ can too easily join the police and then (more’s the point) stay in their positions because of poor or no vetting. HMICFRS made its report after the murder of Sarah Everard in 2021 by a serving police officer. Angolini and indeed Baroness Casey in her as damning report into the Met Police addressed culture – it suits few people to admit it, yet bad people cannot help but give off signals about their badness, and about more than one thing – besides their wrong-doing, they might be plain inadequate at their job. But who speaks up about it, and who listens?
This year Lady Angiolini’s report for the Home Office likewise went into the shortcomings of police vetting of its people. Even in Cold War days, when vetting was above all done to spot and keep out Communists, government was chronically behind in such work. What has changed?
For Paul Martin’s Insider Risk (published by Routledge, paperback £28.79) visit https://www.routledge.com/Insider-Risk-and-Personnel-Security-An-introduction/Martin/p/book/9781032358543.
