Signpost Six Blog

The Six Faces of Insider Risk: Understanding the Spectrum of Threats

Written by Enrico Henriksson | Oct 30, 2024 9:10:54 AM

Understanding Insider Risk

In the dynamic landscape of modern business, organisations are not only vulnerable to external threats but also face significant risks from within their walls. Sometimes understood as a broad term, Insider Risk encompasses a spectrum of potential dangers that can compromise the integrity, security, and reputation of an organisation. In this blog post, we will delve into the six faces of insider risk, each representing a distinct category of the wider threat: sabotage, data theft, unauthorised disclosures, workplace violence, fraud and corruption, and finally, insider trading. To illustrate the real-world impact, we’ll explore a prominent case associated with each face.

Face One: Sabotage

The first face is that of sabotage, one of the three most common intentional insider acts facing industries worldwide. Sabotage is a deliberate act aimed at undermining or incapacitating an organisation through obstruction, disruption, or destruction. Sabotage can take many forms and target various elements of an organisation. For example, IT sabotage targets the integrity and availability of systems and information, while manual sabotage aims to disrupt operational infrastructure. 

A landmark case is that of Ricky Joe Mitchell, a former network engineer for EnerVest, an oil and gas company based in the U.S. After finding out he was set to be fired, Mitchell reset the company’s servers to factory settings, freezing operational activities for a month and costing the company over $1 million.

Face Two: Data Theft

The second face is that of data theft. This entails the insider’s use of access to steal or exploit data, material and intellectual property (IP) from an organisation. Insiders stealing data often hope to gain an immediate advantage at a new job, start a new business, or assist the collection efforts of a foreign organisation or government. Common targets of data theft include source code, scientific formulas and other forms of IP. The theft can be the result of an individual’s own initiative, or of targeted espionage by a rival organisation or nation-state. The theft of IP is often the biggest fear for most organisations, as it directly harms their competitive advantage and decreases their incentives to innovate.

Here we can look at a recent case affecting the pharmaceutical industry. Chun Xiao Li, an associate director of statistics at Pfizer, uploaded over 12,000 files to her personal Google Drive account from a company laptop without prior permission. She had been with Pfizer for 15 years and had allegedly been offered a job at Xencor, a biopharmaceutical competitor of Pfizer. The company claimed Li had planned to transfer documents “potentially related to numerous Pfizer vaccines, drugs, and other innovations”, specifically concerning information about the COVID-19 vaccine and monoclonal antibodies, to her new employer. As of December 2021, Pfizer’s attorneys stated that “Li has expressed her willingness to cooperate with Pfizer and to resolve this action without further court intervention.”


Face Three: Unauthorised Disclosures

An unauthorised disclosure is the communication or physical transfer of classified information to an unauthorised recipient. These account for the majority of insider acts. Whilst data theft can be understood to fall under unauthorised disclosures, here we focus on disclosures to the media and contrast them against whistleblowing. The key difference with whistleblowing is the conscious choice made by the insider to refrain from following existing confidential reporting mechanisms. As such, unauthorised disclosures comprise the unauthorised release of confidential information, false information, or fake news to news media or other media outlets, including social media. These can trigger retaliatory behaviour among frightened or angry customers, investors, regulators, and other members of the public. 

U.S. intelligence agencies in particular have faced a turbulent history related to unauthorised disclosures. A landmark case is that of Reality Winner, a former Air Force linguist and intelligence contractor with a Top-Secret security clearance. Winner printed classified documents concerning possible Russian involvement in the 2016 U.S. elections and emailed them to a news outlet. The news website published the unredacted documents with the printer’s digital watermark, which allowed authorities to trace the leak back to her. Winner is currently serving a five-year prison sentence for the unauthorised disclosure of a classified intelligence report. A U.S. attorney said the report Winner leaked revealed sources and methods of intelligence gathering and that its disclosure “caused exceptionally grave damage to U.S. national security”.

Face Four: Workplace Violence

Workplace violence is often seen as a problem distinct from that of insider risk. However, acts of workplace violence can be seen as behavioural indicators of employees going down the critical pathway to insider risk, whilst also triggering deep effects on brand reputation. Violence can be both physical and psychological, including bullying, sexual harassment, discrimination, and slavery.

A case of workplace violence which made headlines in the early 2000s is that which affected France Telecom employees. The recently appointed CEO of France Telecom, Didier Lombard, was tasked with reducing the organisation’s headcount. Whilst Lombard achieved this goal, the strategy used to reduce the headcount and its impact on the organisation’s people were shocking. To achieve the reduction of over 22,000 employees, France Telecom’s leadership used systematic psychological abuse to get employees to quit voluntarily. As a result, at least 35 employees committed suicide. France Telecom incurred a small fine, which one would hope would be much larger today, alongside receiving widespread anger for its practices, showing the multiple facets of workplace violence.

Face Five: Fraud & Corruption

Fraud and Corruption cover acts of deception with the purpose of unfair, undeserved or unlawful gain. Corruption specifically can also encapsulate goals broader than direct financial objectives, such as impairing integrity, virtue, or moral principles. Insiders often commit fraud and corruption by corrupting existing critical corporate processes. Fraudsters use their access to modify, add, or delete organisational data for personal gain. Examples include modifying driver’s licence records, criminal records, welfare status, product information and payment instructions. An increasingly emergent aspect of this is the infiltration of subversive crime into legitimate organisations, specifically aiming to compromise the integrity of supply chains.

Shell and Eni have been accused of paying over $1 billion through bribes to members of former Nigerian President Goodluck Jonathan’s administration. This was done with the aim of acquiring rights to the OPL245 offshore oilfield. These activities have been recognised as detrimental to Nigeria’s population. Internal emails show how Shell’s senior executives knew about the payments that would be issued to Dan Etete, former Nigerian oil minister. In fact, the $1.1 billion which was meant to benefit the Nigerian people went straight into the pockets of the former oil minister, who had awarded himself the offshore field in 1988 via a company he secretly owned. After more than ten years, charges against Shell and Eni have been dropped, but questions remain over the transparency and integrity of the transactions.

Face Six: Insider Trading

Insider trading can often be misunderstood to fall under fraud and corruption. However, insider trading specifically concerns the trading of a corporation’s stock or other securities by individuals with access to non-public information about the company. The insider may trade themselves or pass the information to an external party that trades on their behalf. Insider trading erodes market confidence, inhibits capital investments, damages the efficiency of the market and directly harms investors. 

In September of 2017, former Amazon financial analyst Brett Kennedy was fined $2,500 and sentenced to 6 months in prison for insider trading-related charges. Kennedy had provided non-public financial results to an acquaintance, who purchased 4,440 Amazon stock shares before selling them for a profit of $116,000. Kennedy received $10,000 of the profit for the information provided.

What can be done?

Exploring the different faces of insider risk highlights two key points. The first is that insiders can be found in any type of organisation. Regardless of whether an organisation is private or public, and regardless of what sector it operates in, insiders can always target specific assets or information that can be compromised. Secondly, and most importantly, organisations are exposed to all types of insider threats. Whilst for some organisations reputation is their greatest asset, and for others it may be their employees, all facets of an organisation can be manipulated and compromised, causing widespread and sometimes unexpected costs.