Laura Eshelby, Head of Economic Crime at Clue Software, formerly a Deputy Director at the Cabinet Office, shares her seasoned expertise on addressing insider threats in the public sector.
Insider threats are becoming an increasingly pressing issue within the public sector, accounting for 30% of all breaches in this space. In the highly regulated public sector, agencies handle sensitive personal and government data, making insider threats particularly dangerous, with consequences ranging from financial losses and confidential leaks to reputational damage.
Insider threats can manifest themselves in various ways, from organised crime groups leveraging insiders to access sensitive data, to angry employees committing fraud or theft. Employees handling more confidential information in unsecured or public environments are more vulnerable to breaches, and remote work has given rise to new threats like dual-working fraud. This is where employees may exploit remote conditions to engage in fraudulent activities with multiple employers.
This growing risk underscores the need for robust internal security measures and monitoring to safeguard public sector organisations from internal exploitation and ensure the protection of sensitive information.
The rise of insider threats
Insider threats have been on the rise, with filings to Cifas’ Insider Threat Database (ITD) increasing by 14% in 2023.
A significant driver of insider threats has been dishonest, financially motivated misconduct by employees. This accounts for 49% of reported cases and is believed to be fuelled by pressures from the cost-of-living crisis and inflation. Notably, 38% of individuals filed to the ITD had been in their roles for less than a year, highlighting that employees are more willing to engage in dishonest behaviour early in their employment.
A notable example includes a former Ministry of Defence official who was convicted in public office after being found guilty of taking kickbacks of more than £70,000 in exchange for commissioning work from offshore consultants. This goes against the civil service code and the values and standards of the civil service.
Beyond intentional insider threats, the rise of remote work has heightened the risk of accidental information leaks to bad actors, as sensitive conversations can occur outside secure environments.
The prevalence of social media has also introduced new routes of attack, as the extensive personal information shared on these platforms allows perpetrators to target and blackmail employees. Insider threats can compromise the confidentiality, integrity, and availability of financial data and systems if left unchecked, given that insiders possess deep knowledge of a company’s operational and security protocols.
The critical need for strong internal security measures
The increasing risk of insider threats in the public sector highlights the urgent need for strong internal security measures to counter these vulnerabilities. The importance of effective internal controls is highlighted in the Cifas 2024 Fraudscape Report, which noted a 20% rise in detected cases due to internal controls.
While rigorous vetting is often the first line of defence, utilising reference checks, identity verification, criminal and financial screenings, and social media assessments, these measures alone cannot fully address insider threats. Continuous monitoring and a security-aware culture are essential for ongoing risk mitigation.
Conducting a comprehensive risk assessment helps identify critical assets, high-risk areas, and key personnel, establishing a foundation for a governance framework that enables collaboration between stakeholders such as HR, Legal, Cybersecurity, and IT. This ensures that risks are systematically monitored and managed. Additionally, anomaly detection tools provide essential support by flagging unusual user behaviour, such as accessing sensitive files outside regular hours, to pre-empt potential data breaches.
Establishing a proactive three-pronged strategy
While internal security measures are essential for reacting to insider threats, a robust and secure reporting structure and enhanced intelligence capabilities are key for early detection. By implementing a third-party reporting system, organisations in the public sector can maintain thorough records of internal and external intelligence to help identify threats before they escalate. Analysing this data enables organisations to spot behavioural shifts, unusual access patterns and connections to external events that may signal potential risks.
Gathering information from multiple sources, including technology monitoring and external partners, can help security professionals develop a well-rounded intelligence picture, uncovering insights beyond their internal data sets. When intelligence points to a high likelihood of fraudulent activity, a threshold often used in civil and disciplinary cases, it is important to conclude an investigation with actionable outcomes.
Before 2015, the UK Government lacked a unified approach to tackle insider threats, leading to situations where employees dismissed for fraud or theft could re-enter the public sector. In response, the UK Government established a system parallel to the ITD led by Cifas, mandating the completion and reporting of all investigations related to staff fraud. Under this system, individuals dismissed for fraud-related offences are recorded and flagged in pre-employment screenings, with a five-year restriction on re-employment in the Civil Service in compliance with the Rehabilitation of Offenders Act.
This process illustrates that without robust reporting and intelligence-sharing frameworks, employers across all sectors risk allowing individuals to resign mid-investigation, only to move on and potentially inflict similar harm elsewhere.
Fortifying security measures
Although it’s nearly impossible to eliminate the risk of insider threats entirely, a proactive strategy for investigating these threats can significantly mitigate the escalating risk.
By implementing a three-pronged approach that integrates security measures, a solid reporting system and a strong response plan, the public sector can strengthen its defences against both internal and unintentional threats in the long term.