Introduction
Each organisation is unique, yet all share a common goal: to safeguard assets and information, ensure operational continuity, maintain trust, and protect against potential threats.
Organisations expect employees, executives, partners, and suppliers to exhibit desirable behaviours such as ethics, integrity, and professional conduct along with accountability, teamwork, adaptability, and a commitment to upholding the organisation’s values and goals. These are artefacts of success.
At Pentagram Advisory, when we advise organisations on insider threat mitigation through insider threat programs and workforce screening, we often hear that the concept feels unfamiliar or new. Many organisations express concerns about navigating privacy and employment laws, as well as managing potential stakeholders including unions. An insider threat program is another name for many activities and policies already in place.
The term ‘insider threat’ is often associated with espionage or cyber security incidents. While these are important threat vectors, insider threats encompass a much broader range of risks that organisations are already addressing—they are just referred to using different language and terminology.
Today, let’s bridge this gap in understanding, bust common myths about insider threats, and highlight what organisations are already doing to mitigate insider threat by recounting practical case studies.
Case Study 1: Corruption, Fraud, and Theft
Peter, a 42-year-old facilities manager at a critical infrastructure hospital, was tasked with overseeing maintenance and procurement contracts to ensure the hospital’s smooth operations. Unknown to his employer, Peter secretly owned a private company that supplied maintenance goods and services.
Over a three-year period, Peter manipulated the procurement process by bypassing competitive tendering requirements and awarding lucrative contracts directly to his own company. To further conceal his actions, he falsified invoices, inflated costs, and misrepresented the urgency of repairs to justify his decisions.
Through this scheme, Peter not only defrauded the hospital of substantial funds but also engaged in theft by diverting hospital-owned supplies for use in his private company’s operations. This unethical arrangement resulted in subpar maintenance services, critical equipment failures, and financial losses for the hospital, ultimately jeopardising patient care and tarnishing the organisation’s reputation.
Consequences for Peter
Following an internal investigation and external audit, Peter was terminated from his position and reported to law enforcement. He was later convicted of fraud and theft under the Criminal Code Act 1995 (Cth) and received a custodial sentence, along with a court order to repay part of the misappropriated funds.
Existing efforts and building on current investments
Organisations are already actively managing this type of insider threat through governance rules, anti-corruption policies, protected procurement frameworks, vendor due diligence, conflict-of-interest declarations, regular training, audit, and codes of conduct. These measures represent substantial investments aimed at mitigating risks, ensuring compliance, and fostering a culture of accountability and integrity.
However, this case demonstrates the need to build on these efforts by incorporating pre-employment screening, continuous monitoring, cross-departmental oversight, and robust reporting mechanisms. Expanding these practices and integrating them into a comprehensive insider threat program can significantly enhance an organisation’s capacity to safeguard critical infrastructure while optimising the impact of its existing investments.
Case Study 2: Insider Trading
Emma, a 35-year-old financial analyst at a critical infrastructure energy company, had access to confidential financial data due to her role in preparing reports for executive decision-making. During a routine analysis, Emma discovered sensitive information about a pending merger between her company and a smaller, publicly traded energy firm. The merger, when announced, was expected to significantly boost the smaller firm’s stock price.
Recognising the potential for financial gain, Emma discreetly purchased a substantial number of shares in the smaller company through a personal brokerage account registered under a relative’s name to avoid detection. Following the public announcement of the merger, the smaller firm’s stock price surged, allowing Emma to sell the shares and realise significant profits.
Emma’s actions were a clear violation of Australian laws. Once her activities were uncovered through an internal audit, the organisation faced scrutiny from regulatory bodies, reputational damage, and potential fines. Stakeholders questioned the integrity of the company’s governance, personnel, and information security practices. The incident exposed gaps in the company’s governance and risk management systems, raising concerns about its compliance with the Corporations Act 2001 requirements to manage material risks effectively.
Consequences for Emma
Emma faced severe consequences, including termination of employment and legal action under the Corporations Act 2001 for insider trading. She was convicted, fined heavily, and prohibited from holding executive or financial positions for several years. This case serves as a stark reminder of the grave repercussions insider trading can have for both individuals and organisations.
Existing efforts and building on current investments
Many organisations already enforce policies on information handling, conflict-of-interest declarations, regular training, and secure access controls to mitigate insider trading risks. Additionally, under the Corporations Act 2001, directors and officers have a duty to manage material risks, including those related to insider trading, to protect their organisation from operational, financial, and reputational threats.
However, this case underscores the importance of enhancing efforts with advanced monitoring systems to detect unusual trading activities, regular training programs to ensure legal and ethical awareness, and independent oversight to identify and address governance gaps.
Integrating these measures into a comprehensive insider threat program can strengthen governance, effectively mitigate risks, and safeguard organisational integrity and stakeholder trust.
Addressing insider trading as a material risk is critical not only to safeguarding financial stability but also to maintaining stakeholder trust, organisational credibility, and reputation.
Case Study 3: System Sabotage, Psychosocial Hazards, and Workplace Bullying – A Complex Mix to Address!
Jane, a 32-year-old system administrator at a critical infrastructure water company, was known for her competence and dedication. However, during a corporate restructure, her responsibilities were significantly reduced, and she was excluded from key decision-making processes. Her new manager, David, a known micromanager, publicly criticised her and dismissed her concerns. Despite raising grievances with HR, no action was taken.
Over time, Jane became increasingly disengaged, and her performance declined. During an office relocation, she was moved to an isolated workstation, further exacerbating her sense of alienation. Feeling undervalued, she resigned abruptly without handing over her duties. Four weeks later, staff discovered that key records had been deleted and IT backups encrypted.
Investigations revealed that Jane had inserted malicious software into the network before leaving. Her system access, which had not been revoked, allowed her to remotely sabotage the organisation, causing $1.2 million in recovery costs and significant reputational damage.
Consequences for Jane
Jane’s actions were a clear breach of both ethical standards and legislation. Following forensic investigations, Jane was charged under the Criminal Code Act 1995 (Cth) for unauthorised access to and sabotage of IT systems. She was convicted and received a custodial sentence, along with a court order to pay restitution for part of the financial damages incurred by the company. Jane’s career prospects were severely impacted, and she faced significant personal and professional repercussions.
Existing efforts and building on current investments
The response to Jane’s actions required coordination across HR, legal, integrity, IT, compliance, security, communications, and finance, with each department working independently. An enterprise insider threat program with multidisciplinary governance would streamline these efforts, aligning disjointed policies and procedures into a cohesive framework for maximum efficiency and impact.
Jane’s case highlights the preventable nature of insider threats when organisations implement a robust insider threat program. While many organisations already have measures like access control policies, grievance mechanisms, and incident response plans, these often operate in silos, leaving critical gaps. A comprehensive program integrating these measures with proactive support could have prevented Jane’s grievances from escalating into costly sabotage.
Key enhancements include psychosocial safety measures to address workplace bullying, early intervention systems to identify dissatisfaction, and robust offboarding procedures to revoke access immediately. Incorporating these into a holistic insider threat program provides a unified approach to addressing risks before they escalate, safeguarding critical operations and organisational resilience.
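The offboarding gap in Jane’s case (access left active for four weeks after an abrupt resignation) is one that can be checked mechanically. The following is an added example, not Pentagram’s or the article’s code; it assumes a constructed HR separations list and account inventory and flags accounts still enabled after a person’s last working day, rating those used after separation as critical.

```python
"""Offboarding reconciliation check (added example with constructed data).

Compares an HR separations list against an account inventory and reports
accounts that remain enabled after the owner's separation date, the gap
that let Jane's access persist in Case Study 3.
"""
from datetime import date, timedelta

# Constructed HR separations: employee id -> last working day
SEPARATIONS = {
    "E1042": date(2024, 3, 1),   # resigned abruptly, no handover
    "E2077": date(2024, 3, 15),  # planned departure, access revoked
}

# Constructed account inventory: one record per account/system
ACCOUNTS = [
    {"owner": "E1042", "system": "vpn",    "enabled": True,  "last_login": date(2024, 3, 27)},
    {"owner": "E1042", "system": "backup", "enabled": True,  "last_login": date(2024, 3, 28)},
    {"owner": "E2077", "system": "vpn",    "enabled": False, "last_login": date(2024, 3, 14)},
    {"owner": "E3001", "system": "vpn",    "enabled": True,  "last_login": date(2024, 3, 28)},  # current staff
]

def stale_access(separations, accounts, as_of, grace_days=0):
    """Return findings for enabled accounts belonging to separated staff.

    grace_days is the agreed revocation window after the last working day.
    Severity is 'critical' when the account was used after separation,
    otherwise 'high'.
    """
    findings = []
    for acct in accounts:
        left = separations.get(acct["owner"])
        if left is None or not acct["enabled"]:
            continue  # current staff, or already revoked
        if as_of <= left + timedelta(days=grace_days):
            continue  # still inside the revocation window
        used_after = acct["last_login"] > left
        findings.append({
            "owner": acct["owner"],
            "system": acct["system"],
            "days_open": (as_of - left).days,
            "severity": "critical" if used_after else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in stale_access(SEPARATIONS, ACCOUNTS, as_of=date(2024, 3, 29)):
        print(finding)
```

Run daily against the real HR feed and directory export, the "critical" findings are the ones that warrant an incident response rather than a routine access-removal ticket.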
Conclusion
Behaviours such as corruption, insider trading, theft, fraud, conflicts of interest, sabotage, unauthorised use or disclosure of personal information are interconnected manifestations of insider threats. Because insider threats involve people, recognising behaviours in and around the workplace is key to identifying individuals who may be on the pathway to committing an insider threat act. By noticing these behaviours, you could potentially intervene and help prevent actions that could harm both the individual and the organisation.
Addressing these risks requires a comprehensive, integrated approach.
A holistic insider threat program consolidates fragmented initiatives, reducing redundancies and administrative overhead while minimising resource wastage. It delivers measurable benefits, including cost savings, enhanced regulatory compliance, proactive risk mitigation, a culture of trust and engagement, increased organisational resilience, and protection of reputation.
By bringing fragmented processes under a single framework, organisations can safeguard their operations, reputation, and future while achieving significant financial and operational efficiencies. More than a compliance measure, an insider threat program is a strategic investment that aligns cost-effectiveness with resilience and long-term security and enables the organisation to be nimble in response to new threats.
Interested in Learning More? Pentagram’s eLearning Hub offers a range of online courses focused on insider threat mitigation, including step-by-step guidance on establishing an insider threat program and workforce screening. Discover how these courses can help your organisation strengthen risk management, foster collaboration, and ensure compliance with key legislative obligations.