Unpacking AS6174 in relation to Supply Chain Integrity

Author: Paul Curwell

Introduction

Product counterfeiting is a global fraud problem that has been steadily evolving for decades, with no product or industry being immune. In 2015, Frontier Economics estimated “the value of international and domestic trade in counterfeit and pirated goods in 2013 was $710-$917 Billion” (2015). The magnitude of this problem is also reflected in US and EU Customs seizures, which continue to grow (Smith, 2016). Unfortunately, Customs agencies can only seize what they know about, placing the onus on the purchaser to exercise adequate due diligence and supply chain risk management practices.

In 2007, the US Department of the Navy tasked the US Department of Commerce’s Bureau of Industry & Security to conduct an assessment of counterfeit electronics across the US defence industrial base, concluding “all elements of the supply chain have been directly impacted by counterfeit electronics” (2010). Similar findings across other branches of the US Government have triggered a range of Supply Chain Integrity and Security initiatives, one of which is Supply Chain Integrity.

The concept of Supply Chain Traceability

Supply Chain Traceability is critically important as a control to achieve Supply Chain Integrity in safety or high-reliability industries such as Aviation or Healthcare, where the introduction of sub-standard products / components / raw materials (referred to in the standard as ‘materiel’) can ultimately lead to death. Supply Chain Traceability is defined in AS6174 as “having documented history of material’s supply chain history. This refers to documentation of all supply chain intermediaries and significant handling transactions, such as from original manufacturer to distributor” (SAE International, p9), with ‘materiel’ being defined as “material, parts, assemblies and other procured items” (SAE International, p6).


This concept of Supply Chain Traceability presented in AS6174 appears akin to the concept of Supply Chain Integrity introduced by the World Economic Forum in 2012, which identified “four key questions that must be answered at the product level as part of Supply Chain Integrity (Pickard & Alvarenga, 2012):

  • Integrity of Source – did this product come from where I think it did?
  • Integrity of Content – is the product made the way I think it is?
  • Integrity of Purpose – is the product going to do what I think it will do?
  • Integrity of Channel – did this product travel the way I think it did?”

The difference between the approach adopted by AS6174 and that of the WEF report is that the standard is, unexpectedly, much more forensic in the way it approaches the concept. Where the WEF principles differ are in their application, which is broader than anti-counterfeiting, and could easily incorporate Environmental / Social / Governance (ESG) and other Sustainability Risk considerations such as Modern Slavery and Illegal Logging as part of a broader focus on Supply Chain Integrity (World Economic Forum, 2015).

Within AS6174, Supply Chain Traceability aims to address the introduction of Suspect, Fraudulent or Counterfeit materiel into the Supply Chain (SAE International, p6). Before proceeding further, it is worth exploring exactly how the introduction of Suspect, Fraudulent or Counterfeit material into the Supply Chain is possible. From my perspective, there are two starting points to this discussion:

Genuine Materials

Genuine materials are used or supplied by the manufacturer, which are subsequently adulterated or compromised, meaning that a legitimate product (referred to in AS6174 as a ‘conforming product’) is transformed into a ‘non-conforming’ (illegitimate) product at some point in the supply chain before it reaches the end user. The transformation from genuine to non-conforming materiel can occur in the supply chain via at least two methods:

  • Product Diversion – where legitimate product is diverted from the authorised supply chain (Bandler & Burke 2009, Datz 2005), impacting the ability of a consumer to rely on a vendor’s warranties around Authenticity and Conformance (SAE International, pp7-10). This can be through theft, but it can also be as a result of sales to seemingly legitimate customers (e.g. OEMs) where that product is then re-sold or passed to a third party, such as a gray marketer (Shulman, 2012).
  • Product Substitution – where a product, or part of a legitimate product, is substituted with non-conforming material (Guide to…2019). The concept of product substitution can be illustrated with a can of house paint. Imagine a paint can with the uppermost quarter consisting of real paint (i.e. conforming materiel). The remaining three-quarters of the paint can is filled with a substitute, or non-conforming materiel, which does not mix with the real paint and is heavier so it stays at the bottom of the can. When a customer receives the paint and looks inside, or perhaps performs testing on the product, they will likely only see the uppermost layer. Provided a sample is taken from this layer, the sample will test positive (i.e. conform with manufacturer’s specifications) and the substitution will not be detected. Meanwhile, the fraudster who substituted the original for fraudulent product has the opportunity to sell three other cans of paint to unsuspecting consumers for the price of one, less the cost of labelling three unmarked paint cans, pocketing the difference.

Both of the above examples fit the definition of “fraudulent material” under AS6174, which is defined as “suspect material represented to the customer as meeting the customers’ requirements” (SAE International, p6).

Non-Genuine Materials

In the second method, non-genuine materials are used throughout the manufacturing process, resulting in a product that in no way conforms to the specifications or authenticity of the original product itself, other than the application of the victim manufacturer’s Trademarks or branding on the packaging. This is commonly referred to as a counterfeit, or ‘fake’. AS6174 defines counterfeit material as “fraudulent material that has been confirmed to be a copy, imitation or substitute that has been represented, identified, or noted as genuine, and / or altered by a source without legal rights with the intent to mislead, deceive or defraud” (SAE International, p6).

Managing the risks – what does AS6174 suggest?

AS6174 provides guidance across 7 main areas to manage the risks of Suspected, Fraudulent or Counterfeit materiel entering the supply chain. These areas include Product Assurance, Risk Assessments, Contractual Obligations, Purchasing Practices, Traceability Guidance and Reporting / Information Sharing arrangements. The following sections focus in more detail on Product Assurance and the Counterfeiting Risk Assessment. Other elements, such as purchasing and supplier due diligence, will be covered in future posts.

Product Assurance

The purpose of Product Assurance, which effectively involves “confirming the authenticity of materiel or its compliance with manufacturer’s specifications” (SAE International, p27), is minimising the likelihood of non-conforming materiel entering the supply chain. Where it does enter the supply chain, Product Assurance and other elements of AS6174 are designed to facilitate early detection. The standard proposes four elements of any Product Assurance process (SAE International, p27):

  1. Documentation & Packaging Inspection – effectively a review of supplier documentation to trace the history of the product, and a review of the packaging to confirm it meets expectations around conformance with manufacturer’s specifications. As with all fraud prevention processes, the standard suggests verifying the received documents against the source, for example by confirming the accuracy of serial and batch numbers.
  2. Visual Inspection – this involves examining the product using various scientific techniques and conditions for the presence of identification markings or traceability indicators.
  3. Non-Destructive Testing (NDT) – involves a variety of tests including radiological, acoustic, thermographic and optical techniques to check the product conforms to specifications without actually destroying or using the materiel itself.
  4. Destructive Testing (DT) – involves analytical chemistry techniques, deformation and metallurgical tests, exposure tests, and functional tests.

Obviously, the performance of some of the above requires access to specialist equipment and / or knowledge (such as details of manufacturer’s markings applied to help prove the authenticity of a product), which may be beyond the reach of some consumers. In this case, businesses in Australia may consider it worthwhile engaging a NATA-accredited laboratory to perform such testing on their behalf. One key principle of AS6174 is that the design of any framework to minimise and / or detect non-conforming parts be risk-based, informed by the likelihood and consequence of a non-conforming part being introduced into the organisation’s supply chain.

Determining Counterfeit Risk

AS6174 suggests that the steps taken to minimise counterfeits in the supply chain, including the extent to which Product Assurance is undertaken, should be driven by both the likelihood and consequence of any “non-mitigated counterfeit item” (SAE International, p13). This means, for example, that greater steps should be taken to prevent counterfeiting in relation to a helicopter engine part than say a ream of paper in the office. The risk rating from this exercise dictates the “degree of traceability required” for that part in the supply chain.

The first element of any counterfeit risk assessment should involve considering the Likelihood, or probability, of counterfeiting in that product, industry or market. The guidance provided in AS6174 on how to do this is scant, and does not consider the nature of the counterfeiting threat or the attractiveness of counterfeiting a specific part or materiel to fraudsters or organised crime. In a typical security or fraud management context, the risk assessment is preceded by a Threat Assessment, which identifies potential threat actors (e.g. insiders, organised crime) and determines both their Capability to counterfeit the product or materiel and their Intent. This step, which is missing from AS6174, is in my opinion critical to the risk assessment process for any case where the risk is caused by human criminality.

In the absence of performing a threat assessment, it may be possible to rely on informal feedback from others, such as industry groups, competitors or customers, but the quality of their advice is reliant on the processes and tools available to those parties to identify and understand the threat. Given that fraudsters and criminals are financially incentivised to engage in counterfeiting due to the low likelihood of being caught, let alone detected, it is important to remember that history is not a reliable predictor of the future, and that just because something hasn’t happened before does not mean it will not happen in the future. In my experience, all too often these less mature, ad-hoc approaches to understanding threat provide a false sense of security and may mean risks such as counterfeit parts in a supply chain are not detected because people aren’t looking for them, as opposed to them not being there at all.

One other interesting part of the risk assessment relates to “long term materiel availability” (SAE International, p15), or the steps to be taken when a manufacturer stops making something. As part of any Anti-Counterfeiting & Product Protection strategy, manufacturers or Intellectual Property Rights (IPR) Holders will typically perform some degree of market surveillance, to understand where their products are being sold, who the vendor is, and for how much. Market surveillance enables early identification of counterfeit and unlicensed product (e.g. parallel imports) and facilitates a timely legal response. As products become ‘obsolete’, manufacturers often re-allocate market surveillance and IPR enforcement capabilities towards new products. However, this creates opportunities for sub-standard materiel to enter circulation. Products deemed obsolete by the IPR Holder but which retain their after-market value or are subject to consumer demand in a particular region (e.g. developed versus developing markets) can still be subject to counterfeiting, meaning in these cases market surveillance programs may need to become more targeted rather than ceased completely.

Sources

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

Building a media monitoring capability 101

Author: Paul Curwell

Media Monitoring as part of a wider externally-focused risk intelligence capability

Businesses cannot operate effectively without an external listening capability that helps identify current and emerging issues in the operating environment. Competitors, regulatory change, technological innovation, and important developments involving suppliers and key customers have historically been ‘followed’ by businesses everywhere. However, with the rising importance of reputation risk and regulatory compliance, topics such as economic & trade sanctions, corruption, fraud, privacy & security incidents, business interruptions, modern slavery and environmental issues are also being increasingly watched, especially where suppliers or contractors pose a risk ‘by association’ to the buyer.

Our 24/7 news cycle and the global pace of change means it is no longer viable to read the newspaper once a day or occasionally Google a competitor every few months in your spare time to identify changes in your operating environment – media monitoring today needs to be a core part of your risk intelligence capability, employed on a systematic, continuous basis and integrated into other business processes to add value.

Conceptually, media monitoring seems relatively straightforward, but it follows the iceberg principle, with most of the challenges lying beneath the surface. Many organisations struggle with media monitoring when they need to operate across large volumes of search criteria, countries, languages and mediums. Practically speaking, there are also differences between monitoring traditional print, TV and radio channels and social media; this post focuses on traditional channels, whilst social media will be addressed in a future article. The article outlines the key considerations when designing a media monitoring capability, the challenges, what to focus on, and what to do with what you’ve found.

Selecting sources and monitoring tools

The majority of media monitoring programs are run in an ad-hoc manner, without any real understanding of the sources or content of interest. The sophistication of these programs ranges from performing ad-hoc searches in the internet browser to using tools such as Google Alerts and data aggregators. Typically, businesses focus on print media to the exclusion of TV and Radio, despite both having interesting and relevant content (take for example an executive from a competitor being interviewed on the business channel).

The first step in selecting sources involves thinking about what, and who, you want to monitor, and where the content would be published. This ‘where’ is a function of both geography but also industry, as some of the richest coverage might be featured on niche industry platforms. Media monitoring typically focuses either on people or entities, both of which involve name-based searches (e.g. ‘Apple’ or ‘Tim Cook’). Where large numbers of search results are returned, it is normal to use boolean operators to write queries which search for the individual or entity’s name in conjunction with other search criteria, such as ‘strategy’ or ‘fraud’. This process can get quite complex, involving potentially dozens of words of interest (or derivatives of them, such as ‘Crim*’ to search for ‘criminal’, ‘crime’, etc in the same search) in addition to the entity name (i.e. “[name]” and “crim*”).

Media Monitoring Challenges

Licensing and Copyright – news information is subject to copyright, and many IP Rights Owners require their content to be licensed. These costs, and any licensing constraints (e.g. forwarding of a complete article is prohibited without an enterprise license) will require some thought around how any capability is designed, as well as impacting budget.

Syndication – increasingly common globally, syndication has the effect of increasing the volume of search results. Platforms such as Factiva have in-built tools to remove duplicates; however, manual processes (e.g. Google Alerts) may take additional time to process.

Reliability of free tools – free media monitoring tools use a variety of technologies to identify and index content, which can impact reliability. Unlike platform providers, they typically require closer scrutiny to ensure they are performing as intended.

Press Freedom and ‘Right to Forget’ laws – the reliability and coverage of the mainstream media is increasingly being influenced by attacks, government constraints on journalists, and corruption. In other jurisdictions, ‘Right to Forget’ laws mean the subjects of adverse coverage can have articles such as coverage of convictions or imprisonment deleted, impacting historical search results.

Where large volumes of search queries are required and where budgets allow, news aggregators such as Factiva and ProQuest, as well as other specialised industry journals, represent an excellent option provided they have coverage of the content you are seeking. Once you have identified your sources, you should check to see where their content is published as some publications are not covered by aggregators or news syndication services.

As with print media, television and radio content is also searchable via specialised aggregators. Typically these providers will index the content (i.e. note keywords and other search terms), to enable a word-based search to be performed via their portals. Once results are returned, they can then be screened for relevant content. Two examples of television indexes include BBC Monitoring and InformIT TV News.

Case Management: Reviewing, storing and evaluating matches

Media articles or other search results are typically recorded in some sort of ‘case management system’, which can be anything from a register kept in Microsoft Excel to a database or workflow system such as ServiceNow. There are a few steps in this stage of the process, including:

  • Reviewing each returned search result to determine whether it meets your criteria for retention (i.e. is it relevant, timely and actionable in relation to the question you are seeking to answer and is this new information, or is it a duplicate?)
  • Documenting selected fields / information from the article in your case management system – such as names or addresses of parties mentioned
  • Copying details of names, addresses, relationships, events or other reporting which could affect your relationships with key customers, suppliers or employees into a separate database (this is particularly important for fraud prevention and legal disputes)

This raises the question of who is performing the media monitoring, and how well they understand the intended recipients (i.e. their readers or internal ‘customers’). All too often media monitoring is performed by a central team, with consumers in the business being forwarded copies of news articles they have already read or receiving lots of emails that go unopened. Whether the function is performed centrally or by business line, the most important thing is that information is converted to intelligence so it is actually useful.

Whilst media monitoring can be started with the best of intentions, it quickly becomes a waste of time and effort if the generated content is not relevant and actionable to the recipient (i.e. can they actually do something useful with it) and timely (telling them an event has occurred 3 months after they’ve known about it is useless), if the content is not properly curated and searchable as volumes increase, and if the team performing the role becomes seen as a sender of spam.

Actioning what you’ve found

Once you have identified what’s important, the next step is to do something with it. By this stage of your process, you should be left with a number of articles that contain content of interest. In my experience, this is the stage where many media monitoring processes begin to fall apart.

Case Study:

A large bank had implemented a robust media monitoring process to track strategic developments involving competitors and the market. They were actively monitoring multiple channels, saving articles of interest to PDF from print media sources, and uploading them to a Document Library on their intranet (SharePoint). Over time they had thousands of articles containing rich information but it was never extracted and developed into intelligence. To make use of their collection, they had to individually review each search result rather than being able to see what all search results meant in the wider context. In time, it became quicker for users to simply use Google and the whole effort became a complete waste of time.

Media monitoring is only the first capability building block in an external listening process, and if your process relies upon emails or file libraries in a shared folder or on SharePoint, once you hit a certain number of files you will start to encounter data challenges that affect your ability to extract any real value from your media monitoring. To avoid this situation, I recommend you add two steps to the end of your media monitoring process:

Dealing with information about people, events, places and things

Articles with content such as names, incidents, relationships, events and places need to have this information extracted into a structured format (ideally a database but CSV format will also suffice), with the original article attached. Whilst you can use document tags instead of structured content, it is not as effective (1) because you will still need to extract the data into a structured format to properly analyse it, and (2) over time libraries of tags will become unmanageable and you may encounter system limitations. To keep pace with volumes, I find this information most efficiently captured as the article is reviewed, rather than letting everything pile up.
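As an added, constructed illustration (not the author’s tooling or any product mentioned above), the following Python script strings together the steps described in this post: a query of the form “[name]” and “crim*” with wildcard derivatives, a syndication de-duplication check during review, and extraction of selected fields into CSV rows for a case management register. The sample articles, outlet names and register columns are all assumptions.

```python
import csv
import hashlib
import io
import re

# Constructed sample feed (not real reporting). Items 1 and 2 are the same
# syndicated story carried by two outlets with only cosmetic differences;
# item 3 mentions the entity without any term of interest; item 4 mentions
# crime but not the entity.
SAMPLE_ARTICLES = [
    {"outlet": "Daily Example", "date": "2021-03-02",
     "title": "Acme Widgets director charged over alleged procurement fraud",
     "body": "A former Acme Widgets director faces criminal charges after an "
             "investigation into procurement at the company, regulators said."},
    {"outlet": "Regional Wire", "date": "2021-03-02",
     "title": "Acme Widgets director charged over alleged procurement fraud",
     "body": "A former Acme Widgets director faces criminal  charges after an "
             "investigation into procurement at the company, regulators said. "},
    {"outlet": "Trade Journal", "date": "2021-03-03",
     "title": "Acme Widgets opens new distribution centre",
     "body": "Acme Widgets has opened a distribution centre to serve the east coast."},
    {"outlet": "Daily Example", "date": "2021-03-04",
     "title": "Crime statistics released for the quarter",
     "body": "Police released quarterly crime figures showing a fall in burglaries."},
]


def compile_query(entity, terms):
    """Build the boolean query "[entity]" AND (term1 OR term2 ...).

    A trailing '*' on a term is a wildcard, so 'crim*' matches 'criminal',
    'crime' and 'crimes'. Matching is whole-word and case-insensitive.
    """
    def word_pattern(term):
        if term.endswith("*"):
            return r"\b" + re.escape(term[:-1]) + r"\w*"
        return r"\b" + re.escape(term) + r"\b"

    entity_re = re.compile(word_pattern(entity), re.IGNORECASE)
    term_res = [(t, re.compile(word_pattern(t), re.IGNORECASE)) for t in terms]
    return entity_re, term_res


def match_article(article, query):
    """Return the query terms hit, or [] if the article does not match.

    The entity name must appear AND at least one term of interest must
    appear, anywhere in the title or body.
    """
    entity_re, term_res = query
    text = article["title"] + "\n" + article["body"]
    if not entity_re.search(text):
        return []
    return [t for t, rx in term_res if rx.search(text)]


def syndication_key(article):
    """Fingerprint the story text so syndicated copies collapse to one key.

    Outlet and date are deliberately excluded; whitespace and case are
    normalised because syndicated copies usually differ only cosmetically.
    """
    raw = (article["title"] + " " + article["body"]).lower()
    normalised = re.sub(r"\s+", " ", raw).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def run_monitoring(articles, entity, terms):
    """Screen a feed and return one register row per unique matching story."""
    query = compile_query(entity, terms)
    seen = set()
    rows = []
    for art in articles:
        hits = match_article(art, query)
        if not hits:
            continue  # not relevant to this entity / question
        key = syndication_key(art)
        if key in seen:
            continue  # syndicated duplicate of a story already retained
        seen.add(key)
        rows.append({
            "date": art["date"],
            "outlet": art["outlet"],
            "entity": entity,
            "terms_hit": ";".join(hits),
            "title": art["title"],
            "story_id": key[:12],
        })
    return rows


def rows_to_csv(rows):
    """Serialise register rows as CSV text for a spreadsheet or database import."""
    fields = ["date", "outlet", "entity", "terms_hit", "title", "story_id"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(run_monitoring(SAMPLE_ARTICLES, "Acme Widgets", ["crim*", "fraud"])))
```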

These sorts of articles typically relate to issues such as a key customer’s or supplier’s financial solvency, highlight relationships between employees and a supplier or customer (i.e. conflicts of interest or fraud risks), or concern legal disputes which might disrupt the supply chain. Consequently, the typical audience for this information will be finance / procurement, legal, audit, risk and compliance.

Articles of a strategic nature

In contrast to information about people, places and things, information of a strategic nature (e.g. articles on regulatory change, interviews given by a competitor on their new product) should be compiled into a separate document or ‘wiki’. Environmental Scanning is a common technique used in the strategic analysis and intelligence communities and is ideal for compiling and analysing this type of content, and will be covered in a future post.

The key difference between strategic information and that of people, places and things is the way it is used – it is mainly employed by strategy teams, product managers, or in other planning activities rather than more operational tasks, hence it needs to be reviewed less frequently. Strategic information is typically reviewed in the context of other strategic information or when making specific decisions.

Optimising your capability

The last step in developing any capability is to periodically evaluate its performance. For a media monitoring capability, this means running separate searches to ensure you haven’t missed anything with current search criteria (have you had consumers in the business ask about something you didn’t pick up?), ensuring that sources are reliable and credible and that search parameters are current, and that your downstream processes in terms of storing, evaluating and reporting remain valid.

Further reading


HUMINT cycle and the recruitment of insiders

Author: Paul Curwell

Introduction

Employees are an organisation’s most important asset: they are what enables organisations to generate value, respond to opportunities and threats in the operating environment, and create a positive culture which attracts other would-be employees and potential customers. Employees are also crucial to security: when conditions are right, employees help build a positive security culture which enables management to quickly identify and respond to security threats.

In the same manner that security would not be necessary if people did not exist, a security program cannot be successful without the support and active participation of its employees. It goes without saying then that an employee who ‘goes rogue’ and becomes malicious (i.e. intends to do harm), or an employee who doesn’t care about their employer or its security practices (i.e. a complacent employee) can do real harm if approached by an external individual or group wishing to gain ‘inside access’ to the organisation and its assets.

What is the HUMINT cycle and who uses it?

Human Intelligence, or HUMINT, techniques are an example of the tactics typically deployed in this scenario to exploit human vulnerabilities. HUMINT refers to the collection of intelligence by humans – principally spies and agents using methods that involve 1:1 contact.

The HUMINT cycle involves four main steps (illustrated below) which might commence with a broad scan of all employees at an organisation, for example, but rapidly narrow down to one or more individuals with both (1) the access to the desired assets or information and (2) the personal characteristics or ideological sympathies which make them amenable to recruitment (see Sano, 2015).

Importantly, undertaking HUMINT and the use of HUMINT techniques is not limited to governments, but is also commonly employed in business by ‘competitive intelligence’ practitioners or ‘Private Intelligence Collectors’. ‘Private Intelligence Collectors’ and unscrupulous competitive intelligence professionals often use HUMINT techniques, as well as any other intelligence collection mediums in their toolbox, to collect confidential information that will either be sold to another party (such as the highest bidder) on commission, or which is collected under the paid instruction of the intended recipient.

For a classical HUMINT example, consider a woman who seduces a male chemist at a pharmaceutical company to provide, or facilitate access to, details of a new blockbuster drug compound under development by the pharmaceutical company (referred to in the trade as a ‘honey trap’). Other threat actors who use HUMINT techniques include organised crime groups, issue motivated groups and terrorists.

How can the HUMINT cycle be leveraged for insider threats?

Once the HUMINT collector has identified (spotted) their target, they begin engaging with them to build a rapport and develop a relationship. Importantly with HUMINT, it may not be necessary to actually recruit the target (or someone who has access to the ultimate target) in order to achieve their objective. In some instances, the required information can be obtained without the need for a formal and risky recruitment pitch.

It is particularly important to incorporate these learnings into any insider threat awareness training, as employees who are aware of the steps taken by HUMINT collectors are more likely to be alert to them, and to be able to seek help early. Examples of ways (vectors) HUMINT collectors might obtain the information they require can include:

  • Infiltration – getting an ‘agent’ or sympathiser of the HUMINT collector (or their cause) into the organisation through standard recruitment processes, as a contractor, or via a supplier
  • Elicitation – refers to techniques used by HUMINT collectors to obtain information from a target without them knowing or realising it, which results in them volunteering the information rather than being asked directly
  • Social engineering – involves the use of deception to manipulate someone into disclosing confidential information, either in a business or personal context
  • Spear Phishing and Phishing scams – can involve the use of legitimately-appearing emails (or even SMS messages, in the case of vishing) to introduce malware into an otherwise secure computer network, allowing later exfiltration of that information. Unlike Phishing which is more general, Spear Phishing is highly targeted and focused on an individual with access to the target, such as a senior executive

There are a variety of forums in which HUMINT collectors operate, including via ‘official’ or business events, and through personal social interaction. These might include:

  • Conferences and trade shows
  • Professional Associations
  • Clubs and social associations
  • Universities
  • Social Media platforms
  • Emails
  • Unsolicited phone calls

When performing any insider threat or security related risk assessments, organisations need to consider what their most critical assets are, who might be interested in them, and how they might obtain them (i.e. what forums, mediums or platforms). Once this is thoroughly understood, awareness training and incident reporting mechanisms can be clearly established and targeted.

What can organisations do to manage this threat vector?

Complacency is a big driver of insider threat incidents, so it is critical that organisations develop a good security culture and that ‘at risk’ employees have a good understanding of the threats and tactics which may be used against them.

The regular use of security awareness training across the organisation as a whole, supported by targeted training for ‘at risk’ teams, is critical to ensuring these threats remain front of mind.

Staff in ‘at risk’ teams, as well as managers, should be familiar with insider threat behavioural indicators which can suggest an employee or contractor is experiencing some difficulty in their personal life, which might make them vulnerable to exploitation. Early identification of these problems, when raised properly (such as through employee wellbeing programs), might mitigate these risks.


Good security culture is also critical for organisations, ensuring employees understand why security is important, what the threats may be to their organisation, and what they can do to help protect their organisation. For employees to play their part, they often also need to feel trusted and engaged with their employer, otherwise complacency may set in and potential threats selectively ignored.

The preceding paragraphs focus on what organisations can do to mitigate insider threats once the individuals concerned are already in the organisation (i.e. employed or contracted). Equally important, however, is the use of employment screening (‘background investigations’ or ‘background checks’) to prevent individuals with vulnerabilities or unwanted character traits from joining the organisation in the first place. Any discussion on background checks is an article in itself and will be addressed in a future post; readers who want more detail (including a model process) can read the chapter on ‘due diligence’ in my recent book co-authored with Oliver May.

Further Reading

Sano, J. (2015). The Changing Shape of HUMINT, AFIO’s Intelligencer Journal, Vol. 21, No. 3, Fall/Winter 2015. www.afio.com

DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.

When values collide: employee / employer values conflicts as a source of insider threat

Author: Paul Curwell

In this article, we will discuss the important topic of employee / employer values and how they impact workplace culture.

The role of employee / employer values in the workplace

Within any organisation, it is typical to find employees with a diverse range of views on all manner of political and social issues. The rise of social media has made it easier for us to share our views, both inside and outside of the workplace, creating the potential for employees to post material or views which may conflict with their employer’s policies, contract of employment, or even their fiduciary duties as an employee. Additionally, we are in an era of increasing global consciousness around big-ticket items, such as climate change, corruption and personal freedoms (e.g. Arab Spring) and social / economic equality (e.g. Occupy Wall Street), which are serving to rally people behind a cause.


Importantly, there is nothing wrong with each of us having these views and sharing them appropriately, such as in public debate. However, in my view it is inevitable that at some point conflict will arise between an employee and their employer unless they are broadly aligned in terms of views and values. As an individual and as a people leader, I have always maintained that it is essential for employees to be able to identify with the values and mission of their employer; otherwise employee engagement and satisfaction will decline.

Values can also change over time, and it may be that the values alignment which existed upon commencement of employment is not there some years later. Increasingly in Australia, we are seeing cases where employees or contractors disagree with fundamental positions of their employer, and are proactively doing something about it which is in breach of their legal obligations to their employer. This activity constitutes an ‘insider threat’ which needs to be managed carefully.

So what sort of issues are we referring to here?

The landscape of these causes is continually evolving as society evolves. Historically, those groups with a tendency to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important have been referred to as “issue motivated groups” (IMGs), however I note this term is no longer mentioned in recent annual reports or in the ASIO Act. In 2011, the then Director-General of Security, Mr David Irvine AO, defined it as follows in response to a question posed within the Australian Parliament:

“Issue motivated groups is a term we use within ASIO to describe those groups who conduct activities that might lead to violence or to activities that are prejudicial to security”

Mr David Irvine AO, 18 October 2011. See below for full citation.

Every single human is an individual, and we all express a diversity of views, which makes our global society what it is today. There is nothing wrong with each of us having our own views, but it gets complicated in terms of insider threats when (1) our views put us in direct conflict with those of our employer, or (2) we start to use violence or extreme violence (e.g. methods commonly associated with terrorist acts) to promote our causes. This form of insider threat is particularly pernicious given the potential ways an insider threat can manifest, including:

  • Workplace sabotage – either to data, systems, physical assets, or reputation, with the aim of having the organisation stop doing something or to draw public attention to it
  • Information leaks / unauthorised disclosure – including providing information on business activities, staff movements, senior staff personal details (e.g. home addresses), or security measures which would make the organisation more vulnerable to attack
  • Espionage-like activities – where the employee is effectively a mole or plant willing to act on the instruction of an external party. This includes the intentional infiltration of highly motivated threat actors into an organisation through the recruitment process or supply chain
  • ‘Soft issues’ – such as ‘go slows’ (e.g. inaction) in the workplace, which effectively means the employer is hindered in achieving its objectives by its workforce

This challenge is not limited to employers and their contractors; it is also pervasive throughout the supply chain, which substantially increases an organisation’s vulnerabilities, as illustrated by this quote:

Ben Pennings from Galilee Blockade said they now had almost “too much information” from insiders after their “dob in a contractor” campaign.

Robertson, J. (2019). Adani mining insider reveals she is leaking material to environmental activists, ABC News. See below for full citation.

Often, contracting organisations (employers) limit the scope of their involvement in or oversight of their suppliers’ security to a few lines in a contract, stating that the supplier should have a security or risk management program. Mature organisations will prescribe security standards for their suppliers, and even more mature organisations will audit compliance with those standards through standard vendor auditing programs.

So what types of causes have historically attracted this type of focus?

The spectrum of causes and issues which can result in insider threats of this nature is broad and constantly evolving. Examples of some of these issues include:

  • Environmental protection and climate change
  • ‘Right to life’ movements
  • ‘Occupy Wall Street’
  • Social equality movements
  • Animal rights and animal testing
  • Fossil fuels

To reiterate once again, before a reader shoots me down: there is nothing wrong with exercising your democratic rights to freedom of speech and peaceful protest. This does become an issue, however, when violence or other criminal acts are involved, including within the workplace. Typically these sorts of issues can be plotted on a spectrum, and an employee may move from left to right (and back again) on this spectrum over time as their views and the actions of their employer evolve. My interpretation of this spectrum is illustrated below:

Created by Paul Curwell (2021), copyright.

Organisations which are involved in socially or politically contentious policies or activities will almost certainly know this, but it is common to find these considerations not incorporated into a threat or risk assessment. Even rarer is consideration of these matters within vendor contracts and supply chain risk assessments.

Any work performed in this area should have oversight from a diverse management committee and not be driven by a security function alone. Whilst a security team might have the best of intentions and undertake work in this area that is fair and balanced, the perceptions of those not involved in the process may be different, which could undermine the outcome and ultimately have a detrimental effect on employee satisfaction and performance more broadly.

What can organisations do to manage this issue?

Firstly, it is important that employers have clear policies and guidance available for staff (and suppliers) on these matters, and that these are regularly communicated and fairly enforced. To maximise employee support, transparency and employee consultation on any new policies are critical. These principles are standard for any workplace policy. Policies should extend to conflicts of interest (actual and perceived) for employees, particularly those who are active outside of work in forums or associations where they are exercising their democratic rights. These employees, in particular, need clear guidance and management support to ensure they do not unintentionally stray into the orange zone of the spectrum (see above). It is also important that employers develop and clearly communicate a policy and framework for how any workplace incidents will be managed.

Secondly, employers need to have a clear understanding of the risks including:

  • Assets (information, people, systems, facilities, products, reputation) that need protecting
  • What the risks actually are and how they may manifest
  • The likelihood of them manifesting, which will change over time and therefore require regular oversight
  • The coverage of internal controls and the effectiveness of these controls (i.e. are there gaps and do these gaps create unacceptable vulnerabilities)
  • Whether any teams or unique positions are more at risk than others. For example, someone with strong views who is not in a position to do harm in the workplace may need to be managed differently to someone with strong views who is in a position to do harm

Thirdly, insider threat management starts before the employment contract is signed and continues after an employee or contractor has left the organisation, until the potential for harm can be satisfactorily reduced. This means:

  • You need to consider this risk when designing your Employment Screening / Employee Due Diligence program.
  • Employee Screening should be undertaken before a contract of employment is issued, periodically during employment (e.g. annually), in response to a workplace incident or other trigger (i.e. by exception), and upon termination of employment (to understand what, if any, risks the recently departed employee may pose).
  • Don’t forget that suppliers, vendors and contractors pose similar risks (potentially greater ones if they have access to critical assets / processes and no oversight). This requires consideration from vendor selection through to contracting, operations, and termination of a supplier contract.
  • Insider Threat Detection programs need to be designed to focus on critical assets and the organisation’s highest risks. Not all parts of an organisation may require the same control coverage or risk mitigation.
  • Independence may be critical to ensuring employee support on key initiatives such as ongoing due diligence. You may need to use an independent, objective third party to perform your due diligence to ensure only those findings involving employees which are material to any threat assessment make it onto an employer’s records.
  • Employers should ensure they, and any service providers, comply with the Privacy Act 1988 (Cth) and its Permitted General Situations (Chapter C) when performing this work.

Lastly, ensure your Insider Threat Program incorporates views from a diverse range of stakeholders. The need for this diversity highlights the importance of having an Insider Threat Management Committee made up of representatives from different functional areas, including the business and centre functions such as HR, legal, IT and security, rather than actions being driven by security or fraud functions alone.

Further Reading
