When values collide: employee / employer values conflicts as a source of insider threat

Author: Paul Curwell

In this article, we will discuss the important topic of Employee Employer Values and how they impact workplace culture.

The role of employee / employer values in the workplace

Within any organisation, it is typical to find employees with a diverse range of views on all manner of political and social issues. The rise of social media has made it easier for us to share our views, both inside and outside of the workplace, creating potential for employees to post material or views which may conflict with their employer’s policies, contract of employment, or even their fiduciary duties as an employee. Additionally, we are in an era of increasing global consciousness around big-ticket items, such as climate change, corruption and personal freedoms (e.g. Arab Spring) and social / economic equality (e.g. Occupy Wall Street), which are serving to rally people behind a cause.


Importantly, there is nothing wrong with each of us having these views and sharing them appropriately, such as in public debate. However, in my view it is inevitable that at some point, conflict will arise between the employee and their employer unless they are broadly aligned in terms of views and values. As an individual and as a people leader, I have always maintained it is essential that employees be able to identify with the values and mission of their employer, otherwise employee engagement and satisfaction will decline.

Values can also change over time, and it may be that the values alignment which existed upon commencement of employment is not there some years later. Increasingly in Australia, we are seeing cases where employees or contractors disagree with fundamental positions of their employer, and are proactively doing something about it which is in breach of their legal obligations to their employer. This activity constitutes an ‘insider threat’ which needs to be managed carefully.

So what sort of issues are we referring to here?

The landscape of these causes is continually evolving as society evolves. Historically, those causes with a tendency to commit crimes (sometimes serious crimes such as murder) in the name of what they feel is important have been referred to as “issue motivated groups” (IMGs), however I note this term is no longer mentioned in recent annual reports or in the ASIO Act. In 2011, then Director General of Security, Mr. David Irvine AO, defined it as follows in response to a question posed within the Australian Parliament:

“Issue motivated groups is a term we use within ASIO to describe those groups who conduct activities that might lead to violence or to activities that are prejudicial to security”

Mr David Irvine AO, 18 October 2011. See below for full citation.

Every single human is an individual, and we all express a diversity of views which makes our global society what it is today. There is nothing wrong with each of us having our own views, but it gets complicated in terms of insider threats when (1) our views put us in direct conflict with those of our employer, or (2) we start to use violence or extreme violence (e.g. methods commonly associated with terrorist acts) to promote our causes. This form of insider threat is particularly pernicious given the potential ways an insider threat can manifest, including:

  • Workplace sabotage – either to data, systems, physical assets, or reputation, with the aim of having the organisation stop doing something or to draw public attention to it
  • Information leaks / unauthorised disclosure – including providing information on business activities, staff movements, senior staff personal details (e.g. home addresses), or security measures which would make the organisation more vulnerable to attack
  • Espionage-like activities – where the employee is effectively a mole or plant willing to act on the instruction of an external party. This includes the intentional infiltration of highly motivated threat actors into an organisation through the recruitment process or supply chain
  • ‘Soft issues’ – such as ‘go slows’ (e.g. inaction) in the workplace, which effectively means the employer is hindered in achieving its objectives by its workforce

This challenge is not limited to employers and their contractors; it is also pervasive throughout the supply chain, which substantially increases their vulnerabilities, as illustrated by this quote:

Ben Pennings from Galilee Blockade said they now had almost “too much information” from insiders after their “dob in a contractor” campaign.

Robertson, J. (2019). Adani mining insider reveals she is leaking material to environmental activists, ABC News. See below for full citation.

Often, contracting organisations (employers) limit the scope of their involvement or oversight in their suppliers’ security to a few lines in a contract, stating the supplier should have a security or risk management program. Mature organisations will prescribe security standards for their suppliers, and even more mature organisations will audit this compliance through standard vendor auditing programs.

So what types of causes have historically attracted this type of focus?

The spectrum of causes and issues which can result in insider threats of this nature is broad and constantly evolving. Examples of some of these issues include:

  • Environmental protection and climate change
  • ‘Right to life’ movements
  • ‘Occupy Wall Street’
  • Social equality movements
  • Animal rights and animal testing
  • Fossil fuels

To reiterate once again before a reader shoots me down, there is nothing wrong with exercising your democratic rights to freedom of speech and peaceful protest. This does become an issue, however, when violence or other criminal acts are involved, including within the workplace. Typically these sorts of issues can be plotted on a spectrum, and an employee may move from left to right (and back again) on this spectrum over time as their views and the actions of their employer evolve. My interpretation of this spectrum is illustrated below:

Created by Paul Curwell (2021), copyright.

Organisations which are involved in socially or politically contentious policies or activities will almost certainly know this, but it is common to find these considerations not incorporated into a threat or risk assessment. Even rarer is consideration of these matters within contracts with vendors and supply chain risk.

Any work performed in this area should have oversight from a diverse management committee and not be driven by a security function alone. Whilst a security team might have the best of intentions and undertake work in this area that is fair and balanced, perceptions of those not involved in the process may be different which could undermine the outcome and ultimately have a detrimental effect on employee satisfaction and performance more broadly.

What can organisations do to manage this issue?

Firstly, it’s important that employers have clear policies and guidance available for staff (and suppliers) on these matters, and that they are regularly communicated and fairly enforced. To maximise employee support, transparency and employee consultation for any new policies are critical. These principles are standard for any workplace policy. Policies should extend to conflicts of interest (actual and perceived) for employees, particularly those who are active outside of work in forums or associations where they are exercising their democratic rights. These employees, in particular, need clear guidance and management support to ensure they do not unintentionally stray into the orange zone of the spectrum (see above). It is also important that employers develop and clearly communicate a policy and framework for how any workplace incidents will be managed.

Secondly, employers need to have a clear understanding of the risks including:

  • Assets (information, people, systems, facilities, products, reputation) that need protecting
  • What the risks actually are and how they may manifest
  • The likelihood of them manifesting, which will change over time and therefore require regular oversight
  • The coverage of internal controls and the effectiveness of these controls (i.e. are there gaps and do these gaps create unacceptable vulnerabilities)
  • Are there any teams / unique positions that are more at-risk than others? For example, someone with strong views but who is not in a position to do harm in the workplace may need to be managed differently to someone with strong views who is in a position to do harm

Third, insider threat management starts before the employment contract is signed and continues after an employee or contractor has left the organisation until the potential for harm can be satisfactorily reduced. This means:

  • You need to consider this risk when designing your Employment Screening / Employee Due Diligence program.
  • Employee Screening should be undertaken before a contract of employment is issued, periodically during employment (e.g. annually), in response to a workplace incident or other trigger (i.e. by exception), and upon termination of employment (to understand what, if any, risks the recently departed employee may pose).
  • Don’t forget suppliers, vendors and contractors pose similar risks (potentially more if they have access to critical assets / processes and no oversight). This requires consideration starting with vendor selection through to contracting, operations, and termination of a supplier contract.
  • Insider Threat Detection programs need to be designed to focus on critical assets and the organisation’s highest risks. Not all parts of an organisation may require the same control coverage or risk mitigation.
  • Independence may be critical to ensuring employee support on key initiatives such as ongoing due diligence. You may need to use an independent, objective third party to perform your due diligence to ensure only those findings involving employees which are material to any threat assessment make it onto an employer’s records.
  • Employers should ensure they, and any service providers, comply with the Privacy Act 1988 (Cth) and its Permitted General Situations (Chapter C) when performing this work.

Lastly, ensure your Insider Threat Program incorporates views from a diverse range of stakeholders. The need for this diversity highlights the importance of having an Insider Threat Management Committee made up of representatives from different functional areas, including the business and center functions such as HR, legal, IT and security, rather than actions being driven by security or fraud functions alone.

Further Reading
