The enemy from within


Among security managers, the first association with the term "enemy" would be "terrorist." A figure of nameless and faceless attacker. An outside enemy.


Most secure bodies, probably the ones among them, signal the enemy from the outside and formulate a security plan that provides protection against the plethora of threats derived from it. A basic rule is to 'face out' in an attempt to locate the suspect or exception, and the lines of defense function accordingly - a scouting watch guard, a viewer focal point, physical shielding, controlled entry procedure, etc. The enemy is out and should be left there.


On the other hand, there is also a potential enemy that receives less attention, in the range between minimal and zero - the enemy from within. Dealing with a potential enemy from the inside is harder, mentally and even emotionally. He has a name, a face, and even a personal connection. It is difficult to attribute a risk potential to a person they meet every day, go out with him for a casual cigarette, invite to a daughter's wedding.


True, there are secure entities where the first attribution threat in the list draws the spotlight on the potential enemy from within and resources are allocated accordingly, but also with different risk management and priorities (financial, technological, etc.). From a holistic view of the security field, it is clear that this angle is neglected in relation to the potential damage.

What is the potential damage? The Global Association for Fraud Investigators (ACFE) has released data stating that organizations that they suffer from internal fraud are around five percent of total profits each year. This data should be refined to reflect only stated and recognized damages. The true figure is probably even higher. In some organizations or circumstances, such damage is an existential threat. In many cases, the fraud is discovered only too late, leaving the organization to bleed during its dying days.


Besides the direct economic damage, in many cases, image damage is also accompanied. Try to imagine a case where a night watchman in an office building enters one of them during the tour and rummages in drawers, even without taking anything from them. Try to imagine a case where a logistics center stacker takes home one item daily, for years. Try to imagine a case where a developer in a development company sells one customer code to a competitor. The basic trust between the parties (also the third party) was violated and broken, and it is unlikely to be repairable. An organization that is capable of absorbing economic damage will also find it difficult to repair image damage.

Given the potential for damage, the security plan should also treat the enemy from within. It is the responsibility of the Security Director to recognize this threat as well and to provide protection against it.


Who is the enemy on the inside? The options are many as the people associated with the organization and hold sufficient levels of access and trust - employees and even providers. The risk potential is relevant and variable for each and every given day. Subsequently, the process of integrity testing and controls is required to begin the initial relationship between the organization and the person. From the interview phase, through continuous escort throughout the period, especially entering new positions or receiving new privileges, into its final day.


The Security Director, or the organization's internal fraud investigator, is required to examine the "triangle" (by Donald Crissy) - three characteristics that increase the risk of internal threat:


  1. Stress - Various causes such as financial distress, fear of losing a job or loss of reputation, victims of extortion, etc.

  2. Opportunity - access and trust that provide roles, privileges and even seniority or personal relationships. Internal organizational changes that precede the initiation of procedures and controls and thus create loopholes.

  3. Rationalization - Internal justification of the fraud act, such as "I deserve a higher salary" or "I steal from the company that steals from its customers" and so on.


The organization has only high control over the second characteristic - the opportunity. Proper construction of the recruitment and promotion process (interviews, web tests, recommendation calls, questionnaires, reliability checks, polygraph tests, etc.), alongside implementation of procedures and controls, will be protection in this aspect. Opportunity will be minimized. On the other hand, the other characteristics require high alertness and attentiveness. Signs of one or more of the features of the fraud triangle require immediate response in an attempt to verify or stir the suspicion.


At this point, Assage and Emphasis - the vast majority of people are normative and innocent, but like searching for suspicious signs among a particular audience, the goal is to find the one with the risk of the rest. Integrity tests and controls should be part of organizational culture, as opposed to a one-point process that suspects and stains one person. Like checking files at the mall entrance - policies and standards must be formalized, and then people will accept them with understanding and agreement, without concern that they have been personally suspected. The process of integrity testing and controls must prove transparent, fair and respectful.


In summary, the responsibility of the security manager is stretched, nowadays where technology opens new holes frequently, even for protection from inside enemies, from home. This is a deviation from the classic boundaries of traditional physical security, but the role of security manager in organizations is gaining more and more volume, and that should be welcomed.