The risk profile of any business is never a one-size-fits-all model. Chief Risk Officers (CROs), Chief Security Officers (CSOs) and other upper management personnel spend countless hours and resources convincing the C-Suite and stakeholders that investing in specific physical and cyber security countermeasures delivers a positive return on investment. That investment fulfils a duty of care not only toward the organization's greatest asset, its employees, but also toward something that, once tarnished, can be very difficult to reclaim: reputation.
As a contract security manager for over 20 years, I have been privileged to be integrated with a team of frontline security professionals across a diverse portfolio. Whether the contract be the protection of multi-million-dollar aircraft, executive protection, or fixed assets such as class A corporate buildings, there always needs to be a harmonious understanding between the frontline security and the security technology and access control systems to properly protect the principal (i.e., client/business).
Emerging technologies are an inevitable part of society and will only continue to become more fascinating (or frightening, depending on whose hands they fall into and whether they are exploited). However, because new physical security technologies are created and operated by the human factor, namely security departments and their security officers, there must be guidelines, guidance, and maintenance to ensure that the investment succeeds in its intended purpose. Moreover, businesses and their leaders need to understand what these countermeasures are protecting against and what impact a failure of those countermeasures could have.
Cyber criminals and their unscrupulous intentions are the most contemporary and prevailing threats facing businesses, because of the ease and anonymity with which their attacks can be carried out. Social engineering has become as easy, if not easier, for most cyber criminals than a physical snatch-and-grab of merchandise. The attacks do not stop at the end of the business day. Thanks to the ease and accessibility of technology, paired with mild ignorance or gullibility on the part of targets, social engineering attacks can come in many forms.
Just as individuals in their personal lives receive malicious files that may be part of a phishing attack, cyber criminals send businesses emails carrying malicious files that can lock a business out of its own systems until a ransom is paid. One of the best training representations of this is “Anatomy of an Attack,” from Cisco in 2017, which showed the viewer the ease with which an impetuous click of the mouse can topple an organization overnight. Even now in 2025, with ransomware still a relevant issue alongside threats involving deepfakes, cybersecurity countermeasures must keep pace with the exploits they are meant to counter.
Insider threat attacks make up a large portion of the prevailing threats in the contemporary global business market. Viewing the possible threats to businesses and their employees only from the outside is seeing just half the picture. Granted, outside human threats, whether politically or religiously motivated or stemming from other causes such as intellectual disability, all pose potential hazards to the well-being of organizations; however, possible or suspected insider threats should not be dismissed. Three of the most relevant insider threats for organizations to examine, and to train their security teams and employees on, are:
Negligent
This form of insider threat is often dismissed as accidental; however, it should not be dismissed as such. Employees are human and have the same needs as anyone else: meals, accommodations, and transportation are all services that someone must provide. With in-house positions becoming scarcer and contracted/vendor services more prominent, many outside individuals come into direct and indirect contact with details of an employee's or, at times, an executive's routine. For instance, what if a member of the C-Suite has a food allergy and that information has not been passed on to the vendor preparing the executive's meal, or electrical work is being done near the C-Suite during an annual meeting and cuts off power to the floor? This is where clear, concise, and constant communication comes in.
Complacent
Complacent insider threats involve those directly or indirectly involved with the business' employees and C-Suite taking protocols too lightly or, for lack of a better word, not caring. This can include, but is not limited to:
- Leaving sensitive information out and available.
- Lending a badge to someone, or swiping them through a turnstile.
- Noticing an unsecured entry point or a break in the protective perimeter and procrastinating on its repair.
The list of examples is as long as the list of expectations that the employee, the executive, and their organization have set. Furthermore, complacency can increase where there is high turnover or inadequate compliance auditing and training. Much like negligent insider threats, complacent insider threats can be mitigated through training, communication, and audits. Pride also contributes to complacency. This may take the form of a security detail hosting the same principal year after year at the same venue without researching the current threat landscape or familiarizing itself with the principal's organizational enterprise risk management (ERM) or enterprise security risk management (ESRM) structure.
Malicious
Finally, this form of insider threat receives the most mitigation effort because of the knowledge and access that an insider with malicious intent possesses. Insider threat attacks can cripple anything from critical infrastructure to an organization's reputation. The motive can range from personal profit to the grievances of a disgruntled current or former employee. Numerous countermeasures may be set up to combat this; however, two of the biggest mitigators are background checks and monitoring for red flags raised by those who may be considered a threat to the organization.