People risk management and operational resiliency

Ask security leaders or senior managers what they worry about most, and the answer will probably be “people.” This will be all the more true this year, as the root of those worries becomes amplified by the risks posed not just to our people, but from them to the organization as well.

Operational resiliency (OR) is an organization’s ability to navigate and thrive through myriad challenges that threaten organizational objectives. Achieving OR is not an endgame, but a journey. People are the solution to achieving it, but they also are its biggest obstacle.

An “insider threat” is generally regarded as any threat that an employee or contractor poses to the organization, whether wittingly or not, by leveraging unique knowledge or access to practices, data or systems. While insider threat is usually considered to be related to cybersecurity, the concept is just as relevant when applied to other asset categories. Because the potential for insider threat is rapidly increasing, an integrated, cross-functional team is key when developing a framework for protecting the organization’s people, resources, profits, objectives and assets.

Let’s consider the most likely ways organizations can be impacted by threats from their own people in 2022.

MENTAL HEALTH WELLNESS

Threats: Absenteeism, Impeded Productivity, Employee Turnover

Solutions: Foster a positive, supportive work environment and proactively sense behaviors.

Teams required: HR, EHS, Legal, Security

Roughly 23% of American adults reported experiencing mental health issues in 2020, according to Mental Health America. This was reported to be a 40% increase over 2019. Anxiety and depression increased 93%. For most Americans, 2021 was just as challenging as the previous year, if not more, and employees are bringing those stresses back to the workplace with them.

Many companies have seen success with mental wellness programs or similar initiatives that normalize the discussion surrounding mental health. Often, these programs leverage existing benefits — like employee assistance program (EAP) hotlines, team building, events and positive messaging — that cost the company little incremental budget but bring a considerable return in employee safety, productivity and retention. One example is Jacobs Engineering, which invested $2 million in these programs in 2019 and reported a return of more than $8 million in improved health and productivity of their workforces.

ACTIVE THREAT AND WORKPLACE VIOLENCE

Threats: Irreparable Danger to Lives, Safety, Objectives and Reputations

Solution: Prepare for the worst when it comes to workplace violence.

Teams required: Sites/Facilities, HR, Police or Law Enforcement, Security

The motivations may be personal, political or professional in nature, and the targets can be an individual or a group and be triggered by an event or simply a perception, but active shooter situations or threats and workplace violence can derive from employees carrying out their grievances at the workplace. Often, active shooters exhibit a noticeable change of behavior in the weeks beforehand, and some have told at least one person of their plans. Thus, there may be some hints for detecting the potential for an active shooter event.

That’s why many organizations are finding the best course of action is to foster an environment that is proactive rather than reactive. Mental wellness programs, like those noted above, are a start. Other effective measures include better communication on the issue and repeated training. According to Gun Violence Archive, there were 693 mass shootings and 44,828 gun violence deaths in the United States in 2021. Every one of these incidents opens the door to messaging from management that encourages employees to seek support during these increasingly stressful times.

Active threat response training led by local law enforcement is also crucial. When the Oxford High School shooting happened in Michigan in November 2021, the students and faculty were trained in life-saving measures and many knew what to do (barricade themselves in classrooms, hide and jump out of windows when appropriate). “The

school made sure that we knew where to go, who to call and how to act…If we didn’t have this [active shooter] training I don’t know what would have happened,” Eva Grondin, a 15-year-old sophomore, told the New York Times.

Similar to repeated fire drills, these scenarios should be practiced two to three times per year to ensure everyone understands the “avoid, deny, defend” actions that are their best path to safety.

CYBERATTACKS

Threats: Fraud, Theft, Espionage, Sabotage

Solutions: Increased sensing and threat detection and an advanced understanding of objectives and vulnerabilities can prevent cyberattacks.

Teams required: IT, Security, R&D, HR, Sales, Finance, Supply/Logistics

Cyber threats have become so pervasive that it is almost impossible to measure the actual impact. Experts anticipated the global cost of cybercrime to be $6 trillion for 2021, and that doesn’t include attacks that go unreported or have yet to be calculated. For U.S. companies, IBM Security and Ponemon Institute issued a joint report indicating the average cost of a breach to be about $4.2 million. There are also the insurance increases, reputational damage, ramifications with consumers and other stakeholders, long-term loss of competitive advantages when sabotage and copycats occur and countless other ripple effects. According to a Verizon report published last year, 60% of small- and medium-sized businesses close permanently within six months of a cyber incident. There is also, of course, the harm caused to individuals when their personal information is stolen.

Though IT cannot be expected to have a crystal ball — and the bad actors are becoming more sophisticated and better funded — there are ways to ensure security teams are better equipped. Educating staff, conducting audits and fighting technology with technology are the foundation. Employing integrated teams that federate data on changes in policy, new initiatives and objectives give IT and cybersecurity teams a more robust understanding of where future vulnerabilities may happen so they can take more proactive measures. These can be small, such as enforcing firewalls as part of work-from-home standards, or go deeper, such as holding vendors and third parties to a higher standard to protect the organization’s secrets, whether past, present or future.

SUPPLY CHAIN

Threats: Fraud, Theft, Disruption

Solutions: Investing in technology and threat intelligence can secure supply chains.

Teams required: Logistics/Supply, R&D, Sales, Security

The global supply chain teetered on the brink of collapse for the better part of 2021 — and, in fact, did fail more than once last year — and 2022 stands to be no better. Most of the threats to supply chains that made the headlines focused on worker shortages, changes in consumer demand patterns and disasters. However, the risks start well before the product is distributed, and the threats cascade well before it arrives to its destination.

Deloitte’s CFO Signals Quarterly surveyed CFOs from nearly 100 firms that report $1 billion or more in annual sales. According to Bloomberg, 44% of those CFOs questioned said that the disruptions increased costs by 5% or more; and 32% of those same CFOs indicated that sales fell due to delays and other shortages. In addition, CNBC reported that China’s “industrial activity rose less than expected in September,” falling short of Reuters projections by about 1.4% for that period. This combination amounts to myriad impacts, with the most significant being a shift in sourcing that will temporarily alleviate bottlenecks in some regions before causing them in others. Additional vulnerabilities are sure to follow, creating new and unforeseeable instabilities.

Empowering a supply chain takes more than investing in the right technology and keeping a diversified pool of suppliers. Natural disasters, political instability, civil unrest and climate change are making it harder to procure goods and materials at the source. Understanding the geopolitical landscape that influences regions is crucial to gauging what may go wrong and instituting the redundancies to get ahead of them.

Threat actors, who are increasingly government-backed, are casting a wide net that targets governments, think tanks and public and private companies through malicious tradecraft, and supply is a casualty. This means thousands of entities are compromised whether or not they and/or their suppliers are the primary target. Most directly, the increased negativity among individuals can foster a breeding ground for insider threat that can result in theft, sabotage and worse.

COVID-19 will continue to add complications to organizations as well as create further access points for insider threats. The aim for companies of all sizes to achieve OR is a good start. Those who take it a step further to employ frameworks that continuously monitor, learn and adapt are moving toward a 360-degree view of risk, one we like to call agile operational resiliency. To get there, it takes the right tools used by a multi-functional team of stakeholders sharing knowledge and working together.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

People risk management and operational resiliency