Insider risk is a growing concern for organisations in Australia and around the world. For clarity, when I talk about Insider risk I mean the potential for employees, contractors, or other authorised individuals to misuse their access to an organisation's systems or information, either intentionally or unintentionally. Insider risk can result in data breaches, intellectual property theft, reputational damage, and financial loss. In mitigating insider risk, organisations must also consider both legal and ethical considerations.

What are the Legal Considerations

Privacy Laws: Australia has strict privacy laws that regulate the handling of personal information. The main privacy law is the Privacy Act 1988, which sets out the Australian Privacy Principles (APPs). The 13 APPs outline how personal information should be collected, used, and disclosed, and require organisations to take reasonable steps to protect personal information from unauthorised access or disclosure.

Organisations must comply with the Privacy Act and the APPs to ensure that personal information is handled appropriately. Failure to comply with privacy laws can result in significant fines and reputational damage. For example, in 2019, the Australian Information Commissioner (OAIC) fined Facebook AUD $9 million for breaching the Privacy Act by sharing the personal information of millions of Australian users with third-party developers.

Corporations Act: The Corporations Act 2001 is the main legislation that governs corporations in Australia. It sets out the duties and responsibilities of directors and officers of companies, including their obligation to act in the best interests of the company and to avoid conflicts of interest. The Corporations Act also includes provisions related to insider trading, which is illegal in Australia. Insider trading occurs when a person trades on confidential information that is not available to the public.

The consequences of insider trading can be severe, including fines, imprisonment, and reputational damage. In 2020, the Australian Securities and Investments Commission (ASIC) charged a former employee of an Australian financial services company with insider trading, alleging that he used confidential information to trade shares in a company before it announced a merger.

Criminal Code and Criminal Law: There are a number of legislated criminal offences, in both Federal and Australian State law related to computer misuse. These include offenses related to unauthorised access, modification, or impairment of data. Legislation in some states also includes provisions related to offenses committed by insiders, such as the unauthorised disclosure of information.

Organisations must comply with legislation to ensure that their systems and data are protected from unauthorised access or modification. Failure to comply with legislation can result in significant fines and legal action.

What are some of the Ethical Considerations

Employee Morale: Insider risk can have a significant impact on employee morale. Employees may feel that their trust and loyalty have been betrayed if a colleague or supervisor engages in activity which could be described as insider risk. This can lead to a decline in productivity, increased turnover, and damage to the organisation's reputation.

To promote employee morale, organisations must create a culture of trust and transparency. This includes providing employees with clear policies and procedures related to data privacy and security, promoting ethical behaviour, and providing training and support to employees.

Intellectual Property Protection: Insider risk can also pose a significant threat to an organisation's intellectual property (IP). Intellectual property includes patents, trademarks, copyrights, and trade secrets. If an insider breaches their obligation to protect IP, it can result in significant financial losses and reputational damage.

To protect their intellectual property, organisations must implement strict policies and procedures related to access control, data encryption, and data loss prevention. Organisations should also provide regular training and support to employees to ensure that they understand the importance of protecting IP.

Insider risk is a complex issue that requires organisations to consider both legal and ethical considerations. Legal considerations include data privacy laws, liability for employee actions, and intellectual property protection, while ethical considerations include employee morale and trust. To mitigate insider risk, organisations should implement comprehensive security policies and procedures, provide employee training, and monitor activity. One of the key pillars to the insider risk challenge is monitoring of staff activity. That solution is here! ShadowSight is a proven platform, used in government and corporate organisations, which was built by a team of experts with years of experience in the Insider Threat space. ShadowSight delivers a pragmatic approach to Insider Threat monitoring with rapid return on investment and measurable cultural change.

Christopher McNaughton

Strategic Advisor, ShadowSight

Who is Christopher McNaughton

Chris is a proficient problem solver with a strategic aptitude for anticipating and addressing potential business issues, particularly in areas such as Insider Threat, Data Governance, Digital Forensics, Workplace Investigations, and Cyber Security. He thrives on turning intricate challenges into opportunities for increased efficiency, offering pragmatic solutions derived from a practical and realistic approach.

Starting his career as a law enforcement Detective, Chris transitioned to multinational organisations where he specialised and excelled in Cyber Security, proving his authority in the field. Even under demanding circumstances, his commitment to delivering exceptional results remains unwavering, underpinned by his extraordinary ability to understand both cyber and business problems swiftly, along with a deep emphasis on active listening.

What is ShadowSight

ShadowSight is an innovative insider risk staff monitoring tool that proactively guards your business against internal threats and safeguards vital data from unauthorised access and malicious activities. We offer a seamless integration with your current systems, boosting regulatory compliance while providing unparalleled visibility into non-compliant activities to reinforce a secure digital environment. By prioritising actionable intelligence, ShadowSight not only mitigates insider threats but also fosters a culture of proactive risk management, significantly simplifying your compliance process without the overwhelming burden of false positives.