Insider risk — Security starts with you

Infographic - Text version

Insider risk

Are some of our security threats from within?

Threats aren't limited to spies or cyber criminals, it can come from anyone that is or has been employed within the DND/CAF: an employee, a CAF member, contractor, or student - anyone who has access to sensitive information, assets, people, facilities, who can cause harm to the organization.

The intent can be malicious, careless, or even unknowing… but the damage is the same.

It affects our people

Security risks can:

• Compromise classified information or IT systems
• Jeopardize operations and personnel safety
• Damage Canada's international reputation and partnerships
• Cause financial and operational loss

Types of Insider Risks

Intentional or unintentional

• Careless
  • EX: Leaving systems unlocked, clicking phishing links, oversharing info in public, poor Operational Security (OPSEC).
• Radicalized/Ideological
  • EX: Promoting extremist views or group affiliations conflicting with DND/CAFvalues.
• Compromised
  • EX: Exploited by a third party: Access hijacked via malware, phishing, or coercion.
• Disgruntled Former Personnel
  • EX: Using residual access or knowledge for harm.
• Malicious
  • EX: Selling or publicly leaking classified info for revenge, sabotage, espionage.
• Criminal
  • EX: Engaging in violence, fraud, theft of DND/CAFproperty.

Behavioural Indicators

Report changes and security concerns:

• Significant changes in circumstances or behaviour (drug or alcohol misuse /unexplained frequent absences, unexplained wealth or debt)
• Divided loyalties/obligationsto foreign family members
• Security issues (pattern of security violations, wilful non-compliance, disregarding policy)
• Unauthorized searching, requests, access, retention of classified or sensitive information
• Unexplained or unreported security incidents or interactions with known security threats
• Expressing ongoing disgruntlement with their unit or employer
• Unexplained or unusual work during unsupervised hours
• Unexplained or unreported foreign travel/foreigncontact (when reporting is required)
• Secretive workplace behaviour (hiding documents, blanking computer screen, avoiding colleagues)
• Atypical online activity or profile (dark web use, foreign contacts)
• Criminal activity or involvement with law enforcement (new/previouslyconcealed)

Remember to

• Protect DND/CAFinfo, assets & systems
• Complete security training
• Follow OPSEC rules (don't hold secure doors, verify unknowns)
• File a Notice of Intent to Travel (NOIT) before trips
• Always apply the Need-to-Knowprinciple when sharing/discussingsensitive information in the workplace

Report Insider Concerns

Official channels:

1. Your Chain of Command/Supervisor
2. Unit Security Supervisor (USS)
3. Information Systems Security Officer (ISSO)
4. Submit a Change of Circumstance form (DND 4151)
5. CF National Counter-Intelligence Unit (CFNCIU) [email protected]
6. DGDS Administrative Investigation Bureau (AIB) [email protected]
7. CF Military Police (CFMP)

Supervisors at all levels

Help mitigate insider risk!