Insider risk and influence: why critical roles require more protection than you might expect

In the industry and energy sector, safety and continuity are often approached through systems, installations and processes. Technical safeguards receive significant attention. Increasingly, however, organisations recognise that risk is not limited to technology or external threats. Individuals with legitimate access to critical infrastructure play an equally decisive role.

Insider risk is frequently associated with deliberate misconduct. In practice, risk more commonly arises from access, dependencies and influence. In environments where permanent staff, contractors and supply-chain partners work alongside one another, certain roles are inherently more exposed than organisations often assume.

The relevant question, therefore, is not whether insider risk exists, but whether organisations have a clear and realistic view of which roles require additional protection, and why.

Why insider risk is moving up the agenda in Industry & Energy

Insider risk has become a growing point of attention for organisations responsible for critical infrastructure. This is driven not only by incidents, but also by tighter regulatory expectations, more demanding audits and increased reliance on external parties.

Industry and energy environments are complex by design. Physical locations, operational technology and IT systems are closely interconnected. Individuals with authorised access to these environments can, intentionally or unintentionally, affect safety, operational continuity and public interest.

As a result, organisations are shifting their focus from external threats alone towards internal exposure.

What we mean by insider risk and what is often overlooked

Insider risk is commonly linked to sabotage or fraud, but this perspective is incomplete.

Insider risk refers to vulnerabilities that arise because individuals have legitimate access to systems, locations or processes. That access creates exposure, even in the absence of malicious intent.

Human error, negligence, external pressure or conflicts of interest can all contribute. Precisely because these factors are less visible, they are often identified only after an incident has occurred.

Access, not intent, defines the risk profile

Trust in people remains essential, but it cannot function as the sole control measure.

The level and nature of access determine the risk associated with a role: what the holder can reach, change or bypass, and whether that can be done unobserved. The broader the access and the greater the influence, the higher the potential impact of misuse, error or external pressure.

Critical roles: why job titles provide a false sense of security

Critical roles are often associated with senior or highly specialised positions. In practice, job titles are a poor indicator of actual exposure.

Within Industry and Energy, risk is defined by access to production systems, energy networks, operational technology environments and physical installations, and by the authority to escalate or override decisions within operations.

Temporary staff, contractors and suppliers increasingly hold such access, without always being recognised as occupying critical roles.

Why temporary and external roles require particular attention

Labour shortages and project-based delivery models have increased reliance on external personnel. Access is frequently granted quickly to prevent operational delays.

Reassessment, monitoring and structured documentation do not always keep pace. This creates blind spots: individuals with sustained or extensive access whose risk profile is not periodically reviewed.

Influence: the least visible driver of insider risk

In addition to access, influence is a significant but often underestimated factor in insider risk.

Influence may arise from financial pressure, dependency on external interests, prolonged engagement with a single organisation or conflicting loyalties within complex supply chains. Such dynamics are difficult to detect, particularly in fragmented operating models.

Traditional screening approaches are rarely designed to address these forms of risk.

Why traditional screening approaches fall short

In many organisations, screening is treated as a one-off activity at the point of onboarding. Once access is granted, risk profiles are rarely reassessed in line with changes in role, responsibility or duration of access.

At the same time, accountability is often fragmented across HR, Security, Compliance and Operations. Access management, role definition and reliability assessments are handled in isolation, limiting organisational oversight.

This fragmentation creates the conditions in which insider risk can develop unnoticed.
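The blind spot described in the two sections above (external parties with sustained access, and screening that is never repeated after a change of role or after a long period of access) can be made visible with a periodic access review. The script below is an added example, not code from the original article: it runs over a constructed register of access grants and flags the ones whose risk profile needs reassessment, using review intervals driven by the most critical system a grant reaches rather than by job title. The tier scheme, review intervals, the halving of the interval for contractors and suppliers, the "extensive access" threshold and every record in the register are assumptions made for illustration.

```python
"""Periodic access-review check for critical-role grants.

Added example, not code from the original article. Every record, tier,
interval and threshold below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy: maximum days between reliability/access reassessments, by the
# most critical system the grant reaches (tier 1 = OT and production control,
# tier 2 = supporting systems, tier 3 = everything else).
REVIEW_INTERVAL_DAYS = {1: 90, 2: 180, 3: 365}
EXTERNAL_INTERVAL_FACTOR = 0.5   # contractors and suppliers reviewed twice as often
BROAD_ACCESS_THRESHOLD = 3       # this many tier-1 systems counts as extensive access


@dataclass
class Grant:
    subject: str
    employment: str                 # "employee", "contractor" or "supplier"
    role: str
    systems: dict                   # system name -> criticality tier (1, 2 or 3)
    granted: date                   # date of the onboarding screening
    last_review: Optional[date]     # None: never reassessed since onboarding
    role_changed: Optional[date] = None


def review_interval(grant: Grant) -> int:
    """Review deadline in days, driven by the access reached, not by job title."""
    tier = min(grant.systems.values())
    days = REVIEW_INTERVAL_DAYS[tier]
    if grant.employment != "employee":
        days = int(days * EXTERNAL_INTERVAL_FACTOR)
    return days


def review_findings(grant: Grant, today: date) -> list:
    """Return the reasons this grant needs a fresh reliability assessment."""
    findings = []
    interval = review_interval(grant)
    baseline = grant.last_review or grant.granted
    age = (today - baseline).days
    if age > interval:
        findings.append(f"review overdue: {age} days since last assessment, limit {interval}")
    if grant.role_changed and (grant.last_review is None or grant.role_changed > grant.last_review):
        findings.append(f"role changed on {grant.role_changed} after last review: reassess access")
    tier1 = sorted(s for s, t in grant.systems.items() if t == 1)
    if len(tier1) >= BROAD_ACCESS_THRESHOLD:
        findings.append(f"extensive tier-1 access: {', '.join(tier1)}")
    return findings


def run_review(grants: list, today: date) -> dict:
    """Map each subject that needs attention to its findings (clean grants are omitted)."""
    report = {}
    for g in grants:
        f = review_findings(g, today)
        if f:
            report[g.subject] = f
    return report


# Constructed sample register: a permanent operator reviewed recently, a
# maintenance contractor with broad OT access never reassessed since 2024, an
# employee whose role changed after the last review, and a newly onboarded supplier.
SAMPLE_GRANTS = [
    Grant("a.jansen", "employee", "control room operator",
          {"DCS": 1, "historian": 2}, date(2023, 1, 10), date(2025, 9, 1)),
    Grant("b.contractor", "contractor", "maintenance engineer",
          {"DCS": 1, "SIS": 1, "PLC-east": 1}, date(2024, 3, 1), None),
    Grant("c.devries", "employee", "IT administrator",
          {"historian": 2, "directory": 2}, date(2022, 5, 1), date(2025, 2, 1), date(2025, 6, 15)),
    Grant("d.supplier", "supplier", "portal user",
          {"vendor-portal": 3}, date(2025, 10, 15), None),
]
REVIEW_DATE = date(2025, 11, 1)

if __name__ == "__main__":
    for subject, reasons in run_review(SAMPLE_GRANTS, REVIEW_DATE).items():
        print(subject)
        for r in reasons:
            print("  -", r)
```

On the sample register the operator and the new supplier pass, while the contractor is flagged twice (no reassessment since onboarding in 2024, and access to three tier-1 systems) and the administrator is flagged for an overdue review and a role change after the last review. The point of the design is that the schedule is computed from the systems a grant reaches and from the employment relationship, so a contractor with control-system access is reviewed on a tighter cycle than a permanent employee with a more senior title and less exposure.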

Regulatory expectations are increasing without prescribing detailed solutions

Legislation and regulatory frameworks do not always explicitly define how insider risk should be managed. However, there is a clear and growing expectation that organisations can demonstrate control over who has access to critical functions and infrastructure.

Auditors and contracting authorities increasingly focus on the rationale behind access decisions. Why was access granted? On what basis? And how is this assessment reviewed over time?

Insider risk therefore extends beyond security and becomes a matter of governance and accountability.

The question organisations are increasingly expected to answer

Which roles within your organisation have access to critical infrastructure, and what level of protection is proportionate to that access?

Could you explain and substantiate this today, including for contractors and other external parties?

Looking ahead

In the pieces that follow, we will explore how organisations can address insider risk in a structured and sustainable manner: not through isolated controls, but through a coherent approach that connects roles, access and reliability without disrupting operational continuity.