Minimise internal risks within your organisation

Why certain roles require greater attention when it comes to security

In the industrial and energy sectors, technical safeguards often get the most attention. Yet organisations are increasingly realising that risk is not just about technology or external threats. Employees with access to critical infrastructure can play an equally important role in keeping operations secure.

When thinking about internal risks, it’s easy to assume they mainly arise from people acting carelessly on purpose or with ill intent. In reality, most risks stem from errors, oversights, or unintended consequences of everyday decisions. It’s not always a person’s intent that determines the impact a situation may have.

This is especially true in environments where permanent staff, contractors, and suppliers work closely together. Some roles can carry more risk than organisations often anticipate. It’s not the employment type that matters, but the access, responsibility, and influence a role carries. Even when everyone is acting in good faith, roles with broad access can still pose an internal risk.

So the real question is not whether internal risks exist, but whether organisations have a clear and realistic understanding of which roles require extra attention – and why.

Internal risks are becoming a higher priority in the industrial and energy sectors

Internal risks have become an increasingly prominent area of focus for organisations responsible for critical infrastructure. This is driven not only by past incidents, but also by stricter regulatory requirements, more extensive audits, and increased use of external suppliers.

Industrial and energy environments are complex by nature. Physical sites, operational technology, and IT systems are closely interconnected. Individuals with authorised access to these environments can, intentionally or unintentionally, affect safety, operational continuity, and the public interest.

At the end of 2025, Poland’s energy sector experienced a major cyberattack, which led Swedish authorities, including the Swedish National Defence Radio Establishment (FRA), to advise the energy sector to increase security and vigilance, even though there was no immediate threat to Sweden at the time, reports TV4. At the same time, a survey conducted by Ekot shows that the number of suspected crimes against critical societal functions in Sweden more than doubled compared with the previous year. According to Ekot, "over 2,000 reports were classified by the police as suspected crimes against critical societal functions in 2025."

As a result, an increasing number of organisations in the industrial and energy sectors are shifting their focus from solely external threats to also managing internal risks. This is particularly important for roles with high access, significant responsibility, and substantial influence.

What we mean by insider risk and what is often overlooked

Insider risk is commonly linked to sabotage or fraud, but this perspective is incomplete. It refers to vulnerabilities that arise because individuals have legitimate access to systems, locations or processes. That access creates exposure, even in the absence of malicious intent.

Human error, negligence, external pressure or conflicts of interest can all contribute. Precisely because these factors are less visible, they are often identified only after an incident has occurred.

Risk is determined by access, not intent

The level and type of access a role has define its internal risk. The broader the access and the greater the influence, the higher the potential risk.

A job title doesn’t tell the whole story

Critical roles are often associated with senior or highly specialised positions. In practice, job titles are a poor indicator of actual exposure.

Within the industrial and energy sectors, risk is defined by access to production systems, energy networks, operational technology environments, physical installations or escalation authority within operations.

Temporary staff, contractors and suppliers increasingly hold such access, without always being recognised as occupying critical roles.

Temporary and external roles require greater focus

Labour shortages and project-based delivery models have increased reliance on external personnel. Access is often granted quickly to prevent operational disruptions.

Influence: the hidden factor behind internal risks

In addition to access, influence is a significant but often underestimated factor in internal risks.

Influence can arise from financial pressures, dependence on external interests, long-term engagement within the same organisation, or conflicting loyalties within complex supply chains. These dynamics are difficult to detect, especially in fragmented operational models. The problem with traditional screening and control methods is that they are rarely designed to address this type of risk.

Recurring checks to detect internal risks

In many organisations, the focus is primarily on risks during the recruitment process. Security checks and assessments are often carried out only at the point of hiring. However, risk does not remain static once someone joins the organisation.

Over time, an individual’s personal circumstances may change. For example, financial pressure, legal issues, or other life events can affect a person’s risk profile. When background checks are treated as a one-time activity, these changes often remain unnoticed, allowing new risks to develop over time.

Responsibility for risk management is often fragmented across different departments, such as HR, Security, and Operations. Access management, role definitions, and reliability assessments are often handled in isolation, without a complete organisational overview.

As a result, internal risks can develop undetected, even in organisations with established procedures. Continuous monitoring and cross-departmental coordination are therefore essential to minimise the likelihood of incidents.

Increased focus on internal risks as legislation tightens

Requirements for how organisations manage access to critical functions and systems are becoming stricter. The NIS2 Directive introduces clearer obligations for risk management, governance, and accountability for organisations operating essential services. Organisations are expected to demonstrate how access to systems, networks, and other critical infrastructure is controlled and monitored over time.

The Swedish Security Protection Act (Säkerhetsskyddslagen) also requires organisations handling security-sensitive operations to screen individuals who are granted access to sensitive functions, systems, or information. Assessments should not only be conducted at the time of hiring but also reviewed whenever roles, responsibilities, or access levels change.

Auditors and supervisory authorities are increasingly focused on the rationale behind access decisions: Why was access granted? On what basis? And how are these decisions followed up over time? Internal risks are therefore not only a matter of security but increasingly a question of governance, accountability, and traceability within the organisation.

The question organisations are increasingly expected to answer

Which roles within the organisation have access to critical infrastructure, and what level of protection is proportionate to that access – including contractors and other external parties?


The way forward

How can organisations manage insider risks in a structured and sustainable way? Not through isolated controls, but through a coherent process that connects roles, access, and reliability – without disrupting operational continuity.