Personnel Security

The Threat Already Inside the Fence

A guide to managing insider risk in critical infrastructure with geospatial intelligence and OSINT correlation.

Every investment in perimeter security — cameras, fencing, biometric access, visitor management — is built on a single assumption: the threat is on the outside trying to get in. For most incidents, that assumption holds. But for a category of incidents that is consistently underreported, underestimated, and disproportionately damaging, it does not.

Insider threats are a distinct problem class. The person who causes the incident already has legitimate access. They know the site layout, the systems, and the schedules. They know where the cameras are. They are not trying to breach the perimeter — they are already past it. And in many cases, they have been past it for months or years before the incident occurs.

Critical infrastructure operators face a specific version of this problem. The SOCI Act recognises it explicitly: personnel security is one of the four mandatory hazard domains in the Critical Infrastructure Risk Management Program (CIRMP). Meeting that requirement means more than conducting background checks at onboarding. It means maintaining an ongoing, intelligence-informed understanding of the personnel risk environment across your operations.

The signals were there. The problem was that no system was connecting them.

The Anatomy of an Insider Incident

Insider incidents rarely emerge without warning. The challenge is not that the signals are absent — it is that they appear in separate data sources that no one is looking at together.

A typical high-risk pattern might look like this: a device associated with an employee begins appearing at a facility boundary at unusual hours — outside their normal shift, in a zone inconsistent with their role. The geospatial signal is recorded, but no single event stands out. Around the same time, the employee posts publicly about job dissatisfaction and financial pressure. The social media activity is visible to anyone looking, but no one in the security team is monitoring it. Separately, credentials matching the employee's profile appear on a dark web forum, suggesting their access has been offered or compromised. Each signal, viewed alone, is explainable and easy to dismiss. Viewed together, they form a coherent pattern of elevated risk.

The incident that follows — whether sabotage, removal of sensitive materials, or facilitated access for an external party — is rarely a surprise in retrospect. CRIMP addresses this fundamental gap not by flagging every anomaly as a threat, but by correlating signals across geospatial records and open-source intelligence to surface the combinations that are genuinely meaningful.

Geospatial Boundary Signals and Insider Risk

CRIMP monitors geospatial signals entering and exiting the boundaries of your defined asset areas, and builds a baseline of what normal looks like for each site, zone, and personnel group. The categories of geospatial anomaly most relevant to insider risk include:

The Four Geospatial Patterns That Matter

Out-of-hours boundary presence. A device associated with a staff member that repeatedly appears at an asset boundary outside their normal working hours — particularly at sites or zones inconsistent with their role. A single after-hours signal may be unremarkable. A recurring pattern, combined with other signals, is not.

Presence at sites outside normal role geography. In distributed infrastructure environments, personnel have defined geographic responsibilities. A device consistently detected at the boundary of a site unconnected to the individual's assigned role may indicate reconnaissance or facilitated access activity.

Proximity to confirmed incidents. When a physical incident occurs at an asset, CRIMP can surface the geospatial boundary history for the preceding window. Which devices were detected entering or exiting the zone? Were any outside expected hours? This correlation is often the first step in understanding whether an incident was opportunistic or deliberate.

Patterns suggesting coordination with external parties. Regular co-location of a staff member's device with an unknown device at or near a sensitive site boundary — outside normal hours — may indicate meetings not visible in any internal record.

OSINT and the External Indicators of Risk

The most consistent finding in post-incident reviews of insider threats is that external indicators were present and observable before the incident occurred. Financial stress, expressed grievance, outside contact with parties of concern — these are well-documented precursors that almost never appear in internal systems because the data lives in public-facing online environments.

CRIMP monitors the open-source environment for signals associated with your personnel — not invasively, but against publicly available indicators relevant to insider risk. Expressed grievance or hostility directed at the organisation. Financial stress indicators visible in marketplace activity or social content. Contact between a monitored individual and an entity that appears in CRIMP's broader threat intelligence. Each of these is a signal that warrants assessment, not a finding of wrongdoing.

The correlation between geospatial and OSINT signals is where the picture becomes coherent. A geospatial boundary event that occurs in isolation stays low priority. The same event, correlated with public posts expressing grievance, financial stress indicators, or credentials appearing on a dark web forum, elevates immediately — because the combination is the pattern that matters.

A risk management program that demonstrates systematic, ongoing monitoring of access anomalies — correlated with incident records and external intelligence inputs — is materially more defensible under regulatory review than one that relies on periodic manual audits.

The Contractor and Third-Party Risk Dimension

Insider threat management cannot be limited to direct employees. Contractors, maintenance personnel, system integrators, and third-party vendors all hold access credentials at many sites — often with broader access than equivalent permanent staff. They are also subject to less continuous oversight, and in many cases their access is retained beyond the active period of their engagement.

CRIMP extends its geospatial and OSINT monitoring to third-party personnel in exactly the same way as direct employees. A contractor whose engagement has ended but whose device continues to appear at asset boundaries is a risk profile that should surface immediately — visible in geospatial signals regardless of whether any formal access system has flagged the activity.
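As an added example that is not part of this page and not CRIMP's own software, the following Python shows how the four geospatial patterns described above, the geospatial/OSINT correlation rule, and the ended-engagement contractor check can be written as detection logic over constructed sample records. The roster fields, the event and signal shapes, the recurrence threshold, the incident look-back window and the risk levels are all assumptions made for this example; a real program would tune them per site and role group.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample roster (assumption): assigned sites, on-shift window on a
# 24h clock, and for contractors the date their engagement ended.
ROSTER = {
    "emp-101": {"sites": {"SITE-A"}, "shift": (7, 17), "engagement_end": None},
    "emp-102": {"sites": {"SITE-A"}, "shift": (7, 17), "engagement_end": None},
    "con-301": {"sites": {"SITE-B"}, "shift": (8, 18), "engagement_end": date(2024, 3, 31)},
}

@dataclass
class BoundaryEvent:
    """One constructed geospatial boundary record: a known device seen at a site boundary."""
    person: str
    site: str
    ts: datetime
    unknown_device_nearby: bool = False  # an unassociated device co-located at the boundary

@dataclass
class OsintSignal:
    """One constructed open-source indicator tied to a person."""
    person: str
    kind: str  # grievance | financial_stress | credential_exposure | entity_contact
    ts: datetime

# Constructed boundary log: emp-101 shows the recurring after-hours pattern,
# emp-102 has a single benign after-hours event, con-301 is a contractor whose
# engagement ended on 2024-03-31 but whose device keeps appearing.
BOUNDARY_LOG = [
    BoundaryEvent("emp-101", "SITE-A", datetime(2024, 4, 2, 22, 15)),
    BoundaryEvent("emp-101", "SITE-A", datetime(2024, 4, 4, 23, 5)),
    BoundaryEvent("emp-101", "SITE-C", datetime(2024, 4, 6, 1, 40), unknown_device_nearby=True),
    BoundaryEvent("emp-101", "SITE-A", datetime(2024, 4, 8, 9, 0)),
    BoundaryEvent("emp-102", "SITE-A", datetime(2024, 4, 3, 18, 30)),
    BoundaryEvent("con-301", "SITE-B", datetime(2024, 4, 5, 10, 0)),
    BoundaryEvent("con-301", "SITE-B", datetime(2024, 4, 9, 21, 0)),
]

# Constructed OSINT log: emp-101 has grievance plus exposed credentials,
# emp-102 has only a financial-stress indicator, con-301 has nothing.
OSINT_LOG = [
    OsintSignal("emp-101", "grievance", datetime(2024, 4, 3, 20, 0)),
    OsintSignal("emp-101", "credential_exposure", datetime(2024, 4, 7, 11, 0)),
    OsintSignal("emp-102", "financial_stress", datetime(2024, 4, 1, 12, 0)),
]

RECURRENCE_THRESHOLD = 3  # assumed: this many after-hours events make a pattern

def is_out_of_hours(ev, shift):
    start, end = shift
    return not (start <= ev.ts.hour < end)

def geospatial_patterns(person, events):
    """Return which of the four geospatial patterns a person's events exhibit."""
    profile = ROSTER[person]
    patterns = set()
    ooh = [e for e in events if is_out_of_hours(e, profile["shift"])]
    if len(ooh) >= RECURRENCE_THRESHOLD:
        patterns.add("recurring_out_of_hours")
    if any(e.site not in profile["sites"] for e in events):
        patterns.add("outside_role_geography")
    if any(e.unknown_device_nearby for e in ooh):
        patterns.add("external_colocation")
    end = profile["engagement_end"]
    if end is not None and any(e.ts.date() > end for e in events):
        patterns.add("post_engagement_presence")
    return patterns

def assess(person, events, osint):
    """Correlate geospatial patterns with OSINT indicators into a risk level."""
    geo = geospatial_patterns(person, [e for e in events if e.person == person])
    ext = {s.kind for s in osint if s.person == person}
    if "post_engagement_presence" in geo:
        level = "elevated"        # ended engagement plus continued presence surfaces on its own
    elif geo and ext:
        level = "elevated"        # the combination is the pattern that matters
    elif geo or ext:
        level = "low"             # a lone signal stays low priority for review
    else:
        level = "none"
    return {"person": person, "geospatial": sorted(geo), "osint": sorted(ext), "level": level}

def incident_window(site, incident_ts, hours, events):
    """Boundary history for a site in the hours before a confirmed incident."""
    start = incident_ts - timedelta(hours=hours)
    hist = [e for e in events if e.site == site and start <= e.ts <= incident_ts]
    return [(e.person, e.ts, is_out_of_hours(e, ROSTER[e.person]["shift"]))
            for e in sorted(hist, key=lambda e: e.ts)]

if __name__ == "__main__":
    for person in ROSTER:
        print(assess(person, BOUNDARY_LOG, OSINT_LOG))
    print(incident_window("SITE-A", datetime(2024, 4, 5, 2, 0), 72, BOUNDARY_LOG))
```

Run as a script it prints one assessment per person and the 72-hour boundary history before a constructed incident at SITE-A. The shape to notice is that emp-102's single after-hours event and single financial-stress indicator each stay low, while emp-101's recurring after-hours presence becomes elevated only once it is correlated with the grievance and credential-exposure indicators, and con-301 is elevated by post-engagement presence alone.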

The SOCI Act's guidance on the personnel hazard domain explicitly includes supply chain personnel as a risk consideration. CRIMP's extension of monitoring coverage to contractor and vendor personnel closes the gap between what the regulation requires and what a direct-employee-only program can deliver.

SOCI Act Obligations

Many operators currently meet the personnel hazard domain through policy: background check procedures, access review schedules, HR incident reporting obligations. Policy is necessary but not sufficient. The personnel hazard domain requires ongoing identification and management of personnel risks — not just onboarding screening and annual reviews.

CRIMP's geospatial boundary monitoring, online behaviour monitoring, and dark web monitoring constitute exactly the kind of systematic, documented personnel risk management process the hazard domain requires. Every alert generated, every correlation surfaced, and every response actioned is logged as a durable record. When a regulator asks how the organisation identifies and manages insider risk on an ongoing basis, the answer is supported by data — not by a policy document describing a process that may or may not be followed consistently.

What CRIMP Monitors

Geospatial Boundary Signals

Device and vehicle movement at asset boundaries, building a baseline of normal for each site and role group. Out-of-hours anomalies and patterns across multiple sites surface automatically.

Online Behaviour

Public-facing social media, forums, and online activity monitored for expressed grievance, financial stress indicators, and contact with entities of concern.

Dark Web Monitoring

Credentials, access data, and sensitive information associated with your personnel or organisation appearing in closed environments — surfaced before the incident that follows.

See CRIMP for Insider Threat Management

Request a demo to see how CRIMP correlates geospatial, online, and dark web signals to surface insider risk before it becomes an incident.