Signals & Silence

Insider risk. In plain language.

A series of short articles drawn from practice — written for the leaders who carry the accountability.

The Noise Was the Cover
Signals & Silence No. 2

The Noise Was the Cover

Every year, organizations bring in a wave of temporary staff.

Interns. Seasonal hires. Graduate cohorts. Contract workers. People who are new, eager, and — almost without exception — not trying to cause harm.

They go through onboarding. They sign the Acceptable Use Policy. They complete the mandatory training. Data handling. Confidentiality. What you can and cannot share outside the organization.

Documented. Tracked. Signed off.

The organization has done what it's supposed to do. The boxes are ticked. The certificates are generated.

And then a significant number of those temporary staff find a workaround.

Not because they're malicious. Because they're practical.

Forwarding a document to a personal email so they can read it on the commute. Uploading a file to cloud storage so they can review it at home. Doing what people do when they're trying to get work done — without thinking too carefully about where the boundary is.

They signed the AUP. They completed the training. They just didn't let either of those things slow them down.

The DLP system sees all of it.

Every forwarded email. Every unauthorized upload. Every case requiring documentation, investigation, HR involvement, a formal outcome.

Multiply that across a large temporary population and it's no longer a security problem. It's a flood.

In many organizations, someone identifies a fix. A technical control. Block the external forwarding for temporary staff entirely, with a narrow exception process for legitimate needs.

It makes sense. Leadership endorses it. Most stakeholders agree.

Then the meetings start.

A business unit surfaces — late, as they always do. The same one that was on every distribution list. The same one that never engages during consultation but always has objections at the point of implementation. They want an exception. A blanket one, for all their temporary staff.

The timeline stretches. The control gets diluted. Deals get made.

And while the meetings are still running, the documents keep leaving.

Security, for some parts of the organization, is always someone else's problem — until it isn't.

And then there's the question of what to do with the cases already in the queue.

This is where programmes make a choice — and both options have a cost.

Handle them all the same way: full investigative treatment, documented outcomes, consistent process. Which sounds right. Except that your investigators — the people whose real value is pattern recognition, connecting dots across cases, finding what's actually wrong — are now spending their days processing low-level forwarding violations. They're administrators. The work that only they can do doesn't get done.

Or delegate the low-level cases to line managers. Which sounds efficient. Except that not all managers will handle them the same way. Some will address them properly. Some will quietly let them go. And you've now lost visibility over what's being resolved, how, and whether anything is falling through the gaps.

Either way, the signal suffers. Either way, the programme is looking in the wrong direction.

Most of the violations are exactly what they appear to be.

Someone trying to study. Someone trying to keep up. Someone who didn't think it through — even though they signed the policy that said they should.

But not all of them.

Some temporary populations — large ones, high-volume, high-turnover — also contain people who are doing something deliberate. Data theft through personal email. Documents walked out on a phone. Files printed quietly, in volume, over time.

And some of those people knew exactly what they were walking into.

Because organized crime has figured this out too.

Place someone inside. A seasonal hire. A temp. A short-tenure worker in a busy environment where oversight is stretched and one more DLP case looks exactly like everyone else's. They're not there by accident. They're there with a purpose — and a plan for what to take and how to take it. In and out before anything connects.

They signed the AUP on day one. They completed the mandatory training. Happily. Because none of that was ever going to be the thing that stopped them.

The organization's own well-intentioned employees — the ones just forwarding a document to read on the train — don't know they're providing cover.

But they are.

The question isn't whether organizations with large temporary populations have this problem.

They do.

The real question is whether anyone has the capacity, the visibility, and the programme design to tell the difference — between the person who forwarded a file without thinking, and the person who was counting on everyone else doing exactly that.

A signed AUP and a completed training certificate are a starting point.

They were never meant to be the finish line.

Ian M. Quinn   After Perfect Consulting
The Print Job Nobody Was Supposed to Notice
Signals & Silence No. 1

The Print Job Nobody Was Supposed to Notice

A well-respected senior manager spent the better part of an afternoon at the printer.

A colleague noticed. It was a lot of printing — more than you'd expect, taking longer than it should. But it was a busy office. They thought nothing of it and moved on.

A few days later, word came through that the senior manager had resigned. They were leaving for a competitor.

That's when the colleague paused.

They thought back to the printing. They knew what kind of work that office handled. The kind of material you don't want walking out the door.

They weren't certain. They weren't even sure it was their place to say something.

They liked the senior manager. Most people did. And what if they were wrong? What if there was a perfectly innocent explanation and they'd just put a colleague's career at risk over a hunch about a busy afternoon at the printer?

Most people in that position say nothing. They talk themselves out of it.

But they mentioned it to their supervisor. Who escalated it to the security team.

Every document printed that afternoon was sensitive material.

Here's what most leaders don't realize: in many organizations, printing controls are triggered by the offboarding process. They activate after an employee gives notice.

This senior manager printed before they resigned. They were still fully provisioned. No flags. No restrictions.

The control never fired.

A person did.

Ian M. Quinn   After Perfect Consulting

After Perfect Consulting advises organizations on insider risk—program design, control effectiveness, and response.

Get in touch