Key Takeaways
- IPSA accreditation and an active insider threat programme are not the same thing: passing the audit doesn’t mean your processes are being delivered.
- The Personnel Reliability Framework (PRF) maps directly onto NPSA’s Insider Risk Mitigation Framework; this overlap is not accidental.
- Most insider events in defence SMEs aren’t espionage; they stem from stress, poor judgement, and aftercare that nobody followed through on.
- IPSA only protects you if it’s lived day-to-day, not filed in a binder and revisited at the next audit.
- IPSA ownership must sit with leadership. Delegating it entirely to HR or a security manager leaves the business open to compromise.
Picture this. A small defence contractor spends months earning their IPSA (Industry Personnel Security Assurance) accreditation. The processes in their PRF have been accepted by the Industry Security Assurance Centre (The Authority) and they can now manage their own security clearances. Then, twelve months later, a member of staff with security clearance leaves under difficult personal circumstances. It takes weeks for anyone to cancel their physical access, and longer still to revoke their accounts across email, cloud platforms, and shared drives. By then, a sensitive document has left with them. The organisation had a policy that covered exactly this situation, but nobody was following it.
This isn’t an invented scenario. Many insider incidents unfold in defence businesses not as a result of complicated espionage or sabotage initiatives, but because processes were written down and never implemented or reviewed. Management responsibility doesn’t stop when the policy is written; no policy is effective unless it is carried through the full PDCA (Plan, Do, Check, Act) cycle:
- Plan – Define the requirement and produce the policy or procedure.
- Do – Implement the policy or procedure.
- Check – Ensure that the policy or procedure is effective and is being followed.
- Act – Apply corrective actions and improvements based on Check phase observations.
Insider Threat Isn’t a Spy Thriller
The phrase “insider threat” conjures images of briefcases changing hands in car parks. That framing is part of the problem. It lets most SME owners conclude, reasonably enough, that it doesn’t apply to them.
The NPSA’s Insider Risk Guidance, updated in December 2024, defines insider risk far more broadly. It spans four categories: accidental, negligent, coerced, and malicious. The vast majority of real incidents fall into the first two. Think of an employee who, under time pressure, takes a shortcut with classified documents; a departing contractor whose system access isn’t revoked promptly across email, shared drives, and remote access tools (not just their building pass); or a line manager who noticed a colleague’s behaviour change but didn’t know there was a process for reporting it, or feared that doing so would cause problems.
NPSA’s (National Protective Security Authority) position is blunt: If you have people, you have risk. That applies to a twelve-person engineering firm with two SC-cleared staff, just as much as it applies to a prime contractor with hundreds of cleared staff.
Your Personnel Reliability Framework is an Insider Risk Tool: Whether You’re Using It That Way or Not
Here’s the connection that most IPSA-accredited organisations miss entirely.
The NPSA Insider Risk Mitigation Framework organises effective insider risk management around seven core elements identified in the personnel security maturity assessment:
- Leadership and Governance
- Insider Risk Assessment
- Employment Screening
- Ongoing Personnel Security
- Monitoring and Assessment of Employees
- Investigation and Disciplinary Practices
- Security Culture and Behaviour Change.
Look up the IPSA Personnel Reliability Framework and compare it to NPSA’s insider risk framework. The match is almost one-for-one: screening people before they join, monitoring behaviour while they’re employed, making sure they know their obligation to report personal changes, and building a security-aware culture. The PRF covers all of it. That’s not an accident; both are built on the same best practice. The people who designed it knew that good personnel security and insider threat management are essentially the same thing.
The problem is that many organisations build the PRF document to satisfy the Industry Security Assurance Centre (ISAC) accreditation process and never connect it to the active, operational purpose it was designed to serve. They have the right framework. They just aren’t using it as one.
A further development raises the stakes considerably. IPSA accreditation is a formal prerequisite for MOD Facility Security Clearance (FSC), the regime that allows an organisation to hold and manage classified material at SECRET and above on its own premises. The ISAC assessment is not a ‘tick-box’ exercise that simply checks whether your PRF documentation is coherent. It assesses whether your personnel security processes are genuinely embedded and operational. Organisations pursuing or maintaining FSC that treat their IPSA framework as a compliance artefact, rather than a live control environment, are exposed on both fronts.
The Gap Between Accreditation and Actual Protection
Attaining IPSA assures the ISAC that your policies are coherent and your procedures are documented. It does not tell them, or you, whether those procedures are being followed on a Friday afternoon when your security lead is on leave.
This is where the real risk lives. NPSA’s guidance on Ongoing Personnel Security is clear that accreditation is a starting point, not an endpoint. Effective ongoing personnel security means regular security conversations with cleared staff, a functioning change of personal circumstances (CPC) reporting process, and a leavers procedure that moves at the speed of events rather than the next admin cycle. The leavers procedure must extend to digital offboarding: revoking access across every system the person could reach (cloud services, email, VPN, shared drives), not just the return of a physical pass or ID card, and confirming that each revocation actually happened.
None of these things happen automatically. They rely on cultural change and require someone to own them, check them, and maintain them. One of the challenges for SMEs is fitting the additional Security Controller and Personnel Security Controller responsibilities into an already busy day job. When employees carry many roles, personnel security can fade into the background against a foreground of operational demand and urgency.
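The “Check” step for a leavers procedure is mechanical enough to script. The example below is added here and is not code from the original page or from any NPSA or ISAC tool; it reconciles a constructed HR leavers list against constructed per-system account exports (the system names, users and dates are all made up for illustration) and flags any leaver whose account is still enabled, was disabled later than a short grace window, or has no export record at all, so that the answer to “who checked this was running last month?” can be a report rather than an assumption.

```python
"""Leaver access reconciliation check (added example, not from the original page).

All data below is constructed for illustration: a hypothetical HR leavers list
and hypothetical account exports from four systems. The check reports every
leaver whose access on any expected system cannot be shown to have been
revoked within the grace window after their leaving date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    user: str
    left_on: date


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    enabled: bool
    disabled_on: Optional[date]  # None if still enabled or date not recorded


# Constructed sample HR leavers list (hypothetical names and dates)
LEAVERS = [
    Leaver("a.smith", date(2025, 3, 14)),
    Leaver("b.jones", date(2025, 3, 21)),
    Leaver("c.patel", date(2025, 4, 2)),
]

# Constructed sample account exports (hypothetical systems and records)
ACCOUNTS = [
    Account("email", "a.smith", False, date(2025, 3, 14)),
    Account("vpn", "a.smith", False, date(2025, 3, 14)),
    Account("cloud-files", "a.smith", False, date(2025, 3, 14)),
    Account("door-pass", "a.smith", False, date(2025, 3, 14)),
    Account("email", "b.jones", False, date(2025, 3, 21)),
    Account("vpn", "b.jones", True, None),                       # never revoked
    Account("cloud-files", "b.jones", False, date(2025, 4, 11)),  # three weeks late
    Account("door-pass", "b.jones", False, date(2025, 3, 21)),
    Account("email", "c.patel", False, date(2025, 4, 2)),
    Account("vpn", "c.patel", False, date(2025, 4, 2)),
    Account("cloud-files", "c.patel", False, date(2025, 4, 3)),   # within grace
    # c.patel has no door-pass record in the export: cannot be confirmed
]

# Every system a cleared leaver must be removed from (hypothetical list)
EXPECTED_SYSTEMS = {"email", "vpn", "cloud-files", "door-pass"}

# Date the check is run, fixed so the example is reproducible
AS_OF = date(2025, 5, 1)


def reconcile(leavers, accounts, as_of, grace=timedelta(days=1)):
    """Return (user, system, finding) tuples for revocations that are overdue,
    missing, or unprovable. A leaver with no findings has been fully offboarded."""
    by_user = {}
    for acc in accounts:
        by_user.setdefault(acc.user, {})[acc.system] = acc

    findings = []
    for lv in leavers:
        if lv.left_on > as_of:
            continue  # has not left yet; nothing to revoke
        deadline = lv.left_on + grace
        for system in sorted(EXPECTED_SYSTEMS):
            acc = by_user.get(lv.user, {}).get(system)
            if acc is None:
                findings.append((lv.user, system, "no export record: revocation cannot be confirmed"))
            elif acc.enabled:
                days = (as_of - lv.left_on).days
                findings.append((lv.user, system, f"still enabled {days} days after leaving"))
            elif acc.disabled_on is None:
                findings.append((lv.user, system, "disabled but no date recorded"))
            elif acc.disabled_on > deadline:
                days = (acc.disabled_on - lv.left_on).days
                findings.append((lv.user, system, f"disabled {days} days after leaving"))
    return findings


if __name__ == "__main__":
    for user, system, finding in reconcile(LEAVERS, ACCOUNTS, AS_OF):
        print(f"{user:10} {system:12} {finding}")
```

Run monthly against real exports, an empty result is the evidence the ISAC assessor and the accountable owner both want; a non-empty one is a leavers procedure that exists on paper but not in practice. The “no export record” finding matters as much as the others: a system that cannot prove revocation has not been offboarded.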
NPSA has also published specific guidance on communications during an insider risk incident: what to say internally, how to manage external messaging, and when to bring in legal or HR functions. Most SMEs have no plan for this dimension of an incident. A response procedure that covers technical containment and access revocation but says nothing about who communicates what, to whom, and when, is incomplete. Preparing that messaging in advance, under the ‘Be Insider Risk Ready’ framework, is one of the more practical steps an organisation can take before an incident occurs.
Leadership Is the Missing Piece
NPSA’s guidance on Leadership and Governance in insider risk makes one point that every CEO or MD of a defence SME should understand: there needs to be a single, senior, accountable owner of people risk. Not a shared responsibility. Not something HR manages alongside contracts and leave requests. One named person with visibility and accountability. Leadership from the top is essential to developing the culture that ensures processes and procedures are followed when no-one is actively checking, on that Friday afternoon for example.
NPSA research conducted with more than 250 senior decision-makers found a gap between how confident leaders felt about their insider risk arrangements and how robust those arrangements actually were.
Leaders consistently described insider events as unlikely or even irrelevant to their businesses. In general, business leaders found the subject of their employees causing harm, and the term ‘insider risk’ itself, uncomfortable. As a consequence, unrealistic faith is placed in employees to do the right thing, and insider risk programmes are dismissed as unnecessary bureaucracy. These perceptions point to a shortage of leadership attention and the lack of an effective security culture, which together cause insider threat programmes to fail.
IPSA doesn’t ask you to build a dedicated security department. It asks that someone with authority owns the processes and checks they’re running.
When insider incidents happen, leadership almost always had the right policy in place. What they didn’t have was a clear answer to the question: “Who checked this was running last month?”
That question is yours to own, not to sign off and hand downstairs.
Where can Pera Prometheus Provide Support?
Bridging the gap between IPSA accreditation and a genuinely functioning insider risk programme is one of the more practical challenges we help SMEs and larger enterprises work through. At Pera Prometheus, we work with defence contractors to develop, implement and embed their IPSA and insider threat programmes. Get in touch and let’s discuss where you are.
Frequently Asked Questions
Q: Do I need to do anything extra for insider threat if I already have IPSA accreditation?
A: Your IPSA Personnel Reliability Framework gives you the right structure, but accreditation confirms that the policy exists, not that it’s operating effectively. Reviewing how your ongoing assurance, change of personal circumstances reporting, and leavers processes actually operate day-to-day is a good place to start.
Q: What does “ongoing personnel security” actually mean in practice for a small team?
A: At its simplest, it means regular touchpoints with cleared staff (not just annual reviews) and a clear route for line managers to flag concerns about welfare, behaviour changes, or personal circumstances that might affect someone’s reliability. It doesn’t require a dedicated security team; it requires a named owner and a consistent process.
Q: Is insider threat only a risk if we hold SECRET-level material?
A: No. NPSA’s guidance applies to any organisation handling sensitive information, including OFFICIAL-SENSITIVE. Many supply chain incidents involve material at lower classification levels; the damage comes from aggregation, context, and timing, not just from the classification marking on a document.
Q: Who in our organisation should own IPSA day-to-day?
A: NPSA is explicit that there should be a single, senior, accountable owner of people risk. In most SMEs, this sits with the MD or a senior director. The operational aspects of IPSA can be delegated to the security manager or HR function but accountability needs to sit at senior leadership level.
Q: What does NPSA’s “Be Insider Risk Ready” campaign mean for defence SMEs?
A: The campaign is NPSA’s push to shift organisations from reactive to proactive on insider risk: having plans in place before an incident, not scrambling after one. For defence SMEs, it’s an invitation to test whether your IPSA processes would actually catch and contain an insider event, rather than simply documenting that they should.
Q: Our organisation is working towards FSC. Does that change our IPSA obligations?
A: Yes, significantly. IPSA accreditation is a formal prerequisite for FSC, and ISAC will assess whether your Personnel Reliability Framework is genuinely embedded and operational, not simply documented. Organisations pursuing FSC should treat their IPSA processes as live security controls from the outset, rather than as audit artefacts to be revisited at renewal.
Stay Safe, Stay Secure