Key Takeaways
- IPSA accreditation and an active insider threat programme are not the same thing: passing the audit doesn’t mean your processes are being delivered.
- The Personnel Reliability Framework (PRF) maps directly onto NPSA’s Insider Risk Mitigation Framework; this overlap is not accidental.
- Most insider events in defence SMEs aren’t espionage-based; they’re due to stress, poor judgement, and aftercare that nobody followed through on.
- IPSA only protects you if it’s lived day-to-day, not filed in a binder and revisited at the next audit.
- IPSA ownership must sit with leadership. Delegating it entirely to HR or a security manager leaves the business open to compromise.
Picture this. A small defence contractor spends months earning its IPSA (Industry Personnel Security Assurance) accreditation. The processes in the PRF have been accepted by ISAC and the business can now manage its own security clearances. Then, twelve months later, a member of staff with security clearance leaves under difficult personal circumstances. It takes weeks for anyone to cancel their access. By then, a sensitive document has left with them. The organisation had a policy that covered exactly this situation, but nobody was following it.
This isn’t a made-up scenario. Many insider incidents unfold in defence businesses not as a result of espionage or sabotage, but because processes were written down and never implemented. Management responsibility doesn’t stop when the policy is written; no policy is effective unless we follow the PDCA cycle:
- Plan – Define the requirement and produce the policy or procedure
- Do – Implement the policy or procedure
- Check – Ensure that the policy or procedure is effective and is being followed
- Act – Apply corrective actions and improvements based on Check phase observations
Insider Threat Isn’t a Spy Thriller
The phrase “insider threat” conjures images of briefcases changing hands in car parks. That framing is part of the problem. It lets most SME owners conclude, reasonably enough, that it doesn’t apply to them.
The NPSA’s Insider Risk Guidance, updated in December 2024, defines insider risk far more broadly. It spans four categories: accidental, negligent, coerced, and malicious. The vast majority of real incidents fall into the first two. An employee under time pressure who takes a shortcut with classified documents. A departing contractor whose system access isn’t revoked promptly. A line manager who noticed a colleague’s behaviour change but didn’t know there was a process for reporting it, or who feared doing so would cause problems.
NPSA’s position is blunt: If you have people, you have risk. That applies to a twelve-person engineering firm with two SC-cleared staff just as much as it applies to a prime contractor with hundreds of cleared staff.
Your Personnel Reliability Framework is an Insider Risk Tool: Whether You’re Using It That Way or Not
Here’s the connection that most IPSA-accredited organisations miss entirely.
The NPSA Insider Risk Mitigation Framework organises effective insider risk management around seven core elements identified in the personnel security maturity assessment:
- Leadership and Governance
- Insider Risk Assessment
- Employment Screening
- Ongoing Personnel Security
- Monitoring and Assessment of Employees
- Investigation and Disciplinary Practices
- Security Culture and Behaviour Change.
Look up the IPSA Personnel Reliability Framework and compare it to NPSA’s insider risk framework. The match is almost one-for-one: screening people before they join, monitoring behaviour while they’re employed, making sure they know their obligation to report personal changes, and building a security-aware culture. The PRF covers all of it. That’s not an accident. The people who designed it knew that good personnel security and insider threat management are essentially the same thing.
The problem is that many organisations build the PRF document to satisfy the Industry Security Assurance Centre (ISAC) accreditation process and never connect it to the active, operational purpose it was designed to serve. They have the right framework. They just aren’t using it as one.
The Gap Between Accreditation and Actual Protection
Attaining IPSA assures the ISAC that your policies are coherent and your procedures are documented. It does not tell them, or you, whether those procedures are being followed on a Wednesday afternoon when your security lead is on leave.
This is where the real risk lives. NPSA’s guidance on Ongoing Personnel Security is clear that accreditation is a starting point, not an endpoint. Effective ongoing personnel security means regular security conversations with cleared staff, a functioning change-of-personal-circumstances (CPC) reporting process, and a leavers procedure that moves at the speed of events rather than the next admin cycle.
None of these things happen automatically. They require someone to own them, check them, and maintain them. One of the challenges for SMEs is to fit these additional Security Controller and Personnel Security Controller responsibilities into an already busy day job. Employees are given many roles and responsibilities, which may result in personnel security fading into the background against a foreground of operational demand and urgency.
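The leavers procedure is the easiest of these to verify mechanically, and it is the one that fails in the opening scenario. The following script is an added illustration, not code from this article or from Pera Prometheus. It assumes the Personnel Security Controller can obtain two exports each month, the HR leavers register and a list of accounts and passes still active, and that the business has set a target of revoking access by the end of the next working day (the one-day grace period is an assumed target, not an IPSA requirement). Both inputs and all names are constructed sample data.

```python
"""Monthly leavers reconciliation: flag cleared leavers whose access outlived them.

Added example (not from the article). Assumes two exports: the HR leavers
register and a list of still-active accounts/passes. Sample data is constructed.
"""
from datetime import date, timedelta

# Constructed sample input: HR leavers register (person, clearance, last day).
LEAVERS = [
    {"person": "A. Example", "clearance": "SC", "last_day": date(2025, 3, 3)},
    {"person": "B. Sample", "clearance": "SC", "last_day": date(2025, 3, 14)},
    {"person": "C. Placeholder", "clearance": "BPSS", "last_day": date(2025, 3, 28)},
]

# Constructed sample input: access that is still active on the check date.
# "D. Current" is a current employee and must not be flagged.
ACTIVE_ACCESS = [
    {"person": "A. Example", "system": "project-share"},
    {"person": "A. Example", "system": "site-pass"},
    {"person": "C. Placeholder", "system": "email"},
    {"person": "D. Current", "system": "project-share"},
]

# Assumed business target: access revoked by the end of the next working day.
GRACE_DAYS = 1


def overdue_revocations(leavers, active_access, as_of, grace_days=GRACE_DAYS):
    """Return one finding per (leaver, system) still active after last_day + grace.

    Leavers with no remaining access (B. Sample) produce no finding, and
    people who are not on the leavers register are ignored.
    """
    leaver_by_person = {entry["person"]: entry for entry in leavers}
    findings = []
    for access in active_access:
        leaver = leaver_by_person.get(access["person"])
        if leaver is None:
            continue  # still employed, nothing to revoke
        deadline = leaver["last_day"] + timedelta(days=grace_days)
        if as_of > deadline:
            findings.append({
                "person": access["person"],
                "clearance": leaver["clearance"],
                "system": access["system"],
                "days_overdue": (as_of - deadline).days,
            })
    # Longest-outstanding first, so the worst case is at the top of the list.
    findings.sort(key=lambda f: (-f["days_overdue"], f["person"], f["system"]))
    return findings


def findings_as_of(iso_date, leavers=LEAVERS, active_access=ACTIVE_ACCESS):
    """Convenience wrapper taking the check date as an ISO string (YYYY-MM-DD)."""
    return overdue_revocations(leavers, active_access, date.fromisoformat(iso_date))


def check_record(findings, iso_date, checked_by):
    """One-line evidence that answers 'who checked this was running last month?'."""
    status = "PASS" if not findings else f"FAIL ({len(findings)} overdue)"
    return f"{iso_date} leavers reconciliation: {status}; checked by {checked_by}"


if __name__ == "__main__":
    check_date = "2025-03-31"
    results = findings_as_of(check_date)
    for f in results:
        print(f"{f['person']:<16} {f['clearance']:<5} {f['system']:<14} "
              f"{f['days_overdue']:>3} days overdue")
    print(check_record(results, check_date, "Personnel Security Controller"))
```

Run it at the same point each month and keep the printed record line with the PRF evidence; an empty findings list is the "Check" step of the PDCA cycle done, and a non-empty one is the input to "Act". On the constructed data, A. Example’s two accounts are 27 days overdue and C. Placeholder’s email is 2 days overdue, while B. Sample (already fully offboarded) and D. Current (still employed) are not reported.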
Leadership Is the Missing Piece
NPSA’s guidance on Leadership and Governance in insider risk makes one point that every CEO or MD of a defence SME should understand: there needs to be a single, senior, accountable owner of people risk. Not a shared responsibility. Not something HR manages alongside contracts and leave requests. One named person with visibility and accountability.
IPSA doesn’t ask you to build a dedicated security department. It asks that someone with authority owns the processes and checks they’re running.
When insider incidents happen, leadership almost always has the right policy in place. What they didn’t have was a clear answer to the question: “Who checked this was running last month?”
That question is yours to own, not to sign off and hand downstairs.
Where can Pera Prometheus Interject?
Bridging the gap between IPSA accreditation and a genuinely functioning insider risk programme is one of the more practical challenges we help SMEs and Large Enterprises work through. At Pera Prometheus, we work with defence contractors exactly at the stage when the paperwork is in order but the processes need embedding. Get in touch and let’s discuss where you are.
Frequently Asked Questions
Q: Do I need to do anything extra for insider threat if I already have IPSA accreditation?
A: Your IPSA Personnel Reliability Framework gives you the right structure, but accreditation confirms the policy exists, not that it’s running. Reviewing how your ongoing assurance, change-of-personal-circumstances reporting, and leavers processes actually operate day-to-day is a good place to start.
Q: What does “ongoing personnel security” actually mean in practice for a small team?
A: At its simplest, it means regular touchpoints with cleared staff (not just annual reviews) and a clear route for line managers to flag concerns about welfare, behaviour changes, or personal circumstances that might affect someone’s reliability. It doesn’t require a dedicated security team; it requires a named owner and a consistent process.
Q: Is insider threat only a risk if we hold SECRET-level material?
A: No. NPSA’s guidance applies to any organisation handling sensitive information, including OFFICIAL-SENSITIVE. Many supply chain incidents involve material at lower classification levels; the damage comes from aggregation, context, and timing, not just from the classification marking on a document.
Q: Who in our organisation should own IPSA day-to-day?
A: NPSA is explicit that there should be a single, senior, accountable owner of people risk. In most SMEs, this sits with the MD or a senior director. The operational aspects of IPSA can be delegated to the security manager or HR function, but accountability needs to sit at senior leadership level.
Q: What does NPSA’s “Be Insider Risk Ready” campaign mean for defence SMEs?
A: The campaign (NPSA Be Insider Risk Ready) is NPSA’s push to shift organisations from reactive to proactive on insider risk: having plans in place before an incident, not scrambling after one. For defence SMEs, it’s an invitation to test whether your IPSA processes would actually catch and contain an insider event, rather than simply documenting that they should.
Stay Safe, Stay Secure