Insider Risk in Cultural Institutions

An Underrated but Persistent Vulnerability
Cultural institutions rely on trust. Every day, staff, contractors, and temporary personnel work around objects, buildings, and systems that carry cultural, historical, and financial value. This trust is central to how museums and heritage organisations operate, but it also creates a form of vulnerability that is often overlooked. Insider risk appears when individuals with legitimate access unintentionally or deliberately create harm. These incidents often hide within normal routines where problems can remain unnoticed.

How Insider Incidents Usually Occur
Insider incidents in cultural environments tend to fall into three broad categories.

The first is unintentional or negligent behaviour. This includes inconsistent key control, doors that are not secured properly, shortcuts in handling or storage routines, informal sharing of internal information, or a lack of attention during opening and closing procedures. Most of these actions are not malicious, but they can expose sensitive areas or objects to avoidable risk.

A second category involves the accidental exposure of sensitive information. Behind-the-scenes photos posted online, casual conversations in public spaces, or misconfigured digital systems can reveal storage layouts, object routes, or security routines. Even small details can create opportunities for opportunistic behaviour or targeted theft.

The third category involves deliberate misuse of access. These cases are rare, but the impact can be significant. The British Museum incident, where an internal employee removed items over a long period of time, showed that insider activity can continue when documentation, oversight, or inventory controls have gaps. Well-known institutions are not exempt from internal vulnerabilities.

Why These Incidents Are Hard to Detect
Insiders are difficult to identify because they are authorised to be in restricted areas. Their presence and routines match normal operations, and their behaviour rarely draws attention. Many cultural institutions value a collegial environment, which can make reporting concerns uncomfortable. Older governance structures may not match current operational demands, while limited staffing and large buildings make continuous oversight difficult. These conditions allow insider incidents to remain undetected longer than most external threats.

Organisational Conditions That Increase Exposure
Several factors common in cultural institutions increase insider risk. Staff, contractors, and temporary personnel often have routine access to high-value or sensitive areas. Exhibition rotations, loans, and events create constant movement and can introduce procedural drift. Many buildings still rely on outdated access control, incomplete inventories, or manual record-keeping. Complex or historic buildings can also create blind spots that limit visibility.

Reducing Insider Risk Through Structure and Clarity
Managing insider risk is not about suspicion. It is about building predictable, visible systems that reduce opportunities for mistakes or misuse. Clear governance is the foundation. Defined access rules, structured key control, documented handling procedures, and separation of duties provide a stable baseline for daily work. Recruitment, role-specific training, and regular reviews of access levels support consistency and transparency.

The Importance of Culture and Reporting
Organisational culture plays a major role. Institutions that treat reporting as a routine part of stewardship gain early insight into emerging issues. Normalising the reporting of near misses, irregularities, or procedural gaps strengthens collective responsibility and removes the stigma often attached to raising concerns.

Why Integration Matters
Integration remains one of the strongest mitigations. People who feel informed, respected, and included are more likely to follow procedures, communicate openly, and report concerns. Disengagement is one of the clearest predictors of internal vulnerability.

Strengthening Trust Through Oversight
Insider risk is a sensitive topic because trust is a core part of cultural work. Trust and oversight do not conflict. When combined, they support each other. With clear governance, consistent procedures, and a supportive culture, cultural institutions can reduce insider vulnerabilities while reinforcing stewardship, safety, and resilience.

If your organisation would like support with insider-risk assessments, governance frameworks, or training tailored to cultural environments, STEMA Risk Management is ready to assist.

Written By
Stephan Krutå – Director STEMA Risk Management
