The Verizon Data Breach Investigations Report supports the long-believed adage that “an organization’s greatest vulnerability remains its own workforce.” Employees and others working within an organization, including consultants and contractors, can now work from almost anywhere, bring their own devices (BYOD), use cloud-based applications and access work files on their mobile phones and tablets. The result? A profound increase in threats to cybersecurity.
Have you prepared for these insider threats?
According to a 2015 report from the Council on Cyber Security (within the Department of Homeland Security), HR must play a critical role. The department has effectively managed many types of risks, from natural disasters and workplace violence to large-scale layoffs and lawsuits, meaning HR personnel have the exact experience needed to tackle cybersecurity threats as well. Namely, they have the organizational role and the communications and messaging skills that can help mitigate at least some of the known causes of any “insider” cyber-attack.
Start by identifying the most common causes of “insider” attacks.
1. Accidental Threats
One known cause of an “insider” attack is the result of a well-intentioned employee who makes a mistake, such as using a personal email rather than a work email or accidentally sharing something classified on social media. An IBM study found that well over 20% of breaches at work can be attributed to careless employee mistakes.
2. Disgruntled Employee Threats
Another known cause is strongly linked to disaffected employees who have ill will toward the company. For instance, a global survey from Symantec found that over half of fired employees steal important corporate data after departing their position.
3. Opportunist Threats
Some of the biggest cyber threats come from groups of hackers that target a company through a process known as “phishing” (which uses malware to access sensitive data), and third-party attackers who use social media to identify targets with a predisposition to break security controls and look for a trigger event that will break that employee’s psychological contract with the employer. Trigger events can include a demotion, change in role, redundancy or dismissal, and studies have shown that employees who act against their employer are most likely to do so within 30 days of one.
Prepare and/or react appropriately.
In the case of employee mistakes, HR can deal with these situations by ensuring that employees are properly trained and educated on a regular and continuous basis. Education should begin with the onboarding of new hires and continue with frequent follow-up communications recounting the in-place cyber awareness policies and procedures. HR must strive to alert the workforce on how to recognize cyber threats before they become attacks.
No one should be exempt from this mandatory education, and the need for strong adherence and enforcement is critical. In addition, effective HR technology will allow the department to access permission levels and limit the information different departments can see.
When deterring the threat of disaffected employees, experts agree that HR is the best department to notice the early warning signs that an employee could be disloyal or prone to acting in a malicious manner. HR is typically tasked with implementing programs that deal with the workforce’s health and well-being and, as such, are more prone to understand employee behavior – giving them time to properly prepare and respond to threats.
When dealing with malicious employees or third-party opportunists, keeping the HRMS master files and relevant documentation safe and up-to-date is one of the most critical of all the contributions that HR can make. Combined with the 30-day time period during which an affected employee is most likely to act, an effective HRMS can give the HR team a chance to intervene and take steps to increase monitoring to deter attackers:
- Set up workflows, email triggers and alerts for all appropriate departments.
- Disable passwords and email accounts within minutes not days.
- Ensure hardware is returned before the employee leaves the premises – or is quickly shipped (and closely tracked) from remote locations.
Team up with the IT department.
The connection between HR professionals and security professionals needs to be the closest it’s ever been in history,” says Pete Metzger, Vice Chairman at executive search firm DHR International. He goes on to say that “the Chief Human Resources Officer and the Chief Information Security officer, for example, should communicate with each other about important security issues, like securing mobile devices, hiring trustworthy people (more of an HR issue) and implementing effective authentication (more of a technical issue).”
Once HR and IT team up, they can work together to build an effective cybersecurity training program encompassing policy, procedures and penalties. HR can then publish and disseminate these policies while working closely with internal IT and Security to make sure there is corporate-wide adherence and governance.
Human Resources will also need to co-lead all efforts in support of instilling workforce cyber awareness in the following areas:
- Knowledge of the workforce and hiring procedures.
- Management of the HRMS and protecting HR data.
- Understanding and administration of workforce legal rights – especially privacy.
- Ongoing delivery of cyber awareness training to the workforce.
While the threat of a cyber security attack can never be completely eliminated, the risk can be curtailed through effective employee workforce management. After all, between Russia’s alleged influence over the American political arena, the proliferation of “tax filing scams” reported in the general news, and the recent hacking of major retailers such as Target, Best Buy and Yahoo, cybersecurity has taken a prominent role on the world’s stage.
About the Author: Marc S. Miller is President and Founder of Marc S. Miller Associates, a Leading Independent HR Technology Consultancy. Considered an HRIS, HR Technology Thought Leader, and one of only a few independent sole proprietor consultants in the industry, Marc is a well-known educator and speaker on HR Technology topics.