When thinking about preventing and detecting insider threats (whether negligent or malicious) within the workplace, the role of senior leadership and IT security teams is obvious. But the human resources (HR) team plays a significant role as well. Let’s review the ways in which HR can help monitor for, prevent, and mitigate insider threats.
Screen Candidates at Hiring
HR can help prevent a malicious insider from joining the team through the use of various background screening techniques. HR, security, and legal counsel should work together to create and maintain a screening program that takes into account complexities such as verifying credentials and qualifications; properly identifying and evaluating criminal history or security risks; complying with all federal, state and local laws and regulatory requirements; consistency and non-discrimination in application; and providing a positive candidate experience.
Contribute to Security Policy
The corporate security policy is another area where HR, security, and legal counsel should collaborate to ensure a comprehensive policy is shared with employees. Not only is this a document that employees must acknowledge, but it can play a critical role in the event of an insider breach. After a breach occurs, employees, the media, and regulators often ask what measures the company took to prevent it. HR professionals should therefore consider whether their organization could produce documents, such as signed policy acknowledgments and training records, that demonstrate it was actively working to secure sensitive information.
Protect Employee Data
The HR organization holds a significant amount of personal data for each employee, including Social Security numbers, home addresses, healthcare information, and family member details. Consequently, a central responsibility of HR is to protect that data. HR should work with the security team to ensure access policies are in place that limit who can view or export this data to those with a business need, and that such access is logged so misuse by an insider can be detected.
Vet Service Providers
Most organizations contract with third-party providers for services such as health insurance, payroll, life insurance, and tax processing. All of these providers typically fall under the purview of the HR team. What if a provider suffers a data breach caused by an insider within the provider? To vet and monitor the security practices of third parties, consider the following guidance:
- A service provider that receives sensitive information about your employees should contractually represent and warrant that it complies with applicable law and takes reasonable and appropriate security measures to protect your employees' information.
- Consider negotiating the right to audit the security practices of the service provider.
- Evaluate the vendor's breach notification process, and consider negotiating data breach notification provisions that exceed statutory requirements so that you are notified sooner.
Educate the Workforce
The corporate learning and development (L&D) function often resides within the HR organization. Regardless of where it sits, HR plays a crucial role in determining appropriate role-based education and in communicating that completing internal training is required. Security awareness training should be part of the onboarding process that HR oversees. To ensure that employees remain security conscious and can recognize scams that prey on the negligent, HR should partner with L&D and the security team to run simulations of tactics such as email phishing. Similar exercises, such as a tabletop walk-through of a simulated insider breach, let HR and senior leaders test their own responses and the HR internal communications plan.
Listen for Suspicious Behavior
While technology, in the form of employee monitoring software, can help security teams detect and alert on suspicious activity, such as downloading sensitive data and emailing it to a personal account, HR should be alert to personal characteristics that might signal a potential insider threat. Some descriptors of insiders at risk of becoming a threat are greed or financial need, unexplained financial gain, compulsive and destructive behavior, ethical "flexibility", and reduced loyalty. None of these is proof of wrongdoing on its own, so HR should work with the security team and counsel to decide whether additional monitoring is warranted, apply that decision consistently, and document it.
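The kind of alert described above, a sensitive-file download followed by an email of that file to a personal address, is easy to state in prose but worth seeing as detection logic. The following is an added example written for this article, not code from the original post or from any monitoring product. The corporate domain, the sensitive share paths, and the newline-delimited JSON events are all constructed for illustration.

```python
"""Correlate a sensitive-file download with a later email to a personal account.

Added example for this article; the domains, paths and log lines below are
constructed for illustration, not output from any real monitoring product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import posixpath

CORPORATE_DOMAIN = "example.com"                          # assumed corporate mail domain
SENSITIVE_PREFIXES = ("/shares/hr/", "/shares/finance/")  # assumed sensitive locations

# Constructed newline-delimited JSON events: alice downloads payroll data and
# mails it to a personal address; the other users are benign or outside the window.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:30:00", "user": "erin",  "action": "download", "path": "/shares/finance/forecast.xlsx"}
{"ts": "2024-03-04T09:02:11", "user": "alice", "action": "download", "path": "/shares/hr/payroll_2024.xlsx"}
{"ts": "2024-03-04T09:15:40", "user": "alice", "action": "email", "recipient": "alice.smith@gmail.com", "attachment": "payroll_2024.xlsx"}
{"ts": "2024-03-04T10:00:05", "user": "bob",   "action": "download", "path": "/shares/hr/benefits_guide.pdf"}
{"ts": "2024-03-04T10:04:12", "user": "bob",   "action": "email", "recipient": "hr-team@example.com", "attachment": "benefits_guide.pdf"}
{"ts": "2024-03-04T11:20:00", "user": "dave",  "action": "download", "path": "/shares/public/handbook.pdf"}
{"ts": "2024-03-04T11:25:00", "user": "dave",  "action": "email", "recipient": "dave.j@yahoo.com", "attachment": "handbook.pdf"}
{"ts": "2024-03-04T14:00:00", "user": "erin",  "action": "email", "recipient": "erin.home@outlook.com", "attachment": "forecast.xlsx"}
"""


def parse_events(text):
    """Parse NDJSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_sensitive(path):
    """A download is sensitive if it comes from one of the protected shares."""
    return path.startswith(SENSITIVE_PREFIXES)


def is_personal_address(address):
    """Treat any address outside the corporate domain as personal/external."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != CORPORATE_DOMAIN


def detect_exfil(events, window=timedelta(hours=24)):
    """Return one alert per (sensitive download -> personal email of that file) pair.

    Only downloads within `window` before the email are considered, so a stale
    download (erin's, three days earlier) does not fire.
    """
    downloads = defaultdict(list)   # user -> [(ts, path), ...] of sensitive downloads
    alerts = []
    for event in events:
        user = event["user"]
        if event["action"] == "download" and is_sensitive(event["path"]):
            downloads[user].append((event["ts"], event["path"]))
        elif (event["action"] == "email" and event.get("attachment")
              and is_personal_address(event["recipient"])):
            cutoff = event["ts"] - window
            for ts, path in downloads[user]:
                # Match on file name only; a renamed attachment would evade this
                # (see the note below the block).
                if ts >= cutoff and posixpath.basename(path) == event["attachment"]:
                    alerts.append({
                        "user": user,
                        "file": path,
                        "downloaded_at": ts.isoformat(),
                        "emailed_at": event["ts"].isoformat(),
                        "recipient": event["recipient"],
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(parse_events(SAMPLE_LOG)):
        print(alert)   # only alice's payroll_2024.xlsx -> gmail.com pair is reported
```

Matching on the attachment name is the weakest part of this rule: renaming or zipping the file defeats it, which is why commercial tools fingerprint content rather than names. The example still shows the shape of the correlation, and the reason the page pairs the technical signal with HR's behavioral signals: the alert is a reason to look, not a finding of guilt.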
Notify IT of Changes in Status
Whether it's a job role change, termination, resignation, or retirement, timely notification from HR to IT is extremely important so that access to systems and data is adjusted or revoked as needed. Access for departing employees should be revoked no later than the moment of separation, and role changes deserve the same attention: without a review, the permissions of a prior role accumulate on top of the new one. This prevents current and former employees from accessing data, whether out of malice or curiosity. HR also typically has the role of collecting company property such as equipment and access badges.
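Notification alone does not prove that access was actually removed, so security teams commonly reconcile the HR roster against the identity provider and report leavers who are still enabled, movers who kept the groups of their old role, and accounts with no HR owner at all. The following is an added example written for this article, not code from the original post; the role-to-group entitlement map, the HR roster, the account export, and the 4-hour "overdue" threshold are all constructed assumptions.

```python
"""Reconcile HR roster status changes against identity-provider accounts.

Added example for this article; the roster, accounts, and role-to-group map are
constructed for illustration, not a real HRIS or IdP export.
"""
from datetime import datetime, timedelta

# Assumed entitlement map: which groups each job role is allowed to hold.
ROLE_GROUPS = {
    "payroll_analyst": {"hr-share", "payroll-readers"},
    "recruiter": {"hr-share", "ats-users"},
    "engineer": {"git-users", "vpn"},
}

# Constructed HR roster. 'effective' is when the current status/role took effect.
HR_ROSTER = [
    {"employee_id": "E100", "status": "active", "role": "recruiter",
     "effective": "2024-03-01T09:00:00"},      # moved here from payroll_analyst
    {"employee_id": "E101", "status": "terminated", "role": "engineer",
     "effective": "2024-03-03T17:00:00"},      # left yesterday afternoon
    {"employee_id": "E102", "status": "active", "role": "engineer",
     "effective": "2023-06-12T09:00:00"},
]

# Constructed IdP account export.
IDP_ACCOUNTS = [
    {"user": "alice", "employee_id": "E100", "enabled": True,
     "groups": {"hr-share", "payroll-readers", "ats-users"}},   # kept old payroll group
    {"user": "bob", "employee_id": "E101", "enabled": True,
     "groups": {"git-users", "vpn"}},                          # still enabled after leaving
    {"user": "carol", "employee_id": "E102", "enabled": True,
     "groups": {"git-users", "vpn"}},                          # correct
    {"user": "svc-legacy", "employee_id": None, "enabled": True,
     "groups": {"vpn"}},                                       # nobody in HR owns this
]

AS_OF = datetime(2024, 3, 4, 12, 0)   # constructed "now" for the sample data


def reconcile(roster, accounts, now, grace=timedelta(hours=4)):
    """Compare IdP accounts with the HR roster and return the actions required.

    `grace` is how long after a status change an unrevoked account is tolerated
    before it is reported as overdue (assumed value; many policies require zero).
    """
    by_id = {r["employee_id"]: r for r in roster}
    findings = []
    for acct in accounts:
        record = by_id.get(acct["employee_id"])
        if record is None:
            # No HR owner: the classic orphan account left behind by a past leaver.
            if acct["enabled"]:
                findings.append({"action": "review_orphan", "user": acct["user"],
                                 "detail": "enabled account with no HR record"})
            continue
        if record["status"] != "active":
            # Leaver: the account must be disabled; report how late the revocation is.
            if acct["enabled"]:
                age = now - datetime.fromisoformat(record["effective"])
                findings.append({"action": "disable", "user": acct["user"],
                                 "detail": "overdue" if age > grace else "due"})
            continue
        # Mover (or unchanged): strip any group the current role is not entitled to.
        extra = acct["groups"] - ROLE_GROUPS.get(record["role"], set())
        if extra:
            findings.append({"action": "remove_groups", "user": acct["user"],
                             "detail": sorted(extra)})
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, IDP_ACCOUNTS, AS_OF):
        print(finding)   # bob: disable (overdue); alice: remove payroll-readers; svc-legacy: orphan
```

Run on a schedule, this turns the HR notification into a verifiable control: the "disable" findings with detail "overdue" are exactly the cases where HR notified (or should have notified) IT and the revocation did not happen in time. Service accounts will show up as orphans on the first run; the usual fix is to give each one a named HR-recorded owner rather than to exclude them.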
Help with Incident Response
HR should also contribute to the development of the incident response plan by maintaining a list of key internal contacts, including out-of-band numbers such as home and mobile phones, for use in an emergency. The plan should also define how HR will manage internal communications. In the event of a breach, HR should partner with legal counsel to determine how best to manage the investigation. A primary benefit of involving counsel early is that counsel can help you decide whether the investigation should be conducted under attorney-client privilege.