Deflecting the Data Breach: Employee Equilibrium and the HR Balancing Act
Employees are the biggest risk to corporate data. How do HR leaders help deflect the chance of an internal data breach?
Employees are your biggest asset. But they're also your biggest risk. As noted by Dark Reading, 45 percent of businesses say staff members pose the largest threat to internal cybersecurity. This creates a paradox for human resource leaders: How do you empower staff with the critical information they need to do their jobs without exposing your organization to data breach threats? Here's a quick-start guide to finding employee equilibrium and empowering HR security.
Two Sides, Same Coin
If you're looking for good advice about handling insider threats, you'll notice a trend: CISOs are the typical target audience, with IT admins and other C-suite executives tossed in for good measure. Despite the human-centric nature of the problem, however, HR is mentioned only in passing. The problem? Technology controls can only do so much to stem the tide of inadvertent (or malicious) employee action. Think of it like this — both InfoSec and human resource professionals share the goal of securing corporate data. The difference? Methodology. While CISOs cover off tools such as access permissions, application monitoring and intelligent network defense, HR leaders have the equally important job of helping staff recognize the risks of specific behaviors. Success here leads to the ideal outcome: Staff members don't expose business networks to risk in the first place, in turn significantly reducing the chance of a malicious data breach.
Bottom line? HR and IT are two sides of the same security coin. Methods differ, but outcomes are shared.
Bad Apples and Odd Ducks
How are you being breached? Malicious hackers are typically front and center in this conversation given the huge amount of media coverage devoted to malware, ransomware and other threat vectors. The hard truth, however, is that many of these attacks don't succeed without the accidental help of employees — social engineering tactics are sophisticated enough that many employees are fooled into opening malicious attachments, following compromised links or providing confidential information by email. Another common route? Weak passwords, which hackers leverage to access accounts and create persistent backdoors. And in some cases, employees aren't even aware they've put corporate data at risk: As noted by the Society for Human Resource Management, a large aerospace engineering firm had the personal data of 36,000 employees potentially exposed to prying eyes when a staff member emailed a spreadsheet he was struggling to format to his spouse. Follow-up investigations determined there was minimal risk of data misuse due to the breach, but it reinforces the HR challenge: Employees may unwittingly put critical information and intellectual property under threat.
Bad apples are also a problem. These often take the form of recently terminated employees or those bearing a grudge against the organization for perceived mistreatment. Consider the recent case of a well-known supermarket, noted by Lexology: Despite making reasonable efforts to secure staff data, a malicious employee used his home computer to post employee financial data on a public file-sharing website. More worrisome? The business was found "vicariously liable" for this breach despite having fulfilled their data protection obligations.
Shared Security
Even with the increased risk of insider threats and expanding list of compliance requirements, it's not all bad news for HR leaders. Looking to boost data breach security? Start with:
Access Control
Meet in the middle with CISOs to create access control policies that leverage the principle of least privilege. This means restricting staff to data they need for day-to-day tasks and regularly reevaluating their access. That's the IT part; the HR part comes in handling access issues with full discretion to re-train staff, limit IT access or begin termination procedures. The key here? Put cyber-expectations and consequences in writing and make sure all employees are fully informed.
Regular Audits
Next up? Regularly audit how employees are using corporate networks. Use at least two auditors to ensure speed and security, and consider hiring a reputable third party to conduct more in-depth audits of data usage. While this isn't a small line item, these audits form the core of any solid defense if a data breach precipitates legal action.
Transparency
"Shadow IT" (applications, services and now connected devices used by employees without the knowledge or approval of tech departments) remains a serious problem for organizations since it exposes networks to undue risk. Here, HR leaders can help shine a light on these practices by bringing employees into the conversation about what's appropriate for work use and what needs to be left at home. By adopting a transparent policy of explanation and cooperation rather than expectation and condemnation, it's possible to help stem the tide of shadow IT.
Onboarding
Getting staff to care about IT security is critical. This means starting early — educating staff as soon as they're hired and ensuring that regular re-training sessions happen for all employees. But that's just the beginning for HR; the biggest job for human resource teams is creating a culture of inherent security compliance. This means encouraging employees to speak up about their concerns, ask for help when they need it and get the support they need if they make a mistake. Here's why: What you don't see happening is where data breaches flourish. Onboard employees and create a corporate culture to eliminate IT secrecy.
Worried about a data breach? Staff, not sophisticated attackers, are your biggest concern. Working with IT leaders, HR teams can tackle both sides of the compromise coin by implementing better access controls, introducing regular audits, encouraging transparency and effectively onboarding employees.
Stay up-to-date on the latest workforce trends and insights for HR leaders: subscribe to our monthly e-newsletter.
