BreachExchange mailing list archives
Insider Threat detection - Joining up HR and IT helps with training and revealing insider threat indicators
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 30 Sep 2015 15:59:18 -0500
http://www.cio.co.uk/insight/security/insider-threat-detection-joining-up-hr-it-3626421/

Information security research isn't always about bits and bytes, attack trends and new malware samples. Sometimes it challenges us to look instead at the human side of the industry – which is no less important. Recent research that caught my eye revealed that a majority of employees in the UK, US, Germany and Australia believe HR should take on a bigger role in IT security. This includes things like training, disciplinary action, and vetting of candidates for new roles with the company. Given the nature of the insider threat we face today, I couldn't agree more that HR and IT should work more closely together. But it's senior decision makers on the IT side that need to make the first move.

The value of HR

While tales of nation state cyber espionage, shadowy transnational cybercriminal gangs and bedroom-bound hacktivists capture many of the headlines, the threat of malicious behaviour or accidental damage caused by staff is also very much front-of-mind for CIOs and security bosses. Staff error is in fact a bigger source of breaches (26%) than malicious insiders (10%) or organised crime (23%), according to PwC's 2015 Information Security Breaches Survey.

How can HR help reduce these risks? Well, fundamentally by becoming a department of "We" as opposed to IT's reputation as a department of "No". This means fostering a corporate culture where employees enjoy working there, believe in the company's core values and respect and value their colleagues. This might be easier said than done but it's by no means impossible. And one of the notable spin-off benefits for IT should be that staff are less likely to do something that harms the company – whether that is absent-mindedly sharing sensitive information online, interfering with IT systems to cause deliberate damage, or stealing and selling on corporate data.

Time to join up

That's really a long-term goal to work towards.
But there are things IT and HR should be discussing together now which can result in quicker wins. The first is for HR to vet candidates for all roles in order to weed out any who may represent a malicious or accidental insider threat. Part of this is choosing those whose values align most closely with the company and its current staff, of course. But it's also important to find out whether they've had any part to play in a data breach or related incident at a previous employer. Vetting candidates at this stage could prevent a lot of pain further down the line.

IT should also be approaching HR to take on more of the workload when it comes to staff training and awareness-raising programmes. The security department will need to share its expertise on the kinds of things that need to be included on such courses. But HR has a valuable role to play in communicating this in a compelling manner, and managing the courses as effectively as possible.

Similarly, HR could do more to help create, communicate and enforce IT policy. As with training and education, the IT side of the business is often prone to fill guidance with too much technical jargon. As experts in people skills, HR's job should be to soften this advice down and translate it into something every employee can understand.

On the flip side, they should also be taking the lead in terms of enforcing this policy. Again with input from IT on what to look out for, HR staff should be able to spot tell-tale clues that could indicate that an employee represents an insider threat. This could be anything from losing more than one device within a short time frame, to downloading sensitive corporate information onto removable media. Technology tools like data loss prevention can help here, of course, but there must be a well-thought-out policy behind them.

In the end, organisations can only do their best to minimise the risk posed by the insider threat. It's very difficult to catch a determined and tech-savvy employee.
But by liaising more closely with Human Resources, IT leaders could at best reduce the risk of data loss and business disruption, potentially saving significant sums of money and preserving the company's reputation. And at the very least, it could free up an ever-understaffed and overworked department to concentrate on more strategic IT tasks, driving business growth and innovation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com