BreachExchange mailing list archives

Insider Threat detection - Joining up HR and IT helps with training and revealing insider threat indicators


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 30 Sep 2015 15:59:18 -0500

http://www.cio.co.uk/insight/security/insider-threat-detection-joining-up-hr-it-3626421/

Information security research isn't always about bits and bytes, attack
trends and new malware samples. Sometimes it challenges us to look instead
at the human side of the industry – which is no less important. Recent
research that caught my eye revealed that a majority of employees in the
UK, US, Germany and Australia believe HR should take on a bigger role in IT
security. This includes things like training, disciplinary action, and
vetting of candidates for new roles with the company.

Given the nature of the insider threat we face today, I couldn't agree more
that HR and IT should work more closely together. But it's senior decision
makers on the IT side that need to make the first move.

The value of HR

While tales of nation state cyber espionage, shadowy transnational
cybercriminal gangs and bedroom bound hacktivists capture many of the
headlines, the threat of malicious behaviour or accidental damage caused by
staff is also very much front-of-mind for CIOs and security bosses. Staff
error is in fact a bigger source of breaches (26%) than malicious insiders
(10%) or organised crime (23%), according to PwC's 2015 Information
Security Breaches Survey.

How can HR help reduce these risks? Well fundamentally by becoming a
department of "We" as opposed to IT's reputation as a department of "No".
This means fostering a corporate culture where employees enjoy working
there, believe in the company's core values and respect and value their
colleagues. This might be easier said than done but it's by no means
impossible. And one of the notable spin-off benefits for IT should be that
staff are less likely to do something that harms the company – whether that
is absent-mindedly sharing sensitive information online, interfering with
IT systems to cause deliberate damage, or stealing and selling on corporate
data.

Time to join up

That's really a long-term goal to work towards. But there are things IT and
HR should be discussing together now which can result in quicker wins. The
first is for HR to vet candidates for all roles in order to weed out any
who may represent a malicious or accidental inside threat. Part of this is
choosing those whose values align most closely with the company and its
current staff, of course. But it's also important to find out whether
they've had any part to play in a data breach or related incident at a
previous employer. Vetting candidates at this stage could prevent a lot of
pain further down the line.

IT should also be approaching HR to take on more of the workload when it
comes to staff training and awareness raising programmes. The security
department will need to share its expertise on the kinds of things that
need to be included on such courses. But HR has a valuable role to play in
communicating this in a compelling manner, and managing the courses as
effectively as possible.

Similarly, HR could do more to help create, communicate and enforce IT
policy. As with training and education, the IT side of the business is
often prone to fill guidance with too much technical jargon. As experts in
people skills, HR's job should be to soften this advice down and translate
it into something every employee can understand. On the flip side, they
should also be taking the lead in terms of enforcing this policy. Again
with input from IT on what to look out for, HR staff should be able to spot
tell-tale clues that could indicate that an employee represents an insider
threat. This could be anything from losing more than one device within a
short time frame, to downloading sensitive corporate information onto
removable media. Technology tools like data loss prevention can help here,
of course, but there must be a well-thought-out policy behind them.
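As an added illustration (not part of the original article), the two indicators named above can be checked mechanically once HR and IT share their data. The records below are constructed samples standing in for HR's lost-device reports and endpoint removable-media logs, and the 90-day window, the two-loss threshold and the sensitivity labels are assumed values rather than anything the article specifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article): (user, date, device) and
# (user, timestamp, path, classification label) respectively.
DEVICE_LOSS_REPORTS = [
    ("alice", "2015-07-02", "laptop"),
    ("alice", "2015-08-15", "phone"),
    ("bob", "2015-03-01", "phone"),
    ("bob", "2015-09-20", "laptop"),
]

REMOVABLE_MEDIA_WRITES = [
    ("bob", "2015-09-21T10:04:00", "/finance/q3_forecast.xlsx", "CONFIDENTIAL"),
    ("carol", "2015-09-21T11:30:00", "/public/brochure.pdf", "PUBLIC"),
    ("carol", "2015-09-22T09:12:00", "/hr/salaries_2015.csv", "RESTRICTED"),
]

SENSITIVE_LABELS = {"CONFIDENTIAL", "RESTRICTED"}  # assumed labelling scheme

def repeat_device_losses(reports, window_days=90, threshold=2):
    """Return {user: count} for users with >= threshold losses in any window_days span."""
    by_user = defaultdict(list)
    for user, day, _ in reports:
        by_user[user].append(datetime.fromisoformat(day))
    flagged = {}
    for user, days in by_user.items():
        days.sort()
        # Sliding window: from each loss, count later losses inside the window.
        for i, start in enumerate(days):
            in_window = [d for d in days[i:] if d - start <= timedelta(days=window_days)]
            if len(in_window) >= threshold:
                flagged[user] = len(in_window)
                break
    return flagged

def sensitive_media_writes(events, sensitive=SENSITIVE_LABELS):
    """Return {user: [paths]} for removable-media writes of files carrying a sensitive label."""
    hits = defaultdict(list)
    for user, _, path, label in events:
        if label in sensitive:
            hits[user].append(path)
    return dict(hits)

def insider_indicators(reports, events):
    """Merge both indicator types into one per-user summary for joint HR/IT review."""
    losses = repeat_device_losses(reports)
    writes = sensitive_media_writes(events)
    return {user: {"device_losses_in_window": losses.get(user, 0),
                   "sensitive_media_writes": writes.get(user, [])}
            for user in set(losses) | set(writes)}
```

The output is a review queue, not a verdict: each flagged user still needs the policy-driven follow-up by HR that the article describes.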

In the end organisations can only do their best to minimise the risk posed
by the insider threat. It's very difficult to catch a determined and tech
savvy employee. But by liaising more closely with Human Resources, IT
leaders could at best reduce the risk of data loss and business disruption,
potentially saving significant sums of money and preserving the company's
reputation. And at the very least, it could free up an ever-understaffed
and overworked department to concentrate on more strategic IT tasks,
driving business growth and innovation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss