In July, a Texas court sentenced a former Citibank technology executive to 21 months in prison for uploading malicious commands to the bank’s Global Control Center routers. Lennon Ray Brown’s self-proclaimed “revenge” against management after a poor job review congested network traffic and resulted in a network and phone access outage to about 90% of Citibank branches across the United States. Even more recently, London police arrested a Sage Group employee on suspicion of conspiracy to defraud the company, after Sage disclosed that an internal login had been used to gain unauthorized access to the personal details of nearly 300 customers.
Could these acts – or in the case of Sage, alleged acts – of sabotage have been prevented? Possibly – if infosec were taking advantage of a significant source of intelligence that is already available in the company and that the company is already paying for.
It’s your HR team.
For example, the HR team could have informed infosec that Brown might be an increased security risk, and infosec could have monitored him – and any abnormal behavior – to detect and prevent the incident before it happened. While HR can’t legally disclose specific information about the negative work events (e.g. bad reviews, terminations, demotions) that preceded more than 90% of insider threat cases, it can notify infosec that a security risk has increased. Because HR has a different viewpoint on employees and potential risks, it is important that they become involved.
Not sharing vital information that could help prevent insider threats is far too common. In fact, according to the Insider Threat Spotlight Report (ITSR), crowdsourced by a group of companies and individuals in the security space, 48% of 500 infosec employees surveyed said a lack of collaboration between departments is a significant barrier to better insider threat management, up 10% since last year’s survey.
Getting HR on Board
So what should infosec do to ensure it’s getting all the intelligence that could make a difference without violating employee privacy? While infosec is responsible for all forms of corporate security, it needs HR involvement, not just before the hire is on board (conducting background checks, reference checks, etc.), but throughout the employment lifecycle.
So, how does infosec get HR to help?
First, talk to HR about how costly insider attacks can be to a company – estimated at up to $500,000 or more to remediate, according to the ITSR – and the valuable role HR can play in reducing risk without compromising employee privacy. Ask for their suggestions on how to work together to detect and prevent these attacks. Get their buy-in on the security process. Invite them to be part of a security task force made up of representatives from HR, infosec and legal, an extension of the incident response team that will need to engage should an insider incident occur.
Once your core team is in place, work together to install policies to improve communication along with measures to protect privacy. Consider these steps:
• Determine a 10-point risk rating, giving every position a ranking
• Document what level of privilege and access each position requires, and think about worst-case scenarios. What is the worst thing(s) someone in this position could do in relation to company confidential information, key systems, finances or reputation? Translate that information into a “positional risk score” as well
• The greater the privilege and access to sensitive data, the greater the risk, and higher the ranking. Determine the appropriate level of employee scrutiny (or monitoring). Lower risk requires a different level of scrutiny than higher risk
• Create interdepartmental communications procedures. When events occur that may impact an employee’s behavior, HR should let infosec know to increase the position ranking (and level of review) if there is any reason to suspect a security risk. For example, HR can recommend that the risk level associated with “Joe’s” position be elevated from “4” to “8,” because the team knows that a risk level “8” is monitored differently, and more actively, than risk level “4.” Once it is clear that the elevated risk is not translating into a threat, a simple request to revert to “4” is all that’s needed. These actions can be taken without disclosing any employee’s confidential information.
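The positional risk register and the elevate/revert exchange described in these steps, as an added example that is not from the original article: the score thresholds, the max-of-factors scoring rule and the position names are assumptions, and the point to note is that the audit record carries only the score change and the requester, never the HR reason behind it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed mapping of the 10-point positional risk score to a monitoring level.
def monitoring_level(score: int) -> str:
    if not 1 <= score <= 10:
        raise ValueError(f"risk score out of range: {score}")
    if score <= 3:
        return "baseline"   # standard access logging only
    if score <= 6:
        return "elevated"   # behavior-analytics alerts reviewed on a schedule
    return "active"         # anomalies reviewed daily, escalated to the task force

# Assumed scoring rule: take the highest of the three 1..10 factors so that a
# position with one severe factor (e.g. worst-case impact) is never averaged down.
def positional_risk_score(privilege: int, data_access: int, worst_case: int) -> int:
    factors = (privilege, data_access, worst_case)
    if any(not 1 <= f <= 10 for f in factors):
        raise ValueError("each factor must be 1..10")
    return max(factors)

@dataclass
class RiskRegister:
    scores: dict = field(default_factory=dict)   # position -> current score
    audit: list = field(default_factory=list)    # score changes only, no HR detail

    def add_position(self, position: str, privilege: int, data_access: int, worst_case: int) -> int:
        self.scores[position] = positional_risk_score(privilege, data_access, worst_case)
        return self.scores[position]

    def set_score(self, position: str, new_score: int, requested_by: str) -> str:
        """Apply an HR elevate or revert request. Only the score moves; the
        reason (review, demotion, resignation) is never recorded here."""
        old = self.scores[position]
        level = monitoring_level(new_score)          # also validates the range
        self.scores[position] = new_score
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "position": position, "from": old, "to": new_score,
            "requested_by": requested_by,
        })
        return level

if __name__ == "__main__":
    reg = RiskRegister()                            # constructed sample positions
    reg.add_position("network-admin", privilege=9, data_access=7, worst_case=10)
    reg.add_position("joe-analyst", privilege=4, data_access=4, worst_case=3)
    print(reg.set_score("joe-analyst", 8, "hr"))    # HR elevates: active
    print(reg.set_score("joe-analyst", 4, "hr"))    # HR reverts: elevated
```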
HR might also be concerned about how infosec monitors employees, whatever their position risk rating. Technologies such as user behavior analytics look at patterns of behavior and do not require inspection of the content of an employee’s activity to deliver on their promise of detecting insider threats. User activity monitoring software includes the ability to capture and review an employee’s specific actions, including their emails or texts, if needed. There are versions of both that let you configure the types of activity monitored to align with your organization’s goals, with privacy protections woven throughout to address HR concerns.
Use the intelligence you already have – your HR department. Getting HR involved and on board with these policies will help the company determine the right balance between company security and employee privacy, while providing infosec with much-needed intelligence so you can be prepared to enhance employee monitoring after personnel issues, during times of corporate uncertainty, and when “outside factors” exist that are known to drive insider threat behaviors. This will help eliminate potentially costly attacks and keep your company from being the next international headline.