Written by Josh Lefkowitz, CEO of Flashpoint
Today, corporate security is everyone’s responsibility. Whether you work in procurement, finance, sales, or legal, you need to identify and manage risks—digital and physical—related to your department. The human resources department is no different and this team faces a specific security risk that is now a major concern for organisations: insider threat. Businesses and their HR teams need to make sure they’re not inviting risk into their ecosystem in the guise of employees who may not be all they seem, or who become a risk during employment.
Recognising the human factor in security breaches
Security breaches, whether deliberate or unintentional, almost always involve a human element. It could be a mistake by a worker who accidentally clicks a malware link, or a deliberate attempt to steal the organisation’s intellectual property. Either way, the impact can be devastating because the employee has privileged access to the company’s systems and data. While IT security departments can deploy a range of technologies to detect and counter threats, there is an important psychological and behavioural element that must also be understood and managed. That is why human resources (HR) departments should be fully involved in insider threat programmes (ITPs).
There are three key high-risk moments in the employee lifecycle when HR and security teams should work together:
Before you hand over the keys to the kingdom: pre-employment screening
Taking references on prospective employees has always been the responsibility of the HR department. These usually focus on competence and suitability for the role plus legal factors such as criminal records and Disclosure and Barring Service (DBS) checks. However, with the wealth of data available on individuals, we’re now seeing wider due diligence checks on the employee’s digital footprint in social media and internet presence to identify red flags that could cause a problem for the organisation’s security and reputation. This is a sensible precaution, but it doesn’t always give the whole picture.
A prospective employee’s presence on illicit online communities—such as deep & dark web (DDW) forums and marketplaces, chat services platforms, and other sites frequented by threat actors—is unlikely to be picked up in general screening. Those using these types of communities want to exist below the radar, yet these individuals are the ones likely to pose a threat to businesses. For example, Flashpoint analysts observing a DDW forum uncovered links between a prospective employee of a Fortune 500 retailer and a threat actor with a history of recruiting insiders to steal corporate data. Once alerted, the retailer was able to halt the individual’s employment application and apply intelligence-led countermeasures to reinforce security of sensitive data which was specifically being targeted.
Without that intelligence from the DDW forum, the retailer would have unwittingly weakened its risk posture. DDW access and the understanding of illicit communities, however, is not something that most HR professionals have. Business risk intelligence can close the gap and enhance the ITP with specialists who have visibility into the DDW and other illicit online communities where insider threat activity is planned, and agents are recruited.
During employment: monitor for disgruntled or compromised employees
Even if an employee is low risk when they join a company, that doesn’t mean they will stay that way.
The internet is home to various active communities aimed at recruiting company insiders to provide access to networks or extract data. After all, it is easier to recruit someone who is already on the inside than place a ‘plant’ from the outside. Operating via forums or through chat services apps, cybercriminals offer very attractive rates of pay to willing insiders at high value targets such as banks, technology companies, and retailers. Companies operating in territories where legitimate pay rates are low are particularly susceptible. Employees who find themselves under financial pressure may be tempted to sell their services to a high bidder.
Alternatively, employees who become dissatisfied with the company may aim to “punish” it and make money at the same time. HR teams need to be aware of staff well-being and potential red flags, such as low morale or if an employee is undergoing a formal grievance procedure or official reprimand and inform the ITP team as a matter of process.
Having identified employees with grievances or known financial pressures, HR can work with IT teams using tools such as user behaviour analytics to track their access to systems and data that wouldn’t usually be part of their remit. Additionally, business risk intelligence gives insight into the organisation’s profile on the DDW and other illicit online communities to indicate the threat level facing the business. If threat actors are actively seeking insiders at your organisation, you know that your employees are being targeted and can mitigate risk accordingly.
At termination: secure off-boarding
An obvious high-risk moment is when an employee leaves an organisation. Even if they exit on good terms, research shows that workers often have a proprietary attitude towards data that they have worked on during their employment. HR should firmly remind departing employees of data security policies to avoid becoming an unwitting threat as they exit the company.
HR teams should also supply security teams with details of all departing employees so that network access can be revoked immediately when they leave their post. An analysis of the employee’s network activity prior to departure should be done to identify any incidents of breach.
We know that the human factor is one of the biggest unavoidable weaknesses in corporate security strategy and the most difficult to manage. That is why HR teams need to work alongside Insider Threat Programme teams to gain a full overview of employee risk and deploy employee verification procedures, robust policies, and intelligence to mitigate insider threat and avoid inviting risk into the organisation.