Date: 2023-04-14

One of the biggest threats to enterprises today isn't external actors such as hackers or cyber criminals, but employees who have privileged access to information (i.e., insiders). Studies show that more than half (60%) of organizations experienced an insider threat in 2022. Whether intentionally or unintentionally, when insiders expose or leak sensitive information, businesses risk losing not only proprietary data but also revenue, reputation, employee morale, and competitive advantage. When such situations arise, the role of cybersecurity suddenly becomes obvious. However, not many realize that human resources also has a major role to play, especially when it comes to monitoring, preventing, and mitigating insider threats. Let's explore the ways in which HR can contribute to the cybersecurity function.

1. Educate and Train Employees

If you look at data from the past few years, a majority of cyberattacks and breaches are the result of negligent insiders. Cybercriminals regularly target and phish employees with clever social engineering scams. Even disgruntled former employees, armed with enough knowledge and understanding of the operational aspects of the organization, can target current employees with highly convincing phishing messages. It is therefore important for organizations to regularly educate and train staff on emerging security risks.

That said, security awareness doesn't automatically translate into secure behavior. To shape secure behavior, organizations must build a culture of security. HR must work with leadership teams to build a culture that not only trains staff but also celebrates security in a way that is infectious, so that employees embrace it, value it, and are motivated to practice cyber mindfulness in their everyday activities.

2. Create a Supportive Environment

Insider threats seldom develop in isolation. Personal factors such as financial difficulties, family stressors, and health-related issues, as well as external factors such as a pandemic or industry-wide layoffs, can trigger emotions like fear and anxiety among employees, limiting their ability to practice secure behaviors. A toxic work environment, controversial policies, humiliation, a lack of counseling support, and other related factors can push individuals toward becoming malicious insiders.

Therefore, it is important for HR to promote employee assistance programs (EAPs) so that such stressors can be identified early, and to intervene proactively by offering support, practicing empathy, encouraging feedback, and allowing staff to express their opinions and grievances. Such an open, transparent, trusted, and supportive environment can go a long way toward mitigating insider threats and preventing employees from going rogue.

3. Contribute to Risk Management

HR can collaborate with information security teams to combine their knowledge of employee performance, behavioral indicators, and technical metrics, keeping a watchful eye and identifying risky insiders ahead of time. Since not every employee is a cybersecurity expert, HR must work with cybersecurity teams to develop security content and messaging that is tailored to different levels of security maturity. HR can also work with leadership teams to build a holistic risk management strategy that safeguards trade secrets and intellectual property while maintaining relationships with key customers, vendors, and partners.

Working with cybersecurity teams, HR can also play an active role in developing and maturing an organization's incident response and crisis management programs. Last but not least, HR information systems (HRIS) usually contain a lot of confidential information about employees (addresses, contact information, financial data, education, etc.). It is important that HR work with cybersecurity teams to maintain the privacy and security of this data for current and former employees alike.

4. Embed Security in Hiring, Onboarding, and Offboarding

Security must be a key consideration throughout the employee lifecycle (from the time an employee is hired to the time they are offboarded), and HR can play a big part here. For example, as part of the routine hiring process, HR can help conduct more thorough background checks to identify any previous convictions, credit issues, or workplace issues with previous employers. HR can also introduce mandatory security training as part of the onboarding process so that new hires understand right from the start that the business takes its security seriously.

From an offboarding perspective, HR must ensure that all corporate access is de-provisioned from every system (networks, servers, applications and developer tools, CRMs, intranets, knowledge bases, ERP, project management platforms, third-party and contractor systems... the list is long) and that company resources such as laptops, other devices, and building access badges are recovered. Studies show that 12% of employees carry intellectual property (IP) out the door when they leave.
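The de-provisioning step above is easy to state and hard to verify across a long list of systems, so a practical control is a periodic reconciliation of the HRIS termination feed against each system's account export. The script below is an added illustrative example, not code from the article; the employee ids, system names, account statuses, and asset register are all constructed here, and a real deployment would replace them with exports from the actual HRIS and identity systems. It flags every account still active after its owner's termination date and every asset not yet returned.

```python
"""Offboarding access reconciliation (illustrative example, constructed data).

Inputs, all hypothetical and built inline so the script runs offline:
  1. HRIS termination feed: employee id -> termination date
  2. per-system account exports: system name -> [(employee id, status), ...]
  3. asset register: employee id -> assets still checked out
"""
from dataclasses import dataclass, field
from datetime import date

# Reference date for the check (the article's own publication date).
AS_OF = date(2023, 4, 14)

# Constructed HRIS termination feed (hypothetical employee ids).
HRIS_TERMINATIONS = {
    "E1001": date(2023, 3, 31),
    "E1002": date(2023, 4, 7),
    "E1003": date(2023, 5, 1),   # future-dated termination: nothing to revoke yet
}

# Constructed account exports from the kinds of systems the article lists.
SYSTEM_EXPORTS = {
    "vpn":        [("E1001", "disabled"), ("E1002", "active"), ("E2000", "active")],
    "crm":        [("E1001", "active"),   ("E1002", "disabled")],
    "git-server": [("E1001", "active"),   ("E1002", "Active"), ("E1003", "active")],
    "erp":        [("E2000", "active")],
}

# Constructed asset register: employee id -> assets not yet returned.
ASSET_REGISTER = {
    "E1001": ["laptop", "badge"],
    "E1002": [],
}


@dataclass
class OffboardingFindings:
    # (employee id, system, days since termination) for accounts still active
    orphaned_accounts: list = field(default_factory=list)
    # (employee id, asset) for company property still checked out
    unreturned_assets: list = field(default_factory=list)


def reconcile(terminations, exports, assets, as_of):
    """Return accounts still active and assets still held by terminated staff.

    Only employees in the termination feed are checked, so current staff
    (e.g. E2000) are never flagged; future-dated terminations are skipped.
    Status comparison is case-insensitive because exports differ per system.
    """
    findings = OffboardingFindings()
    for emp_id, term_date in terminations.items():
        if term_date > as_of:
            continue
        days_overdue = (as_of - term_date).days
        for system, accounts in exports.items():
            for acct_id, status in accounts:
                if acct_id == emp_id and status.strip().lower() == "active":
                    findings.orphaned_accounts.append((emp_id, system, days_overdue))
        for asset in assets.get(emp_id, []):
            findings.unreturned_assets.append((emp_id, asset))
    findings.orphaned_accounts.sort()
    findings.unreturned_assets.sort()
    return findings


def is_clean(findings):
    """True when nothing is outstanding, i.e. offboarding is complete."""
    return not findings.orphaned_accounts and not findings.unreturned_assets


def report_lines(findings):
    """Human-readable lines for an HR / security review ticket."""
    lines = [f"ORPHANED ACCOUNT {emp} on {sys} ({days} days after termination)"
             for emp, sys, days in findings.orphaned_accounts]
    lines += [f"UNRETURNED ASSET {emp}: {asset}"
              for emp, asset in findings.unreturned_assets]
    return lines or ["offboarding complete: no outstanding access or assets"]


if __name__ == "__main__":
    for line in report_lines(reconcile(HRIS_TERMINATIONS, SYSTEM_EXPORTS,
                                       ASSET_REGISTER, AS_OF)):
        print(line)
```

Run against the constructed data it reports four orphaned accounts (E1001 on crm and git-server, E1002 on git-server and vpn) and two unreturned assets, while the current employee E2000 and the future-dated E1003 are left alone; in practice the same reconciliation would be scheduled after each termination date and its output routed to whoever owns each system.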

Insider risk has more to do with human psychology and less to do with technology; that's why HR is a complementary function to cybersecurity. Given the common perception of security staff as lacking "soft" people skills, HR can play an active role because, after all, reducing insider threats is about building trust, transparency, and a culture of resilience to cyber threats.