Information security research isn't always about bits and bytes, attack trends and new malware samples. Sometimes it challenges us to look instead at the human side of the industry – which is no less important. Recent research that caught my eye revealed that a majority of employees in the UK, US, Germany and Australia believe HR should take on a bigger role in IT security. This includes things like training, disciplinary action, and vetting of candidates for new roles with the company.
Given the nature of the insider threat we face today, I couldn't agree more that HR and IT should work more closely together. But it's senior decision makers on the IT side that need to make the first move.
The value of HR
While tales of nation-state cyber espionage, shadowy transnational cybercriminal gangs and bedroom-bound hacktivists capture many of the headlines, the threat of malicious behaviour or accidental damage caused by staff is also very much front-of-mind for CIOs and security bosses. Staff error is in fact a bigger source of breaches (26%) than malicious insiders (10%) or organised crime (23%), according to PwC's 2015 Information Security Breaches Survey.
How can HR help reduce these risks? Well, fundamentally by becoming a department of "We", as opposed to IT's reputation as a department of "No". This means fostering a corporate culture where employees enjoy working there, believe in the company's core values, and respect and value their colleagues. This might be easier said than done, but it's by no means impossible. And one of the notable spin-off benefits for IT should be that staff are less likely to do something that harms the company – whether that is absent-mindedly sharing sensitive information online, interfering with IT systems to cause deliberate damage, or stealing and selling on corporate data.
Time to join up
That's really a long-term goal to work towards. But there are things IT and HR should be discussing together now which can result in quicker wins. The first is for HR to vet candidates for all roles in order to weed out any who may represent a malicious or accidental insider threat. Part of this is choosing those whose values align most closely with the company and its current staff, of course. But it's also important to find out whether they've had any part to play in a data breach or related incident at a previous employer. Vetting candidates at this stage could prevent a lot of pain further down the line.
IT should also be approaching HR to take on more of the workload when it comes to staff training and awareness raising programmes. The security department will need to share its expertise on the kinds of things that need to be included on such courses. But HR has a valuable role to play in communicating this in a compelling manner, and managing the courses as effectively as possible.
Similarly, HR could do more to help create, communicate and enforce IT policy. As with training and education, the IT side of the business is often prone to fill guidance with too much technical jargon. As experts in people skills, HR's job should be to soften this advice and translate it into something every employee can understand. On the flip side, they should also be taking the lead in terms of enforcing this policy. Again with input from IT on what to look out for, HR staff should be able to spot the tell-tale clues that could indicate that an employee represents an insider threat. This could be anything from losing more than one device within a short time frame, to downloading sensitive corporate information onto removable media. Technology tools like data loss prevention can help here, of course, but there must be a well-thought-out policy behind them.
In the end, organisations can only do their best to minimise the risk posed by the insider threat. It's very difficult to catch a determined and tech-savvy employee. But by liaising more closely with Human Resources, IT leaders could at best reduce the risk of data loss and business disruption, potentially saving significant sums of money and preserving the company's reputation. And at the very least, it could free up an ever-understaffed and overworked department to concentrate on more strategic IT tasks, driving business growth and innovation.
Raimund Genes is CTO of Trend Micro