These days, human resource department leaders must wear many different hats. From talent acquisition strategist to culture ambassador, from conflict resolver to benefits guru, from legal compliance watchdog to diversity and inclusion advocate, the breadth and depth of their responsibilities touch every box in the company org chart.
Given the expansive and cross-functional role of HR within the organization, it should come as little surprise that security leaders are eager to tap HR's collective expertise as they attempt to combat what is perhaps the most challenging and insidious threat that the enterprise faces today: insider risk.
Quantifying the human element of risk
The term "insider risk" represents a wide spectrum of behaviors. Whether it’s a scorned employee who intentionally leaks sensitive company information, a negligent worker who inadvertently exposes critical data, or a well-meaning staff member who falls prey to sophisticated phishing attacks, every potential insider risk incident shares one common attribute: the human element.
From an HR perspective, people are the engine that fuels innovation in the modern enterprise, and HR teams view them as the organization's greatest asset. For security teams, however, humans are often regarded as the "weakest link" in the security chain, because they can be duped by clever social engineering tactics. In other words, it doesn't matter how strong your security systems are if the individuals entrusted with safeguarding an organization's most valuable assets can themselves be easily compromised.
Unfortunately, most organizations don’t fully appreciate the cost of an Insider Risk incident until they’ve experienced it firsthand. According to the 2023 Data Exposure Report, the average cost of an Insider Risk event is estimated at a staggering $16 million per incident. More worrying still, over three quarters (76%) of CISOs expect data loss from insider events to increase at their company in the next 12 months.
Further complicating the insider risk calculus is the nature of the modern mobile workplace itself. Employees have grown accustomed to using a mix of personal and corporate-owned devices. They connect from their home, the office and everywhere in between. They also rely on an ever-increasing assortment of web-based services and platforms to collaborate and stay productive.
Of course, this convenience and flexibility comes with a price – the easier it is to connect, the greater the chance that an employee can either intentionally or accidentally become a future security liability.
5 ways HR can help mitigate insider risk
Because insider risk is fundamentally rooted in the behaviors, motivations and actions of an organization’s employees, it requires a human-focused approach. HR leaders should consider the following five strategies as they look to reduce their insider risk exposure:
- Lead with empathy: Humans are not machines. We often make emotional decisions, and sometimes, we make honest mistakes. Leading with empathy means accepting this and creating an environment where employees are not automatically blamed when a policy is breached. Take a common scenario, in which a busy employee shares a document to an unsanctioned cloud service. Rather than punishing them, an empathetic approach might instead trigger an alert and share educational materials that remind users about proper data-sharing protocols. Employees who are equipped with the knowledge to understand the risk are then given an opportunity to correct their behavior without fear. This allows for an organizational culture that is supportive and understanding, facilitating improved compliance and fostering mutual respect and cooperation between employees, security, and leadership.
- Assess, improve, repeat: Minimizing the possibility of Insider Risk requires not only identifying potential vulnerabilities in internal processes but also continuously improving the feedback loop so employees can incorporate these learnings into their day-to-day work routine. This process should begin on day one with an employee's onboarding, where the importance of security is made abundantly clear. Initial onboarding sessions should focus on clarifying the different levels of data classification, distinguishing between personal and company property as well as between public, restricted, and confidential information. By ensuring that employees are educated early and consistently over time, they will be able to make better decisions regarding what information the company considers proprietary.
- Transparency builds trust: Generally speaking, employees don’t want to feel like they’re being constantly monitored. They value autonomy, independence and self-direction. It’s essential to be fully transparent about organizational data policies not just for compliance but also to foster a sense of trust and mutual respect between an organization and its employees. It also helps in addressing concerns employees might have regarding how their data is being handled, used, or monitored. Moreover, when organizations are open about their intentions and actions, it empowers employees to voice their concerns, ask questions, and suggest improvements. When workers understand why certain policies are in place and how they serve to protect both their own and the organization’s interests, they will be far more likely to adhere to these policies.
- Identify early indicators: Mature security teams have learned that recognizing the early indicators of a network compromise can dramatically shorten response time — which directly correlates with monetary impact. While internal threats can be more challenging to root out, there are often subtle but telling behavioral indicators that can signal a potential internal security risk. These may include sudden and unexplained changes in work habits, unusually frequent access to sensitive or confidential information, or attempts to bypass security protocols. By closely monitoring these behavioral signals, organizations can gain valuable insights into potential internal threats, allowing for timely intervention. HR can partner with security teams to help address these early indicators and raise them with an employee's manager.
- Connect to protect: Because HR plays a foundational role across every phase of an employee’s work lifecycle — from screening and hiring, promotions and reassignments, through their post-employment departure — they are integral in establishing and maintaining a secure organizational environment. Sitting at the nexus of employee development and training, HR leaders must work closely with their security counterparts to ensure that all employees are properly trained on existing security protocols and know about the latest threats. This partnership is especially critical when an employee or contractor leaves an organization, as HR and security will need to be well coordinated to ensure that access to internal systems is promptly revoked, and that departing individuals aren’t taking any proprietary intellectual property with them.
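The "lead with empathy", "identify early indicators" and "connect to protect" points above all depend on security being able to join HR data with activity data. The following added example (not code from the article or any vendor it mentions) shows one way to do that in Python: a constructed HR roster and a constructed access log are checked for three signals the article describes: activity from an account whose HR record says the person has left (an offboarding gap), a spike in sensitive-document reads relative to a user's own baseline (an early indicator), and an upload to a cloud host outside a sanctioned list, which produces an educational nudge rather than a disciplinary record. The roster fields, the `confidential/` path prefix, the sanctioned host list and the spike threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster (example data, not a real organisation). "left" is the
# last working day recorded by HR, or None for current staff.
HR_ROSTER = {
    "alice": {"dept": "engineering", "left": None},
    "bob":   {"dept": "finance",     "left": date(2024, 5, 31)},
    "carol": {"dept": "sales",       "left": None},
}

# Constructed access events: (date, user, action, target). For "read" the
# target is a document path; for "upload" it is the destination host.
ACCESS_LOG = [
    (date(2024, 6, 1), "alice", "read", "confidential/roadmap.pdf"),
    (date(2024, 6, 1), "alice", "read", "public/handbook.pdf"),
    (date(2024, 6, 2), "alice", "read", "confidential/roadmap.pdf"),
    (date(2024, 6, 3), "alice", "read", "confidential/roadmap.pdf"),
    # carol's baseline: one sensitive read per day for three days...
    (date(2024, 6, 1), "carol", "read", "confidential/pricing.xlsx"),
    (date(2024, 6, 2), "carol", "read", "confidential/pricing.xlsx"),
    (date(2024, 6, 3), "carol", "read", "confidential/pricing.xlsx"),
    # ...then a burst of sensitive reads on the most recent day
    *[(date(2024, 6, 4), "carol", "read", f"confidential/customer-{i}.csv")
      for i in range(8)],
    # bob's HR record says he left on 31 May, yet his account is still in use
    (date(2024, 6, 2), "bob", "read", "confidential/ledger.xlsx"),
    # a busy employee shares a file to a host outside the sanctioned list
    (date(2024, 6, 4), "alice", "upload", "files.example-personal.net"),
    (date(2024, 6, 4), "carol", "upload", "drive.corp.example"),
]

SANCTIONED_HOSTS = {"drive.corp.example"}  # assumed policy for the example
SENSITIVE_PREFIX = "confidential/"         # assumed classification marker


def offboarding_gaps(log, roster):
    """Users whose HR record says they left but who still generated activity.
    Returns sorted (user, date) pairs for HR and security to reconcile."""
    gaps = set()
    for day, user, _action, _target in log:
        left = roster.get(user, {}).get("left")
        if left is not None and day > left:
            gaps.add((user, day))
    return sorted(gaps)


def sensitive_access_spikes(log, factor=3.0, min_count=5):
    """Flag users whose sensitive-document reads on their latest active day
    exceed `factor` times their average on earlier days and reach `min_count`.
    A user seen on only one day has no baseline and is not flagged."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, action, target in log:
        if action == "read" and target.startswith(SENSITIVE_PREFIX):
            per_day[user][day] += 1
    flagged = {}
    for user, counts in per_day.items():
        days = sorted(counts)
        if len(days) < 2:
            continue
        latest = days[-1]
        baseline = sum(counts[d] for d in days[:-1]) / (len(days) - 1)
        if counts[latest] >= min_count and counts[latest] > factor * baseline:
            flagged[user] = {"day": latest, "count": counts[latest],
                             "baseline": baseline}
    return flagged


def unsanctioned_share_nudges(log, sanctioned):
    """Uploads to hosts outside the sanctioned set. Each record carries an
    educational reminder for the user rather than a disciplinary action."""
    nudges = []
    for day, user, action, target in log:
        if action == "upload" and target not in sanctioned:
            nudges.append({
                "user": user, "day": day, "host": target,
                "message": ("Company data may only be shared via sanctioned "
                            "services; see the data-sharing guide."),
            })
    return nudges


if __name__ == "__main__":
    print("offboarding gaps:", offboarding_gaps(ACCESS_LOG, HR_ROSTER))
    print("access spikes:", sensitive_access_spikes(ACCESS_LOG))
    print("nudges:", unsanctioned_share_nudges(ACCESS_LOG, SANCTIONED_HOSTS))
```

Run as written, the offboarding check reports bob's activity on 2 June, the spike check flags carol (8 sensitive reads against a baseline of 1 per day) while alice's steady single daily read stays quiet, and only alice's upload to the non-sanctioned host produces a nudge. The per-user baseline is what keeps the indicator from penalising roles that legitimately read confidential material every day, and the nudge record is the hook for the educational response the article recommends.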
Given the velocity and dynamic nature of today's digital enterprise, there's no doubt that the threat of Insider Risk will only grow in the coming years. The HR leaders who appreciate these risks and work effectively with their security teams will not only help safeguard the competitiveness of their own organization, but will also secure their seat at the executive table.