



HR’s Growing Role in Cybersecurity

Companies worried about cybersecurity should know that the real risk is inside their corporate firewall. Corporate leaders spend a lot of time worrying about nation-state actors and ransomware gangs, but in Gartner Predicts 2023: Cybersecurity Industry Focuses on the Human Deal, the analyst firm reports that in the next two years, roughly 50% of major cybersecurity incidents will be attributed to human failure or a lack of talent.

Our own investigations point the same way: roughly half of the people who work at any given company are a cybersecurity risk, even though most employees do not think of themselves as one. Our research has shown that roughly 50% of people in any organization regularly save confidential IP from projects they have contributed to into personal storage, for later access in case they leave the company.

Just-in-time intervention from IT and HR

Most of these internal cybersecurity lapses aren’t malicious. Often the employees involved are lax about following security protocols or are unaware of the policies that prohibit this kind of behavior. For these employees, intervention at the point of the incident is usually enough to strengthen the organization’s security posture: IT can set up alerts for when someone veers off recommended practices, and HR can reiterate the policies on intellectual property. The alert has to be specific enough to act on, for example project files copied to personal storage, rather than a generic policy reminder.

What is more concerning for enterprises is that 12% of these employees take data from projects they haven’t worked on. Think of salespeople trying to get their hands on the Glengarry leads, or a biopharma scientist downloading her company’s latest cancer drug research even though she works on diabetes medicine. And that 12% is rising.

Layoffs and increased risk

Another contributing factor to the loss of IP is the current climate of mass layoffs. As companies trim their budgets to prepare for the impact of global economic headwinds, employees see the same storm clouds and worry that their careers could be torpedoed without warning. Workforce reductions and perceived job insecurity have made employees who fear finding a pink slip in the morning email accelerate the exfiltration of content they have access to.

Since the onset of the pandemic, employee loyalty has waned. In-demand remote workers know that if they can work from anywhere, they can work for anyone. Employees’ lack of connection to the corporate homebase has made them more prone to engage in acts that don’t benefit their employer, like grabbing as much IP as possible before they bolt for a competitor.

Because so much of an organization’s risk is insider risk, companies have needed to reevaluate the relationship between their IT departments and HR. For years, we expected security teams to sound the alarm on cybersecurity risks and hand the problems they found over to HR, but like many things in the current work-from-anywhere era, that model has been upended. HR teams are now raising alarms for IT teams. In fact, a review of real-life investigations revealed a 75% increase in the number of security investigations started by HR departments in 2022.

It makes sense. HR certainly knows which employees will be affected by the next round of layoffs, and a well-run HR department also knows which employees pose the biggest risk to an organization, whether it’s a disgruntled employee who was passed over for a key promotion or someone who has recently been put on a performance improvement plan. Today’s HR departments need to engage in proactive cybersecurity alongside security teams to safeguard their institutions. Waiting for IT to find and flag a potential security concern is like being on the Titanic and asking about the number of lifeboats after the ship has hit the iceberg. It’s a good question, but a little too late to avert a disaster.
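To make the two halves of this concrete, here is an added example (written for this edit, not DTEX tooling or DTEX data) that joins the IT-side signals from the earlier sections (access to projects an employee has not worked on, bulk downloads, copies to personal storage) with the HR-side signals this section describes (notice given, performance improvement plan, passed over for promotion) into a single ranked list for triage. The log format, the project membership table, the HR signal names, the thresholds and the weights are all constructed assumptions for illustration; a real deployment would take them from its own DLP, identity and HR systems.

```python
import re
from collections import defaultdict

# Constructed sample inputs (hypothetical, not real investigation data).
# Who is assigned to which project; access outside this map is "out of scope".
PROJECT_MEMBERS = {
    "diabetes-rx": {"alice", "bob"},
    "oncology-rx": {"carol"},
    "q3-leads": {"dave", "erin"},
}

# Signals HR already holds and can share with the security team.
HR_SIGNALS = {
    "alice": {"pip"},            # on a performance improvement plan
    "dave": {"notice_given"},    # has resigned, still has access
}

# One event per line: ISO timestamp, user, action, project/path, bytes.
ACCESS_LOG = """\
2023-05-01T09:12:00Z alice download diabetes-rx/protocol.docx 120000
2023-05-01T09:40:00Z alice download oncology-rx/compound-7.pdf 900000
2023-05-01T10:05:00Z bob download diabetes-rx/notes.txt 4000
2023-05-02T18:30:00Z dave download q3-leads/accounts.xlsx 2500000
2023-05-02T18:31:00Z dave download q3-leads/pipeline.xlsx 1800000
2023-05-02T18:32:00Z dave download q3-leads/contacts.csv 600000
2023-05-02T18:33:00Z dave download q3-leads/pricing.pdf 300000
2023-05-02T18:34:00Z dave upload-personal q3-leads/accounts.xlsx 2500000
2023-05-03T11:00:00Z carol download oncology-rx/compound-7.pdf 900000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^/\s]+)/(\S+) (\d+)$")

# Tunable thresholds and weights (assumptions for this example only).
BULK_FILES = 4            # files per user in the review window
BULK_BYTES = 5_000_000    # bytes per user in the review window
HR_WEIGHT = {"notice_given": 3, "pip": 2, "passed_over": 2}


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, project, path, size = m.groups()
        events.append({"ts": ts, "user": user, "action": action,
                       "project": project, "path": path, "bytes": int(size)})
    return events


def score_users(events, members=PROJECT_MEMBERS, hr=HR_SIGNALS):
    """Return {user: {"score": int, "reasons": [...]}} combining IT and HR signals."""
    stats = defaultdict(lambda: {"files": 0, "bytes": 0,
                                 "out_of_scope": set(), "personal": 0})
    for e in events:
        s = stats[e["user"]]
        s["files"] += 1
        s["bytes"] += e["bytes"]
        # Access to a project the user is not assigned to (the 12% case).
        if e["user"] not in members.get(e["project"], set()):
            s["out_of_scope"].add(e["project"])
        # Copy of company data to personal storage.
        if e["action"] == "upload-personal":
            s["personal"] += 1

    results = {}
    for user, s in stats.items():
        score, reasons = 0, []
        if s["out_of_scope"]:
            score += 3 * len(s["out_of_scope"])
            reasons.append("out_of_scope:" + ",".join(sorted(s["out_of_scope"])))
        if s["files"] >= BULK_FILES or s["bytes"] >= BULK_BYTES:
            score += 2
            reasons.append("bulk")
        if s["personal"]:
            score += 3
            reasons.append("personal_storage")
        # HR-originated context raises priority; it is never the only trigger.
        for sig in sorted(hr.get(user, ())):
            score += HR_WEIGHT.get(sig, 1)
            reasons.append("hr:" + sig)
        results[user] = {"score": score, "reasons": reasons}
    return results


def ranked(events, **kw):
    """Highest-priority users first; ties broken by name for stable output."""
    return sorted(score_users(events, **kw).items(),
                  key=lambda kv: (-kv[1]["score"], kv[0]))


if __name__ == "__main__":
    for user, r in ranked(parse_log(ACCESS_LOG)):
        print(f"{user:6} score={r['score']:2} {', '.join(r['reasons'])}")
```

In the constructed data the departing salesperson who bulk-downloads his own project's lead lists and pushes one to personal storage ranks first, and the scientist on a performance plan who pulled an oncology file while assigned to diabetes ranks second; the two in-scope users score zero. The design point is that the HR signal only adds weight to an activity-based finding, which keeps a performance plan or a resignation from becoming an accusation on its own.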

For the foreseeable future, IT and HR need to collaborate on cybersecurity. HR needs to recognize that every employee is an insider risk, and the company should be thinking proactively about how to stop those risks from turning into threats, whether through education, awareness or policy change. HR needs to have conversations with security teams to gain a deeper understanding of its role in improving cybersecurity hygiene. These often-siloed departments need to talk. It’s time to start those conversations.

Register to join the DTEX i3 Team for a deep dive into the top early warning indicators of insider risk and the technical trends associated with employee attrition and data loss. Our investigators will draw on the insights from our 2023 Insider Risk Report to provide hands-on guidance on how to move the needle, and get left of boom, for proactive risk mitigation.