


Insider Risk Insights - DTEX Blog

The Value of HR in Your Insider Risk Management Program

The Importance of HR Data in your Insider Risk Management Program

Companies hire people, and while every one of those individuals presents a potential risk, not all (hopefully none) will manifest as an insider threat to the company. Because insider risk is a human challenge, one cannot identify or address insider risks (or threats) without human-driven data and input. This is one of many areas where the value of HR shines most. By virtue of its function, HR can offer valuable insights to the insider risk mission by surfacing concerning behaviors, motivations, and intentions of individuals, and by helping to ensure the most appropriate and proportionate means of mitigation.

HR: The earliest gatekeeper of insider risk

In the context of an IRM program, HR’s input and data bring the most value at the “open requirement” stage.

The HR department reviews, sorts, and passes candidates to the hiring manager for review. They ensure that each candidate has an in-person or virtual interview, and then sift and sort the interview results to evaluate both the candidate’s suitability for the specific task and their fit with the company.

HR is also responsible for verifying that the professional and education credentials are accurate and, most importantly, that the individual is who they say they are.

Most companies (though not all) conduct a background check pre-EOD (Enter on Duty). The more thorough the investigation, the higher the confidence level that the pre-employment responses regarding experience, education and identity are accurate. Recent U.S. indictments of individuals who supported North Korean IT workers in infiltrating over 300 companies by using stolen or borrowed identities demonstrate the importance of pre-employment vetting.

At the end of the day, HR has their hand on the front door and opens it only for those who have been appropriately vetted.

The HR-IT relationship

Every interaction with HR – be it employee recognition, promotion, reprimand, demotion, or employee assistance program referrals – presents high-fidelity data points that are of keen importance when understanding the risk of an individual from a holistic perspective. Importantly, none of these data points show up in traditional cybersecurity log files.

Where HR and IT departments should be joined at the hip is when an employee transfers or departs. In both instances, the employee’s role changes as does their authorized access to information and company resources. The time between when an employee or former employee’s access is no longer necessary and when the access is effectively restricted presents a delta of unnecessary risk.

Close coordination of personnel moves can provide insider risk analysts with an accurate data stream, empowering them to establish and enforce the most appropriate level of access and authorization at any given time.
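The following is an added illustration, not code from the original post or from DTEX, of the “delta of unnecessary risk” described above: it joins constructed HR personnel-move events (departures and transfers) against constructed IAM revocation events and measures the window between the moment access was no longer necessary and the moment it was actually restricted, including the case where no revocation ever happened. All record formats, employee ids and the SLA value are assumptions.

```python
from datetime import datetime

# Constructed sample data (not real records). HR events carry the effective time of
# the move; IAM events record when access was actually restricted. Ids are placeholders.
HR_EVENTS = [
    {"emp": "E1001", "event": "departure", "effective": "2024-06-03T17:00:00"},
    {"emp": "E1002", "event": "transfer", "effective": "2024-06-04T09:00:00",
     "from_role": "finance-analyst", "to_role": "marketing-analyst"},
    {"emp": "E1003", "event": "departure", "effective": "2024-06-05T17:00:00"},
]
IAM_EVENTS = [
    {"emp": "E1001", "action": "disable_account", "at": "2024-06-03T17:20:00"},
    {"emp": "E1002", "action": "revoke_role", "role": "finance-analyst",
     "at": "2024-06-07T11:00:00"},
    # E1003 has no revocation event at all: the departed employee's access is still live.
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def exposure_windows(hr_events, iam_events, now_iso: str) -> dict:
    """For each HR move, locate the IAM event that restricted the now-unnecessary
    access and return the delta in hours. A departure is closed by disabling the
    account; a transfer is closed by revoking the *old* role. An unmatched move is
    reported as still open, measured up to `now_iso`."""
    now = _parse(now_iso)
    windows = {}
    for ev in hr_events:
        if ev["event"] == "departure":
            matches = [i for i in iam_events
                       if i["emp"] == ev["emp"] and i["action"] == "disable_account"]
        else:  # transfer: only the old role's revocation counts
            matches = [i for i in iam_events
                       if i["emp"] == ev["emp"] and i["action"] == "revoke_role"
                       and i.get("role") == ev["from_role"]]
        restricted = min((_parse(i["at"]) for i in matches), default=None)
        end = restricted if restricted is not None else now
        delta_hours = (end - _parse(ev["effective"])).total_seconds() / 3600
        windows[ev["emp"]] = {"event": ev["event"], "delta_hours": delta_hours,
                              "open": restricted is None}
    return windows


def exceeding_sla(windows: dict, max_hours: float) -> list:
    """Employees whose access outlived the move by more than the agreed SLA."""
    return sorted(emp for emp, w in windows.items() if w["delta_hours"] > max_hours)
```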

Preserving employee privacy

When pseudonymization is used, the insider risk analysts are given events and anomalies to review without individual bias. This review may lead the analyst to determine whether there is a need to escalate by identifying the person whose behavior has crossed the threshold from risk to threat. That is not to say that the processes and procedures may not have already stopped the anomalous behavior or curtailed the flow of unauthorized information. Indeed, when operating at machine speed, that may be of paramount importance.

The point at which a pseudonym must be unmasked is where HR has a role to play, ensuring that the privacy of the individual has been protected.

Furthermore, should the threat have legs and a deeper investigation into the employee/contractor is needed, HR should be present to ensure all is completed according to the IRM playbook, with appropriate escalations to legal, finance, and management as necessary.
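As an added example (not DTEX’s code or the original post’s), the following shows the pseudonymization-then-unmasking flow described above: analysts see activity keyed by a keyed-hash token rather than a name, and the only path back to an identity is a gate that holds the key and directory and records who asked, for which token, and why. The directory, events, threshold and key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample data (not real people or events).
DIRECTORY = {"E1001": "Alice Example", "E1002": "Bob Example"}
RAW_EVENTS = [
    {"emp": "E1001", "action": "usb_copy", "bytes": 5_000_000},
    {"emp": "E1002", "action": "email_external", "bytes": 120_000},
    {"emp": "E1001", "action": "usb_copy", "bytes": 900_000_000},
]


def pseudonym(emp_id: str, key: bytes) -> str:
    """Keyed hash: the same employee always maps to the same token, so analysts can
    correlate events, but the token cannot be reversed without the key."""
    return hmac.new(key, emp_id.encode(), hashlib.sha256).hexdigest()[:16]


def analyst_view(events, key: bytes) -> list:
    """What the insider risk analyst receives: identities replaced by tokens."""
    return [{**e, "emp": pseudonym(e["emp"], key)} for e in events]


def flagged_tokens(view, byte_threshold: int) -> list:
    """Tokens whose behavior crossed a (constructed) volume threshold."""
    return sorted({e["emp"] for e in view if e["bytes"] > byte_threshold})


class RevealGate:
    """Held by HR: the key and directory needed to unmask a token. Every reveal
    requires a justification and is appended to an audit trail."""

    def __init__(self, key: bytes, directory: dict):
        self._key = key
        self._directory = directory
        self.audit = []

    def reveal(self, token: str, requester: str, justification: str):
        if not justification:
            raise ValueError("a recorded justification is required to unmask")
        for emp_id, name in self._directory.items():
            if hmac.compare_digest(pseudonym(emp_id, self._key), token):
                self.audit.append((requester, token, emp_id, justification))
                return emp_id, name
        return None  # token not in directory (e.g. wrong key or stale directory)
```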

The golden goose of employee content

HR also brings to the table a depth of knowledge surrounding Emotional Intelligence/Quotient (EQ) and matters relating to the employer-employee relationship. The reality is people (your employees) bring with them their feelings, their emotions, self and social awareness, and of course their own style of self-management and relationship management with colleagues.

How we treat each other is of vital importance.

An area where HR can and should be involved is ensuring that training is made available not only when a new skill is to be acquired or knowledge obtained, but also in the moment, when employees are given immediate course correction. Ensuring this course correction is completed in a positive and constructive manner is more welcome than any form of draconian admonishment.

One must remember that the IRM program’s intent is to reduce the risks and to effect a course correction – not to paralyze the employee in fear.

That said, the infusion of EQ considerations does not exclude punitive engagement altogether. It ensures that risk is being reduced and the consideration of the individual has been appropriately addressed – regardless of whether the correction is designed to make the employee a better employee, or to show them the door.

HR is the gateway to trust

The 2023 Cost of Insider Risks Global Report highlights the importance of HR to insider risk management; 51% of survey respondents said the IRM program must be composed of “a dedicated team from legal, human resources, lines of business, and security.”

Periodic review of employees during their tenure has value. In years gone by, those who enjoyed the trust of the U.S. government with national security clearances were subjected to review every five years. Now, vetting is continuous. Continuous vetting in the government environment is a reality, and it should be in the private sector. This is not a contradiction, for vetting begets trust.

Vetting normalizes “See something, say something”, as the goal is not to play “gotcha” with your colleagues. Rather, the goal is to reduce risk to the entity that has placed the individual in a position of trust.

HR’s opportunity

HR’s opportunity to make a difference isn’t obscure – it is right there in front of us. HR must be an integral part of the trust equation within the IRM program.

As I’ve written before, “Understand that trust forms the bedrock of the environment where employees are fully invested and engaged, so much so, they go to great lengths not to put it at risk.”

In conclusion, the adage, “If it involves an employee, it involves HR” is not too strong as the IRM teams strive to sort identified and credible threats.

Quick FAQ

What is the role of HR in preventing insider threats?

HR plays a crucial role in preventing insider threats by acting as the earliest gatekeeper of insider risk and by continuously monitoring employee behavior (and encouraging positive behavior). By thoroughly vetting candidates during the hiring process and conducting comprehensive background checks, HR helps to ensure that only trustworthy individuals join the organization.

HR’s insights into employee behavior – gained from interactions such as performance reviews, “See something, say something” programs, and disciplinary actions – provide valuable human-centric data for identifying potential risks early. Close coordination with IT (as well as legal, compliance and security) ensures that changes in employee roles or departures are managed appropriately to minimize risk. Importantly, HR’s involvement in training and maintaining a positive work environment plays a significant role in mitigating potential threats by fostering a culture of trust and responsibility, where employees are motivated to do right by the company.

What is the difference between a trusted insider and an insider threat?

The key difference between an insider threat and a trusted insider lies in intent and action. A trusted insider is anyone within an organization who has access to sensitive data, from executives to junior employees, including partners and third-party suppliers. These individuals inherently pose an insider risk because human error is inevitable. Mistakes such as losing devices or accidentally sending sensitive information to the wrong recipients exemplify how trusted insiders can inadvertently cause data loss.

On the other hand, an insider threat refers to those trusted insiders who act with malicious intent. These are individuals who deliberately plan and execute actions to steal, leak, or sabotage corporate data and systems.

Effective data protection requires shifting focus from reactive insider threat management to proactive insider risk management. This involves identifying and addressing risky behaviors early to prevent them from escalating into insider threats. By understanding and managing these risks, organizations can better safeguard their sensitive information and reduce the likelihood of data loss incidents.

For support in maturing your IRM capability, or to find out how to maximize HR’s value in your IRM program, contact DTEX.