[BreachExchange] Why HR and IT Are Teaming Up to Prevent Data Breaches

Destry Winant destry at riskbasedsecurity.com
Mon Apr 29 09:40:00 EDT 2019


https://www.cmswire.com/information-management/why-hr-and-it-are-teaming-up-to-prevent-data-breaches/

In our increasingly data-driven workplaces, an interesting partnership
has emerged to prevent and minimize the impact of a data breach: human
resources and IT. By working with security, privacy, risk and
compliance teams, HR and IT departments can support the core
principles needed to combat the threat of data breaches. It's only
logical that the two would team up. As I've said before, security and
privacy should be everyone's job. And in the case of HR, one of its
biggest responsibilities is collecting and storing a lot of sensitive
employee data, so partnering with IT to ensure that data's safety only
makes sense.

Establishing a good program starts with ongoing education of your
employees. In the absence of security education or experienced people
(including employees, users and customers), the risk of making poor
security decisions with technology increases. This means your internal
and external systems need to be easy to use when they're secure and
difficult to use when security controls are lacking. Training and
education on data security cannot be a one-time or annual course;
they must pervade the culture of your company.

Once the right educational efforts are in place concerning security,
privacy and risk and compliance, HR and IT can consider several areas
to support a “risk-based approach” to protecting your organization.

Understand What You Need to Protect

Many companies worry about “dark data” or data that exists across
various enterprise systems that may not be properly managed. This can
include file shares, SharePoint, social systems or other collaboration
systems and networks. To set the appropriate levels of data
protection, organizations need a clear understanding of what and where
this data lives as well as how to classify it. For example, many
companies apply security controls in broad terms using the same
security procedures for all data. But pictures from a company picnic
shouldn't have the same protocols as those protecting an
organization’s critical infrastructure design, customer credit card
data or employee benefits information.

To determine — and safeguard — your organization’s crown jewels, ask
yourself the following questions:

- What kind of data is your organization trying to protect and from whom?
- What are the systems used within your organization, as well as those
used with partners, vendors and customers? Which of these systems hold
protected data — protected or governed by law, regulations or
contractual requirements?
- How will data be stored in and flow through these systems, so the
appropriate security controls can be applied?
- How will your organization prevent sensitive data from being stored
in the wrong place?

Upon answering these questions, HR and IT can work together to
identify and catalog data that needs to be protected.

Establish Role-Based Access

After identifying the data your organization holds and making
decisions about where it should live, it’s time to consider who can
access it and how it needs to be protected. As a rule, employees
should have the least amount of access or privilege needed to allow
them to do their job. With data that is sensitive in nature, such as
personally identifiable information or protected health information,
limited and appropriate access remains critically important. The right
identity and access management is a necessary part of preventing data
loss. User-based controls can also be layered in to support
data-centric audit and protection (DCAP), a type of holistic
data-centric security that applies an organization's data privacy
measures to specific pieces of data.

Organizations must remain vigilant in monitoring roles within the
company and the data access that accompanies those job functions. Both
HR and IT play a critical role in ensuring employees are not
intentionally or inadvertently provided with “too much” data access.
Unfortunately, overburdened IT administrators may default to the
opposite approach, giving users unauthorized or unnecessary access to
avoid sinking under the burden of excessive and sometimes impossible
workloads. Keep an eye on this to make sure HR and IT are on the same
page with the user-based controls granted to each employee.

Actively Monitor Data Access

On any given day, employees begin or end their employment at a
company. And when employees leave their role, HR and IT must take a
fast approach to ensure all of their access is managed effectively
until the moment they leave the company. While it’s hard to say how
common it is for exiting employees to have access to their
workstations, there are significant risks to allowing them to do so
without supervision. Some companies immediately terminate access to
exiting employees, while others provide supervised access to data and
work environments as employees transition out of the organization. At
a minimum, organizations should consider the following:

- Enforcing a policy that states that when an employee is exiting
their job, the data they are removing should be reviewed and approved
before they go.
- Enforcing a policy that states once an employee is exiting a job,
their access to systems with customer data on them should be limited
and supervised.

HR and IT should have oversight into the permissions of employees to
sensitive data, as discussed above. Remember the case of the FDIC, when
an employee accidentally exposed the data of 44,000 customers?
Intentional or unintentional, breaches caused by employee behavior are
the easiest to prevent and solve.

Implement Sensible Controls

The right security controls should make it easier for people to do the
right thing rather than the wrong thing with data. Data without
controls can create operational, privacy and security gaps that put
company assets at risk. It can also create unintended consequences and
increase the potential for inadvertent or unauthorized disclosure of
sensitive information. Make sure that controls are built and centered
around the data they are intended to protect.

One of the key drivers of shadow IT, or any IT-based systems used
without organizational knowledge and approval, is that the approved
corporate systems are too difficult and cumbersome to use. Employees
flock to their own personal storage systems as a result. HR and IT
share the responsibility to avoid this fundamental mistake and,
instead, make it easier for people to use corporate systems with the
proper controls. Limiting the availability of (and need for) shadow IT
is a major component of bolstering security and data protection while
reducing risk.

To encourage business users to do the right thing when it comes to
adhering to established corporate data policies, HR and IT departments
can work together to:

- Make it easy and attractive for employees to use approved company
systems to do their jobs, but also trust and verify that employees are
doing so.
- Consider enforcing a policy that requires all “company” data to be
scanned, tagged and classified, so it cannot possibly be intermingled
with and/or inadvertently removed from a company system by a departing
employee.

By consistently tagging and classifying corporate data, organizations
can effectively layer in other security and data protection controls,
such as those that direct and contain data within appropriate systems
or manage appropriate identity management and access controls.

Data Security Is Everyone's Job

Preventing data breaches is an important job — but it can’t be done
alone. Both HR and IT have a job to do when it comes to establishing
and maintaining successful security, privacy and compliance
initiatives. Effective and lasting data protection centers around
understanding data, determining its appropriate containers and then
layering in protection to that data.
