[BreachExchange] How HR and IT departments can join forces to bolster security strategies

[Audrey McNeil]

http://www.itproportal.com/features/how-hr-and-it-
departments-can-join-forces-to-bolster-security-strategies/

The threat of data breaches, and the rising costs of dealing with the
aftermath of security incidents, are pushing security strategies to the top
of the corporate agenda and boardroom discussions.

The impact of a breach can be far reaching: from reduction of share values,
to lost client contracts and the operational impact of downtime. The
average cost of a data breach has risen 29 per cent since 2013, to about $4
million per incident and the results on the bottom line can be devastating.
As a case in point, TalkTalk reported a more than 50 per cent decline in
pre-tax profit after suffering an attack last year.

Whilst cyber security may once have been thought of as the exclusive domain
of the IT department, it’s time to enable a more collaborative,
cross-departmental approach. The HR department plays a critical role in
supporting and reinforcing security strategies. Opening communication
channels between HR and IT can make a significant difference to the way in
which organisations can identify and manage risks.

An organisation’s security posture has to be set at the top level, then
implemented through HR and IT working together.

A collaborative approach

Whilst IT is responsible for protecting, controlling and managing sensitive
data within an organisation’s network, the ‘human factor’ often represents
the weakest link in IT security. Cybercriminals will typically take the
easiest route when trying to access a system, which is why hackers continue
to target employees with social engineering attacks. It is usually much
easier to trick a user, than it is to bypass security systems.
Organisations need to train employees to be their first line of defence.

HR has a responsibility to properly educate and train employees in security
best practice. Luckily, HR can support IT Security strategies in practical
ways, which include:

Training and Education

HR, in coordination with IT and security teams, should provide regular
training for all staff on security risks, how to identify things like
phishing emails, and what employees’ responsibilities are in protecting
data. The most effective training programmes will be relevant to their
department and job roles and will clearly define their responsibilities
when it comes to handling sensitive information.  Educating employees on
how data can proliferate through an organisation via the careless
management of documents, USB storage devices, third party file shares, etc.
is an important example of helpful training that underlines the employee’s
role in protecting against data loss.

Without this kind of training, sensitive information can leave the
organisation simply by accident. For example, it’s all too easy for
sensitive data to leave an organisation when it’s embedded in a long email
thread, or hidden rows in an Excel spreadsheet or even notes in a
PowerPoint presentation.

Training should also include how employees should report and follow up on a
cyber-incident, the lines of communication processes and protocols to
follow.    It’s also important to note that education such as this is a
continuous process; training is a first step, but not an end in itself.
Ensure that there are tools and processes to keep the message at the top of
employee’s minds, whether it’s through emails or newsletters, regular
refresher courses or even notices in shared office areas.

Taking Control of Access Rights

The massive growth of data and proliferation of different devices within
the workplace poses considerable challenges when it comes to placing
controls around, and preventing the spread of, sensitive data. In most
organisations data moves freely and is constantly updated, changed and
moved.

IT departments are responsible for understanding and managing how this
sensitive data travels within an organisation by proactively monitoring
and, if necessary, removing sensitive data from unauthorised locations or
users. However, HR also plays a critical role in establishing processes to
strengthen IT security practices.

Working with IT, HR should establish processes to manage access rights to
sensitive data – ensuring that appropriate controls are in place – and
preventing employees from accessing data that they don’t need. HR can also
support IT in identifying gaps in terms of departments or individuals, like
contractors or temporary staff, with permissions that have not been
withdrawn or privileges that may need to be re-defined. They can implement
processes and technology for managing access rights and to ensure that
these are regularly audited to close any security gaps.

Full co-operation between HR and IT is essential in projects of strategic
importance such as IAM (Identity Access Management) deployments. This is a
common pitfall, but without internal co-operation there can be
misunderstandings, or at worst, projects can unravel entirely.

Finally, the exit processes will always be a critical time with regards to
security. HR and IT need to collaborate to ensure proper protocols are
followed for everything from returning devices, to closing off access to
services, and removing sensitive corporate data that may have been
inadvertently left on a device. This is particularly important as the lines
between corporate and work devices are blurring in the BYOD era, Involving
HR leaders in defining the policies governing the protection of data is of
growing importance. From education and training, to involvement in BYOD
strategies, a joined-up approach is essential in an era when cyber
incidents come with a heavy cost.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160919/06d0e31a/attachment.html>