Boost your security: Get IT and HR to collaborate

As has been said many times, security flaws are not just a technology problem. They are also a people problem.

Ask what department is responsible for data security in an organization and the most likely answer is, “IT.” But some experts are saying it shouldn’t be IT alone – that better security requires a closer collaboration with Human Resources (HR).

One example, they say, is a breach this past Feb. 26 at the Federal Deposit Insurance Corporation (FDIC), when a departing employee inadvertently downloaded 44,000 customer records, including personally identifiable information (PII), to a USB thumb drive.

Fortunately, officials said, there was no apparent harm done. The breach happened on a Friday, the agency’s data-loss-protection software detected it the following Monday, the FDIC contacted the ex-employee immediately and she returned the drive the following day.

She also signed an affidavit saying she had not used or shared the information. And the FDIC noted that the former employee was authorized to access the data. She just wasn’t supposed to have brought any of it home with her.

But this was not the only such incident. The Wall Street Journal reported about a month ago that the FDIC has reported seven such breaches in just the past eight months, all from departing employees taking data with them and potentially compromising the PII of 160,000 Americans.

So, could better collaboration between IT and HR have prevented any of those incidents? Expert opinions are mixed.

Even though this was very obviously a “human” problem, and it has been obvious for decades that people are the so-called “weakest link” in the security chain, most security awareness training is done by IT, not HR.

It is also IT that is responsible for protecting data, for knowing where it is and who has access to it at any given time – otherwise known as Identity and Access Management (IAM). Even software designed to detect, months in advance, behavior that suggests an employee is likely to leave is managed by IT, not HR.

Still, Joseph Loomis, founder and CEO of CyberSponse, said it is “always good practice to have a strong connection between IT and HR.”

When there is a failure, he said, it is likely due to “bad process.” In tracking an organization’s “headcount turnover, demands for talent and shifts in culture, all information is often lost with the former IT admin,” he said. “We call this the ‘House of Cards for IT.’ Things go up and down every time someone comes and goes.”

And tracking the coming, going and transitioning of employees, he said, is very much within the purview of HR. “Anytime there is human behavior involved, HR should also be involved,” he said.

Ira Winkler, president of SecureMentum, said it ought to be obvious that “HR should inform IT when people are leaving. HR has very specific purposes in ensuring the appropriate separation of employees.”

Charles Choe, product marketing manager for Guidance Software, agreed. He said while data loss prevention (DLP) technologies focus on data-in-motion, “they are often turned off due to the high rate of false positives that effectively hinder effective business operations.”

So, he said, it is important for HR to notify IT when employees are leaving, even when the separation is planned and amicable, so the activities of those employees can be more closely monitored. “It is also HR’s responsibility to properly educate employees that any work produced during employment legally belongs to the organization, and not the individual, at least in the United States,” he said.

Dana Simberkoff, chief compliance and risk officer at AvePoint, said HR and IT should be “joint partners” both in training and supervision of employees – especially those who are transitioning out of an organization.

At a minimum, she said, organizations should enforce policies requiring that, when employees are leaving, “the data they are removing is reviewed and approved before they go, and their access to systems with customer data on them is limited and supervised.”

Trevor Hawthorn, CTO of Wombat Security Technologies, said HR “needs to closely coordinate with IT to communicate when employees are leaving, if they are a security risk, and ensure that an ‘off-boarding’ checklist is followed. For employees that are moving within the organization, a strong IAM capability will allow the organization to audit user rights and privileges.”

And Steve Conrad, managing director at MediaPro, said he thinks many breaches, including those at the FDIC, are a result of multiple problems – among them training and data classification.

“Data of different classifications seemed to have been commingled and the (FDIC) employee didn’t readily identify PII was at risk,” he said. “This breach may have been stopped with a more effective security awareness program. HR could definitely help IT design a better training experience that produces better overall results.”

Nobody disputes that all departments in an organization need to work together, and that this may be especially true of HR and IT. But some experts say when it comes to breaches like those at the FDIC, the greatest responsibility lies with IT.

Yonatan Striem-Amit, cofounder and CTO at Cybereason, said the FDIC was fortunate that the incident involving the ex-employee who took 44,000 customer records “was not intentional and was without malice.”

But he noted that since she had sufficient permissions to access the data, “anyone else could have as well if they simply impersonated her.”

And catching an intruder impersonating an actual employee is clearly an IT responsibility. “It is essential for companies to have control both at the data level and endpoint level and with it an improvement of policies overall,” Striem-Amit said.

There is also general agreement that better data governance – knowing what and where it is and properly classifying it – will help organizations keep track of it and protect it. And that is an IT function.

As Simberkoff put it, “do you need to put the same security protocols around protecting pictures from your company picnic as your customer’s critical infrastructure design or build information, credit card information, or your employees’ benefits information?”

But she also said she believes, “HR should play a critical role in ensuring that employees are not intentionally or inadvertently provided with too much access to data that they should not have.

“As a general rule, employees should be given the least amount of access/privilege possible to allow them to do their job,” she said. “Unfortunately, overburdened IT administrators tend to work in the opposite way, giving users excessive access so that they (IT) do not sink under the burden of excessive and sometimes impossible workloads.”

The bottom line, Conrad said, is that each department can help the other – while IAM is nominally a function of IT, HR is more likely to know when an employee’s privileges or access should change. They need to be closely linked, he said, “to ensure privileges and access levels are in sync with the employee’s position and duties. Many times, once privileges are granted, they never go away. This definitely increases a company’s risk profile.”
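To make Conrad’s point concrete, here is an added example (not from the article or from any of the vendors quoted) of an HR-to-IAM reconciliation check in Python. It flags the failure modes the experts describe: accounts still enabled after HR’s separation date, entitlements beyond a role’s least-privilege baseline that never went away, departing employees who warrant closer monitoring, and accounts with no HR record at all. The roster, entitlements, role baselines and report date are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article). HR is the source of truth for
# who works here, in what role and until when; IAM knows what each account can do.
HR_ROSTER = {
    "alice": {"role": "analyst",  "end_date": None},
    "bob":   {"role": "analyst",  "end_date": date(2016, 2, 26)},  # already left
    "carol": {"role": "engineer", "end_date": None},  # moved here from finance
    "dave":  {"role": "finance",  "end_date": date(2016, 3, 15)},  # leaving soon
}
IAM_ACCOUNTS = {
    "alice": {"enabled": True, "entitlements": {"case-db-read"}},
    "bob":   {"enabled": True, "entitlements": {"case-db-read", "usb-write"}},
    "carol": {"enabled": True, "entitlements": {"code-repo", "payroll-read"}},
    "dave":  {"enabled": True, "entitlements": {"payroll-read"}},
    "eve":   {"enabled": True, "entitlements": {"case-db-read"}},  # no HR record
}
# Least-privilege baseline: what each role needs to do its job.
ROLE_BASELINE = {
    "analyst":  {"case-db-read"},
    "engineer": {"code-repo"},
    "finance":  {"payroll-read"},
}
REPORT_DATE = date(2016, 3, 1)  # the day the check is run

def reconcile(roster, accounts, baseline, today, notice_days=14):
    """Return (user, finding, detail) tuples for IT to act on."""
    findings = []
    for user, acct in accounts.items():
        person = roster.get(user)
        if person is None:  # account with no owner in HR: disable and investigate
            findings.append((user, "orphan-account", "no HR record"))
            continue
        end = person["end_date"]
        if end is not None and end <= today and acct["enabled"]:
            # HR says they left, IAM still lets them in: off-boarding failed
            findings.append((user, "active-after-separation", f"left {end}"))
            continue
        if end is not None and (end - today).days <= notice_days:
            # planned, amicable departure: still worth closer monitoring
            findings.append((user, "departing-monitor", f"leaves {end}"))
        excess = acct["entitlements"] - baseline[person["role"]]
        if excess:  # privilege that survived a role change or was over-granted
            findings.append((user, "excess-privilege", ",".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for row in reconcile(HR_ROSTER, IAM_ACCOUNTS, ROLE_BASELINE, REPORT_DATE):
        print(*row)
```

In practice the roster would be exported from the HR system on a schedule and the findings routed to the off-boarding checklist owner, so that a departure recorded by HR cannot leave an account enabled in IAM.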

Finally, there is broad agreement that employee training should be both a regular event and a cooperative effort. It can’t be “a once a year training course, but rather it must be pervasive throughout the culture of your company,” Simberkoff said.

Conrad said good training should involve the marketing team as well as IT and HR, since the goal is to “sell” employees on good security practices.

“IT should partner with marketing to learn how to deliver a message that sticks and gets better results,” he said. “Most awareness training is of such low quality that it’s a wonder it works at all.”

Indeed, the best technology in the world can’t trump a careless or clueless employee. “If people aren’t trained, then bad things can happen,” Winkler said.

Stories by Taylor Armerding