Ask what department is responsible for data security in an organization and the most likely answer is, “IT.” But some experts are saying it shouldn’t be IT alone – that better security requires a closer collaboration with Human Resources (HR).
One example, they say, is a breach this past Feb. 26 at the Federal Deposit Insurance Corporation (FDIC), when a departing employee inadvertently downloaded 44,000 customer records, including personally identifiable information (PII), to a USB thumb drive.
Fortunately, officials said, there was no apparent harm done. The breach happened on a Friday; the agency’s data loss prevention software detected it the following Monday, the FDIC contacted the ex-employee immediately, and she returned the drive the following day.
She also signed an affidavit saying she had not used or shared the information. And the FDIC noted that the former employee was authorized to access the data. She just wasn’t supposed to have brought any of it home with her.
But this was not the only such incident. The Wall Street Journal reported about a month ago that the FDIC has disclosed seven such breaches in just the past eight months, all involving departing employees taking data with them, potentially compromising the PII of 160,000 Americans.
So, could better collaboration between IT and HR have prevented any of those incidents? Expert opinions are mixed.
Even though this was plainly a “human” problem, and it has been accepted for decades that people are the so-called “weakest link” in the security chain, most security awareness training is run by IT, not HR.
It is also IT that is responsible for protecting data: for knowing where it is, and for controlling who has access to it and when, the latter otherwise known as Identity and Access Management (IAM). Even software designed to detect, months in advance, behavior indicating that an employee is likely to leave is managed by IT, not HR.
Still, Joseph Loomis, founder and CEO of CyberSponse, said it is “always good practice to have a strong connection between IT and HR.”
When there is a failure, he said, it is likely due to “bad process.” In tracking an organization’s “headcount turnover, demands for talent and shifts in culture, all information is often lost with the former IT admin,” he said. “We call this the ‘House of Cards for IT.’ Things go up and down every time someone comes and goes.”
And tracking the coming, going and transitioning of employees, he said, is very much within the purview of HR. “Anytime there is human behavior involved, HR should also be involved,” he said.
Ira Winkler, president of SecureMentum, said it ought to be obvious that “HR should inform IT when people are leaving. HR has very specific purposes in ensuring the appropriate separation of employees.”
Charles Choe, product marketing manager for Guidance Software, agreed. He said that while data loss prevention (DLP) technologies focus on data in motion, “they are often turned off due to the high rate of false positives that effectively hinder effective business operations.”
So, he said, it is important for HR to notify IT when employees are leaving, even when the separation is planned and amicable, so the activities of those employees can be more closely monitored. “It is also HR’s responsibility to properly educate employees that any work produced during employment legally belongs to the organization, and not the individual, at least in the United States,” he said.
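Choe’s point is that a DLP rule on its own fires too often to be left on, while an HR notice about who is leaving is exactly the signal that lets IT prioritize the same events instead of drowning in them. The script below is an added example, not code from the article or from any of the vendors quoted in it: it ranks removable-media copies of PII using an HR-supplied departure list. The event fields (`user`, `dest`, `pii_records`), the departure roster, the dates and the 30-day notice window are all constructed assumptions for illustration.

```python
"""Added example: prioritising DLP-style alerts with an HR departure list.

Everything below is constructed sample data and assumed field names; it is
not FDIC log data and not any product's rule format.
"""
from datetime import date, timedelta

# Assumed HR notification: users whose separation is planned, keyed to last day.
HR_DEPARTURES = {
    "jdoe": date(2016, 2, 26),
    "asmith": date(2016, 3, 15),
}

# Constructed endpoint/DLP events: a file copy, where it went, and how many
# PII records the content classifier counted in it.
EVENTS = [
    {"ts": date(2016, 2, 26), "user": "jdoe", "dest": "removable", "pii_records": 44000},
    {"ts": date(2016, 2, 24), "user": "bwong", "dest": "removable", "pii_records": 12},
    {"ts": date(2016, 2, 25), "user": "asmith", "dest": "network_share", "pii_records": 3000},
    {"ts": date(2016, 2, 25), "user": "asmith", "dest": "removable", "pii_records": 0},
    {"ts": date(2016, 3, 1), "user": "jdoe", "dest": "removable", "pii_records": 5},
]


def severity(event, departures, window_days=30):
    """Rank one event using the HR departure list.

    Returns None when the event is not worth an alert (not removable media,
    or no PII in the file), otherwise "medium", "high" or "critical".
    """
    if event["dest"] != "removable" or event["pii_records"] == 0:
        return None
    last_day = departures.get(event["user"])
    if last_day is None:
        return "medium"      # real exfil path, but no HR signal to raise it
    if event["ts"] > last_day:
        return "critical"    # activity after separation: account should be gone
    if last_day - event["ts"] <= timedelta(days=window_days):
        return "high"        # departing employee inside the notice window
    return "medium"


def triage(events, departures, window_days=30):
    """Return alert-worthy events, most urgent first, largest PII count first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    alerts = []
    for event in events:
        sev = severity(event, departures, window_days)
        if sev is not None:
            alerts.append({**event, "severity": sev})
    alerts.sort(key=lambda a: (order[a["severity"]], -a["pii_records"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS, HR_DEPARTURES):
        print(alert["severity"], alert["user"], alert["ts"], alert["pii_records"])
```

The ordering is the point: the post-separation copy surfaces first because an account that is still active after the last day is a process failure regardless of volume, the 44,000-record copy on the last day comes next, and the copy by a user with no HR signal is still logged but does not compete for the analyst’s attention.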
Dana Simberkoff, chief compliance and risk officer at AvePoint, said HR and IT should be “joint partners” both in training and supervision of employees – especially those who are transitioning out of an organization.
At a minimum, she said, organizations should enforce policies requiring that, when employees are leaving, “the data they are removing is reviewed and approved before they go, and their access to systems with customer data on them is limited and supervised.”
Trevor Hawthorn, CTO of Wombat Security Technologies, said HR “needs to closely coordinate with IT to communicate when employees are leaving, if they are a security risk, and ensure that an ‘off-boarding’ checklist is followed. For employees that are moving within the organization, a strong IAM capability will allow the organization to audit user rights and privileges.”
And Steve Conrad, managing director at MediaPro, said he thinks many breaches, including those at the FDIC, are a result of multiple problems – among them training and data classification.
“Data of different classifications seemed to have been commingled and the (FDIC) employee didn’t readily identify PII was at risk,” he said. “This breach may have been stopped with a more effective security awareness program. HR could definitely help IT design a better training experience that produces better overall results.”
Nobody disputes that all departments in an organization need to work together, and that this may be especially true of HR and IT. But some experts say when it comes to breaches like those at the FDIC, the greatest responsibility lies with IT.
Yonatan Striem-Amit, cofounder and CTO at Cybereason, said the FDIC was fortunate that the incident involving the ex-employee who took 44,000 customer records “was not intentional and was without malice.”
But he noted that since she had sufficient permissions to access the data, “anyone else could have as well if they simply impersonated her.”
And catching an intruder impersonating an actual employee is clearly an IT responsibility. “It is essential for companies to have control both at the data level and endpoint level and with it an improvement of policies overall,” Striem-Amit said.
There is also general agreement that better data governance – knowing what and where it is and properly classifying it – will help organizations keep track of it and protect it. And that is an IT function.
As Simberkoff put it, “do you need to put the same security protocols around protecting pictures from your company picnic as your customer’s critical infrastructure design or build information, credit card information, or your employees’ benefits information?”
But she also said she believes “HR should play a critical role in ensuring that employees are not intentionally or inadvertently provided with too much access to data that they should not have.
“As a general rule, employees should be given the least amount of access/privilege possible to allow them to do their job,” she said. “Unfortunately, overburdened IT administrators tend to work in the opposite way, giving users excessive access so that they (IT) do not sink under the burden of excessive and sometimes impossible workloads.”
The bottom line, Conrad said, is that each department can help the other – while IAM is nominally a function of IT, HR is more likely to know when an employee’s privileges or access should change. They need to be closely linked, he said, “to ensure privileges and access levels are in sync with the employee’s position and duties. Many times, once privileges are granted, they never go away. This definitely increases a company’s risk profile.”
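The audit Hawthorn and Conrad describe, checking that each account’s rights still match the person’s current position and that leavers have none, is a mechanical comparison once HR’s roster and IT’s entitlement export sit side by side. The script below is an added example and is not code from the article or from any of the companies quoted in it. The roster, the role-to-entitlement baseline, the entitlement export and the user names are all constructed assumptions; a real run would read the same shapes from the HR system and the directory.

```python
"""Added example: reconciling IAM entitlements against an HR roster.

A joiner/mover/leaver review: flag leavers who still hold access, accounts
HR has never heard of, movers who kept rights from an old role, and joiners
missing what their role needs. All data below is constructed.
"""

# Assumed HR roster export: employment status and current job role.
HR_ROSTER = {
    "jdoe":   {"status": "terminated", "role": "analyst"},
    "asmith": {"status": "active",     "role": "analyst"},  # moved from admin
    "kpatel": {"status": "active",     "role": "analyst"},  # recent joiner
    "rlee":   {"status": "active",     "role": "admin"},
}

# Assumed least-privilege baseline: what each role should hold, and no more.
ROLE_BASELINE = {
    "analyst": {"customer_db_ro", "vpn"},
    "admin":   {"customer_db_ro", "customer_db_rw", "vpn", "server_admin"},
}

# Constructed entitlement export from the directory / IAM system.
ENTITLEMENTS = {
    "jdoe":    {"customer_db_ro", "vpn"},
    "asmith":  {"customer_db_ro", "customer_db_rw", "vpn", "server_admin"},
    "kpatel":  {"vpn"},
    "rlee":    {"customer_db_ro", "customer_db_rw", "vpn", "server_admin"},
    "svc_old": {"server_admin"},
}

# Finding kinds whose listed entitlements should be revoked.
REVOKE_KINDS = {"leaver_still_has_access", "unknown_identity", "exceeds_role_baseline"}


def reconcile(roster, baseline, entitlements):
    """Return (user, finding_kind, affected_entitlements) tuples."""
    findings = []
    # Pass 1: every account that holds something, judged against HR's view.
    for user, grants in sorted(entitlements.items()):
        record = roster.get(user)
        if record is None:
            findings.append((user, "unknown_identity", sorted(grants)))
        elif record["status"] != "active":
            findings.append((user, "leaver_still_has_access", sorted(grants)))
        else:
            extra = grants - baseline.get(record["role"], set())
            if extra:
                findings.append((user, "exceeds_role_baseline", sorted(extra)))
    # Pass 2: active staff missing their role baseline (a provisioning gap,
    # listed so HR and IT see both directions of drift).
    for user, record in sorted(roster.items()):
        if record["status"] == "active":
            missing = baseline.get(record["role"], set()) - entitlements.get(user, set())
            if missing:
                findings.append((user, "missing_role_baseline", sorted(missing)))
    return findings


def revocations(findings):
    """Map user -> entitlements to remove, derived from the findings."""
    return {user: grants for user, kind, grants in findings if kind in REVOKE_KINDS}


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, ROLE_BASELINE, ENTITLEMENTS)
    for user, kind, grants in found:
        print(f"{user:8} {kind:24} {grants}")
    print("revoke:", revocations(found))
```

Running the review on a schedule, rather than only at offboarding, is what catches the “mover” case: asmith changed roles but kept admin rights, which no single HR leaving notice would ever have triggered IT to remove.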
Finally, there is broad agreement that employee training should be both a regular event and a cooperative effort. It can’t be “a once-a-year training course, but rather it must be pervasive throughout the culture of your company,” Simberkoff said.
Conrad said good training should involve the marketing team as well as IT and HR, since the goal is to “sell” employees on good security practices.
“IT should partner with marketing to learn how to deliver a message that sticks and gets better results,” he said. “Most awareness training is of such low quality that it’s a wonder it works at all.”
Indeed, the best technology in the world can’t trump a careless or clueless employee. “If people aren’t trained, then bad things can happen,” Winkler said.