Partner for Progress: Security And HR Must Team Up For Insider Risk Management
Managing insider risk is a challenge for many reasons, one of the largest being that it’s a very human problem. Security pros are accustomed to dealing with cybersecurity threats, most of which are technical in nature, even if they resulted from a human-element breach. Because insider risk is more about people than PCs, security and insider risk management (IRM) pros must make an unlikely new ally – their colleagues in HR.
Forrester data shows that 22% of data breaches are the result of insider incidents. Those incidents can be broken down into three broad categories:
- Malicious insiders: Purposeful acts committed by insiders to steal data, sabotage systems or infrastructure, or commit fraud.
- Accidental insiders: Accidental or negligent actions taken by insiders that result in data loss or harm to the organization.
- Compromised accounts: External actors who have taken control of legitimate user credentials, so that their activity appears to come from a trusted insider.
Identifying which of these occurred is a crucial early step in an investigation because it determines the response: a malicious insider case involves HR and legal, an accidental one calls for remediation and user education, and a compromised account is handled as an external intrusion, with credential resets and containment. Much of IRM, however, takes place well ahead of an incident, and to make that happen the IRM team must establish a strong working relationship with HR.
Partnering For Progress And Innovation
September is National Insider Threat Awareness Month, and this year’s theme is “Partnering For Progress.” Successful IRM requires a number of partnerships, but none is more important than the partnership with HR. Some IRM experts even advocate that IRM should report into HR.
Because so much of IRM happens before an incident, HR's contribution spans the whole employment lifecycle. HR helps IRM by:
- Conducting background checks and onboarding. Successful IRM starts before the user is hired.
- Providing user data to identify risky users. HR holds information the security team does not, such as resignations, role changes, and performance actions, which can be used to identify users at elevated risk of causing an incident. That data is sensitive, so sharing it should follow the organization's privacy and legal constraints.
- Enabling user education and human risk management programs. Changing behavior and creating a positive security culture helps reduce insider risk.
- Supporting insider incident investigations. HR works with investigators during the response process to provide data and support — and follows up with outcomes after the investigation.
- Managing offboarding. Ensuring that an offboarding process exists and is consistently followed, including prompt revocation of accounts, credentials, tokens, and physical access, is critical to avoid incidents from insiders who have been terminated. HR is the system of record for when someone leaves, so the security team cannot close this gap on its own.
Organizations that don’t believe they have an insider risk problem likely aren’t looking. After all, every insider — employee, contractor, vendor, or partner — carries a level of risk. That risk increases due to a variety of factors like access to sensitive data or systems, disgruntlement, and intent to leave the organization. Some of these factors, such as disgruntlement and intent to leave, are visible only to HR, so IRM teams and security pros can get that visibility only by breaking down silos and partnering with HR.
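One concrete form the HR partnership takes is a recurring reconciliation of the HR roster against the identity provider's account export, which turns two of the points above (HR data identifying risky users, and offboarding with credential revocation) into a check the security team can run. The script below is an added example, not code from the original post or from Forrester; the field names, the privileged group names, and the sample HR and directory records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample HR roster, as it might be exported from an HR system.
# Field names are assumptions; real exports will differ.
HR_ROSTER = [
    {"login": "abrown",  "status": "active",     "termination_date": None,         "notice_given": False},
    {"login": "cdavis",  "status": "terminated", "termination_date": "2024-08-28", "notice_given": False},
    {"login": "elee",    "status": "active",     "termination_date": None,         "notice_given": True},
    {"login": "fgarcia", "status": "terminated", "termination_date": "2024-09-02", "notice_given": False},
]

# Constructed sample account export, as it might come from a directory or IdP.
IDP_ACCOUNTS = [
    {"login": "abrown",      "enabled": True,  "groups": ["staff"]},
    {"login": "cdavis",      "enabled": True,  "groups": ["staff", "finance-admins"]},  # terminated, still enabled
    {"login": "elee",        "enabled": True,  "groups": ["staff", "domain-admins"]},   # resigning, holds admin
    {"login": "fgarcia",     "enabled": False, "groups": ["staff"]},                    # correctly disabled
    {"login": "svc-vendor7", "enabled": True,  "groups": ["staff"]},                    # no HR record at all
]

# Assumed names of high-privilege groups; adjust to the organization's directory.
PRIVILEGED_GROUPS = {"domain-admins", "finance-admins"}


@dataclass(frozen=True)
class Finding:
    login: str
    kind: str    # terminated_still_enabled | departing_with_privilege | no_hr_owner
    detail: str


def reconcile(hr_roster, idp_accounts, today):
    """Join the HR roster to the directory export and return the gaps IRM should act on.

    - terminated_still_enabled: HR says the person left, but the account is still enabled
      (an offboarding failure; the oldest ones are the most urgent).
    - departing_with_privilege: HR has a resignation on file and the account still sits
      in a privileged group (a candidate for early access reduction and closer monitoring).
    - no_hr_owner: an enabled account with no HR record (contractor, vendor or service
      account nobody owns; confirm an owner or disable it).
    """
    hr_by_login = {r["login"]: r for r in hr_roster}
    findings = []
    for acct in idp_accounts:
        login = acct["login"]
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        rec = hr_by_login.get(login)

        if rec is None:
            if acct["enabled"]:
                findings.append(Finding(login, "no_hr_owner",
                                        "enabled account with no HR record; confirm owner or disable"))
            continue

        if rec["status"] == "terminated":
            if acct["enabled"]:
                days = (today - date.fromisoformat(rec["termination_date"])).days
                findings.append(Finding(login, "terminated_still_enabled",
                                        f"terminated {days} day(s) ago; groups={acct['groups']}"))
            continue  # a disabled account for a terminated person is the expected state

        if rec["notice_given"] and privileged:
            findings.append(Finding(login, "departing_with_privilege",
                                    f"resignation on file; still a member of {privileged}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a daily report to HR and the IRM team."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, date(2024, 9, 5)):
        print(f"{f.kind:26} {f.login:12} {f.detail}")
    print(summarize(reconcile(HR_ROSTER, IDP_ACCOUNTS, date(2024, 9, 5))))
```

Run against the constructed data, the check flags cdavis (terminated eight days earlier but still enabled and in a finance admin group), elee (resignation on file while still holding domain admin), and svc-vendor7 (an enabled account that HR does not know about), while abrown and the correctly disabled fgarcia produce nothing. The useful property is that neither team could produce this list alone: the security team has the directory, and only HR knows who has resigned or been terminated.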
Connect With Us
Jess Burn will join me in leading a session in the Prevention, Detection, and Response track at this year’s Forrester Security & Risk Summit, taking place in Austin, TX from November 5–7. Our session, titled “Incident Response For Insider Threats,” will provide guidance about insider incident response, including HR’s role. I’ll also be hosting a roundtable at the event called “Turning Insider Risk Inside Out: Protecting Against Insider Incidents.” We hope to see you there!
Forrester clients can also request an inquiry or guidance session with Jess (incident response) or me (insider risk management) to dive further into these topics.