Analecta Cyber Company Blog: Including Cybersecurity in Human Resources Practices

2019-03-12

Including Cybersecurity in Human Resources Practices

Business owners may not consider their Human Resources (HR) department to be a vital component of the cybersecurity picture, but its day-to-day business practices have a direct impact on the protection of a company's most sensitive data. HR professionals manage and protect personally identifiable information (PII), the most sought-after resource for criminals involved in identity theft. They also play a critical role in the hiring and termination of employees and can protect the organization from insider threats.

HR actions before hiring


During the hiring process, where can HR practices make the most impact on cybersecurity? NIST guidance suggests that there are three key steps at this phase:
  1. Establish a risk designation for every position in the organization
  2. Establish screening criteria for the employees that will fill those positions
  3. Screen applicants prior to allowing access to information systems
A risk designation is a rating or code based on a risk assessment of the position. Risk designations can help the organization determine which authorizations individuals receive when accessing organizational information and information systems. Things to take into consideration include government policy and guidance, job function, security clearances and training. This is a great time to enforce the principle of least privilege (PoLP).

Based on the position risk designation, HR and information security professionals need to establish appropriate screening criteria and review applicants against those criteria. This protects the organization from potential insider threats. Current employees need to be screened against the same criteria at periodic intervals and whenever an employee is promoted to a position with a higher risk designation.


Protecting critical information


Cyber criminals often target HR departments because these professionals have access to valuable data, and their systems may not be as protected as other targets within the organization. Thankfully, it doesn't have to cost a lot to protect this data.

  • First and foremost, keep HR systems segmented and unreachable by other systems on the network. Put the HR department on their own network - either virtual or physical. There is no reason for non-HR personnel to have access to HR data or vice versa. Eliminating the connection from HR systems to production systems keeps cyber criminals from traversing your network if they do have a successful breach. 
  • Secondly, keep the HR personnel educated on their role in preventing cybersecurity incidents. In addition to staying up-to-date on information security best practices, HR professionals need to know what risk factors to look for when screening applicants and current employees. HR, IT and information security personnel must work together and share information between their departments to keep management informed of any potential risk to the organization. 

When employees depart


Employees come and go for a variety of reasons, and the HR department can have a significant impact on threats to cybersecurity if they are vigilant when an employee departs. Even if an employee is departing the organization for positive reasons, they can still pose a risk to the organization - especially if they had access to sensitive data.


Here are some ways to reduce risk when an employee departs the organization:
  1. Disable information system access within a specified timeframe.
  2. Terminate or revoke any information system credentials associated with the employee.
  3. Conduct exit interviews that include a discussion of information security topics specific to your organization.
  4. Retrieve all security-related organizational information and system-related property. This includes hardware authentication tokens, system administration technical manuals, keys, identification cards and building passes.
  5. Retain access to organizational information systems formerly controlled by the employee. Keep in mind laptops, removable drives and mobile devices. These are frequent targets of those wishing to cause harm to their former employer.
  6. Notify appropriate personnel of the employee's departure within a specified timeframe. This will be employee- and job-function-dependent.


Termination


In the case of terminated employees, some of these steps need additional emphasis. Those conducting exit interviews must ensure that terminated individuals understand the security constraints imposed by being former employees. At the same time, they can verify that proper accountability is achieved for information-system-related property. Some security topics of interest at exit interviews can include reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals for a variety of reasons, but it is important to make them a priority when possible. Exit interviews are especially important for individuals with security clearances.

The task of notifying appropriate personnel is critically important in cases where individuals are terminated for cause. In larger organizations, it may be beneficial to set up automatic alerts to notify others when an employee is terminated. Such automatic alerts or notifications can be conveyed in a variety of ways: by telephone, email, text message, chat message or website. The automatic notification should set in motion specific actions related to removing the former employee’s access to information and information systems. In certain situations, organizations should consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.

Education is key!


If you are not sure how to integrate cybersecurity in your human resources practices, contact us at info@analecta-llc.com or visit our Cybersecurity website. We can come up with a custom solution that addresses your specific business needs.

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives. 
