What Can HR Do to Prevent Insider Threats?

Every day, businesses contend with all sorts of threats. Like it or not, these risks have become a fact of organizational life in the modern digital world. While some dangers come from external sources — like cybercriminals — insider threats are also surprisingly prevalent. In fact, insiders are the biggest risk some companies face.

Fortunately, many HR teams are stepping up to play a critical role in locating and mitigating these dangers. To learn more about these threats and how HR can help prevent them, read on…

What Are Insider Threats?

Anyone who currently or previously worked for an organization can pose an insider threat. Employees, contractors, business partners, and others can put your company or staff at risk. Insider threats include intentional and unintentional attacks that are physical or digital in nature (such as cyberattacks).

Organizations are feeling more vulnerable lately, and these concerns are not unfounded. In fact, 60% of companies say they experienced at least one insider threat during the past year.

Why Do Attacks Happen?

Insider threats can develop for various reasons. A member of your workforce may be struggling with a health condition, financial challenges, family issues, or other personal problems. Business changes can also trigger an attack. For instance, organizations are likely to be more exposed during a reorganization, a merger or acquisition, or as the result of staff layoffs.

However, unintentional threats can arise during daily work activities, as well. Often, when people are anxious, fearful, unaware, or distracted, they may not rely on security best practices. This can open the door to phishing attacks or data breaches that inadvertently harm your organization.

For example, in 2019, 885 million personal accounts were compromised when systems at First American Financial Corporation accidentally leaked customer data. Also during that same year, a third-party data breach at WhatsApp exposed 1.5 billion user accounts.

Although insider threats can occur anytime, multiple warning signs usually build up in advance. Behavioral indicators like these deserve attention:

  • Is an individual refusing to participate in mandatory security audits or training activities?
  • Is the individual threatening staff members or your company in social media posts?
  • Do disputes with colleagues and managers occur frequently?
  • Has disciplinary action been required — suspensions, demotions, or removals?
  • Are personal difficulties apparent? (For example, obvious frustration from work stress, financial issues, or other problems.)

Types of Insider Threats

It’s important for HR professionals to know about common types of insider threats. Here are a few scenarios to keep in mind:

  • Workplace Violence
    Any physically aggressive acts or threats that harm on-site employees or company property. This includes intimidation, hazing, assault, or harassment.
  • Property Theft
    When employees or others steal company devices, equipment, data, or materials, especially assets involving proprietary information or national security.
  • Sabotage
    Damaging, destroying, or modifying company property to harm employees, customers, business allies, or the organization overall.
  • Insider Fraud
    When someone changes, removes, or uses company information or systems for self-gain, including insider trading or embezzlement.
  • Accidental Insider Threat
    An unwitting oversight or operational negligence that harms colleagues, customers, or the company. This includes actions that lead to unintended security breaches, phishing attacks, or lost/misplaced confidential information.

5 Ways HR Can Help Prevent Insider Threats

HR can play a key role in preventing these threats throughout every stage in the employee life cycle — including hiring, ongoing performance management, job changes, and offboarding. Here are five ways HR professionals can minimize these issues:

1. Conduct Thorough Background Checks

Smart organizations take every precaution to anticipate and mitigate insider threats from the start. Before extending an offer to any potential employee, conduct an extensive criminal background check and verify the candidate’s resume by calling listed references.

Careful screening can identify past behavior, such as workplace violence, fraud, or criminal actions. If red flags arise, the interview process is a perfect opportunity to clarify and understand the story behind any situation.

2. Implement Mandatory Security Training

Newly hired employees should participate in security training and activities. This helps educate people about cybersecurity risks and gives you a forum to clearly explain company policies and best practices. It’s also an opportunity to reinforce your company’s commitment to security as a top priority.

3. Define a Baseline for Normal Behavior

By working closely with IT leaders to determine standards, you can specify behavior that is normal/acceptable versus abnormal/unacceptable. Establishing this baseline enables your IT teams to monitor network activity, so they can identify potential dangers. When incidents are detected, IT can alert appropriate departments for necessary action.

It’s worth noting that when employees believe policies are overly strict or unfair, they may choose not to comply. This only increases the likelihood of insider threats. To avoid this, be sure you clearly communicate relevant standards and explain why those standards are in place. Also, be transparent about how IT teams monitor behavior, and what kind of actions they consider unacceptable or out-of-the-ordinary.

4. Foster a Supportive Workplace

Employees should feel comfortable and supported at work. A toxic environment where people are regularly embarrassed, belittled, humiliated, or forced to work under excessive rules only increases the potential for insider threats.

Successful workplaces cultivate a culture of trust, respect, and support where employees feel comfortable discussing personal or work issues. In this type of environment, managers and supervisors take discretion seriously.

Employees should know that co-workers with behavioral issues will be helped and not punished. This ensures that everyone will feel more comfortable sharing concerns about others.

For this reason, consider implementing an employee assistance program where anyone who is struggling can receive support and counseling. Make it a priority to help anyone who is at risk, and also address any grievances brought to your attention.

5. Terminate Employees With Respect

When employees depart, it’s vital to make the offboarding process as smooth as possible. Regardless of whether an employee chooses to resign or is terminated, thoughtfully managing the offboarding process can significantly reduce security risks.

If termination is required, proceed with care, so you preserve a sense of dignity. If possible, conduct the termination meeting in a room that lets the employee leave the premises quietly, without public embarrassment or shame.

Also, plan to remove the individual’s access to devices and systems as quickly as possible. In addition, remember to collect all company property and review nondisclosure agreements to avoid any misunderstanding about rules the employee previously agreed to follow.

A Final Word on Avoiding Insider Threats

HR plays a critical role in minimizing exposure to insider threats throughout the lifecycle of every employee. Proper planning, precautions, and proactive communication can make a tremendous difference. Above all, focus on creating and sustaining an environment where employees feel respected, trusted, empowered, and supported.

Keeping It Real: 3 Fundamentals Of An Authentic Employer Brand

Pondering the recent data breach of 21.5 million Federal Employees, I’m in one of those bottom line moods, so let’s talk bottom line. For many brands, that means a genuine relationship between employer and employee, and that has everything to do with a strong, firmly rooted employer brand.

One common misconception: that a good employer brand starts with pricey image consultants. Yes: marketing that awesome employer brand is a great idea. But let’s take care of the inside first. Top talent often comes equipped with a healthy dose of self-preservation, and that’s a good thing — it breeds savvy, competitiveness and self-reliance. Without an authentically trustworthy employer brand, that same instinct for self-preservation will turn against you: it says you’re more interested in façade than fact, and that leadership really has other priorities. And all the fancy logos in the world won’t save your ROI.

When employees don’t trust an organization, they naturally hold back from wholehearted engagement, with far-reaching, corrosive consequences — churn and retention among them, some far more subtle. And really, we can’t get around this one: a truly authentic, engaging employer brand starts with an authentic, engaged concern for your workforce.

Here are three ways, glamorous or not, to keep it real.

Prioritize Security

Not glamorous, but critical: the latest glaring security breach is a perfect storm of a fallible personnel system and the unwieldy, apparently very permeable frontier of Big Data (not the adjectives we want to use about the future of work). Just ask those 21.5 million government workers whose sensitive (and very personal) data was hacked right out of personnel.

That they willingly provided extremely private information as part of an HR screening process to gain security clearance: the essence of HR irony. Now that we dwell in the Cloud, do your workforce a solid and invest in the strongest security systems you can, and then maintain them, improve them, and invest some more. The worst kind of disengagement is one based on fears that turn out to be justified.

Take A Holistic Approach

My friend and colleague Susan LaMotte defines a solid employer brand as founded on an understanding that employees aren’t driven by their jobs, they’re driven by their lives. The friction between real-life needs and work lives is another tremendous disengager — but a workplace that supports and develops all sides (what LaMotte calls the whole self) of an employee is one of the clearest signs that you care about your talent.

A strong, engaging, and clearly defined employer brand provides an arena where employees can engage themselves and be productive. This can and should happen across all levels, from recruitment to onboarding to training to business as usual.

Always Check In

Not just for engagement, but for success, you need the opinions and input of your workforce. Never assume things are fine. Never stop looking for better ways to check in: the workforce’s pulse has to be taken in myriad hard and soft ways, from pop-up surveys to interviews, on screen, video conference, face to face.

Don’t underestimate the value of regular debriefing meetings: our ability and need to practice hindsight after major efforts is as primal as our instinct for self-preservation. All those tales around the campfire after the hunting party have stayed in our mindsets. Providing multiple channels for feedback conveys a respect for your employees’ positions, personal preferences, and the nature of what they have to say. Then innovate ways to dovetail that input into every facet of the workplace.

Authenticity dwells in action, not image, and one common misconception posits that a good employer brand starts with pricey image consultants. Actually, it doesn’t start there, but it does need to be there. Take care of the core first: the very folk who make it happen. Then, yes, the active promotion of that well-rooted, beautifully clothed employer brand can and should happen: a strategic, multi-platform branding campaign that reinforces the reputation you know you have a right to promote. 

A version of this was first posted on Forbes.
