Where are you most at risk?
Are your employees safe and are you safe from your employees?
As a critical node within an organization, the Human Resources Department (HR) is a potential gold mine full of personally identifying information (PII), such as pay rates, bonus pay information, and annual reviews for all of the organization’s employees. In addition to being a potential target of malicious insiders, HR is the first line of defense for preventing such insiders from being hired in the first place.
What can HR do to help mitigate insider threats?
Ensure applicants are who they say they are and who you want them to be by checking for:
- Identification theft/fraud
- Fictional references
- Criminal history
- Financial history
- Substance abuse
- Psychological issues
Make sure new employees are informed
- Expectation management
- Security Awareness and other training
Have policies and processes in place to address issues
- Obligatory reporting
- Investigations/Incident reviews
- Corrective actions
Support other departments in the organization
- Control Intellectual Property access
- Reinforce physical security
- Monitor high-risk employees
- Provide continuous/periodic updates
Provide Employee Support
- Report employee status change
- Report changes to benefits/compensation
- Promote employee assistance programs
- Deliver bonuses and rewards
An employee was a bank sales associate working in their company’s call center and was responsible for changing accounts and ordering new credit cards. For at least a year, the employee printed screen captures of customer data, including social security numbers (SSNs) and account numbers, then sold at least 300 accounts to an outsider for $1,000 – $1,500. In addition, the employee passed client data to the outsider via phone calls. All of this activity occurred while on site and during work hours.
The employee’s activity was only detected when consumers reported the fraudulent charges and an investigation connected the employee to the fraud. Although the employee was ultimately arrested and convicted, the victim organization’s incident-related loss was in excess of $200,000 and the cost to their reputation is still adding up, even a few years after the event.
The company’s after-the-fact investigation revealed the employee’s co-workers were aware of his association with criminals, specifically counterfeiters, and that he had a prior criminal history. The investigation also found that the organization had no acceptable usage policy and did not perform background checks.
How could human resources have reduced the risk posed by this employee?
- Conduct background checks on all applicants and have a policy in place to address any issues that could arise.
- Ensure your organization has an “Acceptable Usage Policy” in place, which provides employees specific guidelines on usage of company computers and phones.
- Educate employees on expected behavior and reportable behavior and develop policies and procedures for employees to report suspicious activity.