Canadian Small Business Women

Connection, Synergy, Community

Apr 13 2018

Insider Threats And Data Breaches: They’re Not Always What You Think …

There’s something you should know before you invest your entire IT and information security budget in technical solutions – if a smart thief wanted to steal your intellectual property and/or your clients’ confidential information (e.g., credit, financial, and contact information taken during the Equifax data breach), they’d act like a gangster, walk in the front door, and take it.

Why? When it comes to protecting what’s worth stealing, it’s your employees, not your computers, that are the weakest link.

Employees are within the human resources (HR) wheelhouse, so this is a topic of great importance to me. Some years ago, I worked in an organization that invested a lot of effort to keep its intellectual property and confidential employee information protected. This was done in two ways: (1) careful hiring and HR processes and (2) technical measures including firewalls, information security protocols, etc. Both approaches were necessary. It hasn’t become a popular concept, as yet, but it’s easy to argue that cybersecurity alone is not enough.

Many of us have heard of Edward Snowden, the former NSA subcontractor who disclosed an immense volume of confidential information to journalists and online sources. After working in an organization that shares some similarities with the NSA, I think it’s safe to say that the presence of sophisticated technical measures was not enough to prevent the intentional disclosure of confidential information. In fact, this scenario is an example of an Insider Threat.

“Insider threats can be defined as risks posed by rogue employees who deliberately cause harm, or by those who may be negligent in the workplace.” (Security Hinges on its People, FrontLine Security Magazine, October 2017).

If insider threats are a real problem, why aren’t they better known?

Not all data breaches are external or digital …

Most of us have heard about data breaches that have occurred in organizations that have much bigger security budgets than ours. For example, the NSA and Equifax breaches that I just mentioned. Plus, there have been big breaches at Yahoo, Home Depot, Target, and others. I’ve done extensive research on this topic and one thing is crystal clear: 75% of these data breaches originate inside organizations. Often, we don’t hear about the causes of those breaches because they make the organization look terrible. It has a negative impact on the public’s trust and confidence in the organization’s ability to protect corporate information, including clients’ and/or customers’ personal information. When an organization experiences a security breach, their current and future clients, strategic partners/affiliates, and members of the general public are likely to see the organization as irresponsible. Negative financial consequences usually follow. Approximately 60% of smaller companies are bankrupt within 6 months of a major security breach, so it’s no wonder this is kept quiet.

How can HR, based on I/O psychology, help?

I’m addressing this topic because I understand that HR has an important role to play in preventing these insider threats. One problem is that most organizations don’t recognize that HR can make valuable contributions to the risk management process. Another problem is that the C-suite and the IT/information security folks don’t necessarily recognize the role that HR could be playing to keep confidential intellectual property and client information from leaking out of the organization. For example, many organizations don’t address workplace bullying as proactively or completely as they could. They haven’t understood the link between being severely mistreated at work and malicious insider threats that are inspired by anger or a desire for revenge. The consequences of ongoing suffering in toxic workplaces are even more severe when essential government services and critical infrastructure are at risk. So, if the threat of lost productivity and lawsuits isn’t a big enough justification for improving HR policies and practices, the likelihood of insider threats should catch the attention of key decision-makers.

If you’d like to learn more about how psychology and HR can help prevent insider threats, listen to Episode 27 of The Insider Threat Podcast where I speak to host Steve Higdon about this topic. Note – since the time that this article was published, I was an invited guest on Scott Wright and Tom Eston’s Shared Security Podcast and we spoke about different aspects of this issue.

Have a sensitive career or HR-related concern? I invite you to contact me by email, phone, or via direct message on Twitter, Facebook, or LinkedIn if you’d like to discuss any of these topics in more detail.

More than career coaching, it’s career psychology®.

I/O Advisory Services – Building Resilient Careers.

Written by Dwania Peele · Categorized: Dr. Helen Ofosu · Tagged: Cyber, cyber security, data, HR, Intellectual Property, IP, security

Jul 13 2017

What Do HR And Psychology Have To Do With Cyber Threats?

Where is the Real Threat?

In the internet world festooned with apps, we know it’s important to use strong passwords to secure our own email, social media accounts, and electronic devices. On the corporate side, another important consideration is the role that humans play in cyber threats. People with access to big data, personal information, intellectual property (IP), and critical infrastructure (e.g., power supplies, water treatment, hospitals, railways) can sometimes be the weak link in the chain.

HR as Part of Risk Management

For a while, I’ve been thinking about cyber crimes and cyber security and how to adapt what I learned and applied when I worked in a very secure (Top Secret) environment. In that workplace, we were extremely careful about how people were hired. Also important was how they were treated after being hired. I call my adaptation of those processes and policies “HR as Part of Risk Management.” I’ll admit that this may not be a stylish title but it does address something that most approaches to risk management are missing.

Employees: Often the Weakest Link 

Traditionally, risk management includes “human factors” but to date, relatively little attention has been paid to this source of risk. Normally, 90% of our collective efforts have focused on technical or IT-related interventions to protect us from cyber threats. Yes, these are important. However, to focus on them and not address the human element, psychology or employees’ behaviour is like locking the front door but leaving the back door open. The fact is that sometimes security breaches reported as cyber attacks are caused by actions that take place inside the organization. As Dermot Williams, the CEO of IT security firm Threatscape says, “when it comes to organizations, often the employees who are the weakest link.”

Although I have a lot more to say on this topic, for now, I’ll share an article that I wrote called Is Cyber Security Alone Ever Enough?, published in FrontLine Security in October 2016. Take a few minutes and read.

In the meantime, if you have HR or career-related matters that you’d like to discuss, please contact me by email, phone, or via direct message on Twitter, Facebook, or LinkedIn if you’d like to discuss any of these topics in more detail.

More than career coaching, it’s career psychology®.

I/O Advisory Services – Building Resilient Careers.

Written by Dwania Peele · Categorized: Dr. Helen Ofosu · Tagged: Cyber, Dr Helen Ofosu, HR, IP, risk management, Threats
