"A company culture is defined by HR because they're responsible for hiring people," said Erdal Ozkaya, author of Cybersecurity Leadership Demystified.
HR influences a company's security culture in the same way, he added. While CISOs and security teams are responsible for creating security policies, HR is ultimately responsible for enforcing them across the organization.
Simply put, HR has two main cybersecurity responsibilities. First, it's responsible for ensuring every employee hired -- no matter the department or role -- poses a low threat to the organization's cybersecurity posture. This includes conducting due diligence and ensuring employees receive proper security training during onboarding. Second, HR has an obligation to protect employees' personal data.
"Who has access to your address, mobile or home phone number, banking details and Social Security number?" Ozkaya asked. "HR."
In his book, Ozkaya included an entire chapter on cybersecurity for HR professionals and the integral role they play in data privacy and preventing negligence and insider threats.
In this excerpt from Chapter 4, Ozkaya advises HR teams on how to achieve their cybersecurity responsibilities, including tips on hiring practices and procedures, creating provisions for third parties and implementing cybersecurity best practices, such as multifactor authentication and secure internet access.
The management of the life cycle of employment processes is part and parcel of personnel security. Some of the procedures that should be managed to ensure personnel security include the following:
- Employment screening procedures: Before hiring, an organization needs documented screening procedures that it follows for every candidate. These ensure that new staff members are suitable for the roles they will fill and typically include drug screening, background checks, credit checks and, where the role requires it, security clearance.
- Employment policies and agreements: To protect both personnel and the organization from threats that originate with employees, new hires should sign the following documents before they start: non-disclosure agreements (NDAs), ethics agreements, code of conduct policies and conflict of interest policies. These documents set out the expected behavior and help protect the information assets within the organization.
- Employment termination procedures: These are the safety procedures followed when an employee is fired or their contract ends. They encompass completing an exit interview, reviewing the NDA with the departing employee, revoking company identifier (ID) badges, collecting company keys and any other company assets, disabling user accounts, changing any shared passwords the employee knew and escorting the individual off the premises.
Vendors, contractors and consultants -- procedures
Physical security procedures do not deal only with employees; they should also make provisions for third parties who visit an organization's facilities, such as vendors, contractors and consultants. Procedures that should guide their visits to organizational facilities include the following:
- Escorting visitors while they are on the premises of the organization.
- Verifying their identities and ensuring that proper access-control mechanisms are in place.
- Verifying visitors' licenses and any other forms of identification they carry.
- Requiring visitors to sign in on arrival and sign out when they leave the facilities.
- Issuing visitors a name badge and requiring them to carry and display it at all times while on the premises.
- Ensuring that appropriate agreements with these visitors are in place.
- Ensuring they sign NDAs.
- Ensuring that visitors are screened properly before they are engaged on a contractual basis.
This section has listed the procedures for handling vendors, consultants and contractors when they visit an organization; the next section addresses hiring practices and how they contribute to a tighter security posture.
Tight hiring practices
A background check on new staff members is an effective means of keeping internal systems safe. An attacker can pose as a prospective employee to gain access to systems from within, so investing time and resources in background checks is an important security measure that helps a business safeguard its systems. Background checks can be expensive, and an organization may lack the resources to perform them effectively; in that case, it is advisable to outsource them to professional security firms, which can surface more information than the HR department can access on its own. Background checks should not be limited to employees. Before engaging a vendor or outsourcing work that will require granting access to your systems, an organization should check the vendor or business partner as well, to gain assurance of their integrity.
Using strong authentication mechanisms
Passwords can be cracked, and the hardware and software needed to do so are now readily available, so simple passwords are no longer prudent. Employees should be educated on the need for strong passwords on company systems and discouraged from reusing the password they use on personal devices and online accounts. An attacker targeting an employee will compromise a weaker personal account, harvest the password and try it against the employee's work accounts, counting on the fact that many people reuse the same easy password for years. These habits put a business at enormous risk. MFA is one of the solutions that can be used to enhance password security: a reused or cracked password alone is then not enough to log in.
Securing internet access
Companies can also secure their computers by restricting which sites those computers can reach. Group policies enable management to push configuration to company computers that limits the kinds of sites an employee can access while working on company systems. An organization can limit internet access to the company website and a handful of other sites considered necessary for an employee's work. This reduces the chance that an employee on a company device visits a site that gives attackers targeting the company's employees a foothold. Access to company files should likewise be restricted among employees and granted only on a need-to-know basis.
Investigating anomalous activities
Log data is an important source for investigations into network activity. For internal users, the internal local area network (LAN) should be a good source of log data for investigating anomalous activity by company staff. Recent investigations of insider data breaches have shown that insiders often do not attempt to cover their tracks, as they do not seem to expect to be caught; external hackers, by contrast, go to great lengths to do so. It is important to note, however, that audit logging on member servers (non-domain controllers, such as older New Technology (NT) and Windows 2000 (Win2K) servers) is often disabled by default, which hampers investigations because insufficient log data exists for the internal LAN. Enabling it lets the internal logs record staff operations, which can then be analyzed during an investigation or to detect anomalous activity proactively.
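As an added example that is not part of the book, the script below runs three simple insider-oriented checks over a constructed sample of internal file-share access records: activity outside business hours, a per-user spike in the number of distinct files touched in one day, and a user touching a share directory they have never used before. The log format ("<ISO timestamp> <user> <host> <action> <path>"), the business-hours window and the thresholds are assumptions for illustration, not a format or policy from the text; real logs would be Windows security events or file-server audit records, but the logic is the same once the fields are parsed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of internal file-share access records (not real data).
# Format "<ISO timestamp> <user> <host> <action> <path>" is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice ws-alice READ /share/finance/q1.xlsx
2024-03-04T10:40:12 alice ws-alice READ /share/finance/budget.docx
2024-03-05T09:05:33 alice ws-alice READ /share/finance/q1.xlsx
2024-03-05T14:22:08 alice ws-alice WRITE /share/finance/notes.txt
2024-03-06T11:01:45 alice ws-alice READ /share/finance/budget.docx
2024-03-06T15:30:00 alice ws-alice READ /share/finance/q1.xlsx
2024-03-07T22:47:10 alice ws-alice COPY /share/hr/payroll.csv
2024-03-07T22:48:02 alice ws-alice COPY /share/hr/salaries.xlsx
2024-03-07T22:49:30 alice ws-alice COPY /share/hr/ssn_list.csv
2024-03-07T22:51:11 alice ws-alice COPY /share/hr/benefits.xlsx
2024-03-07T22:52:45 alice ws-alice COPY /share/hr/addresses.csv
2024-03-07T22:54:03 alice ws-alice COPY /share/hr/contracts.zip
2024-03-04T09:30:00 bob ws-bob READ /share/eng/design.md
2024-03-05T09:31:00 bob ws-bob WRITE /share/eng/design.md
2024-03-06T17:59:00 bob ws-bob READ /share/eng/spec.pdf
2024-03-07T08:00:00 bob ws-bob READ /share/eng/spec.pdf
this line is malformed and must be skipped, not crash the parser
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<host>\S+) "
    r"(?P<action>READ|WRITE|COPY) (?P<path>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def off_hours_events(events, start_hour=8, end_hour=18):
    """Events outside the assumed business window [start_hour, end_hour)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def volume_spikes(events, factor=3.0, min_files=5):
    """Per user: days on which the number of distinct files touched is at least
    `factor` times the median of that user's other days (and at least min_files),
    so each user is compared against their own baseline, not a global one."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["ts"].date()].add(e["path"])
    spikes = {}
    for user, days in per_day.items():
        counts = {d: len(paths) for d, paths in days.items()}
        for d, n in counts.items():
            others = [c for od, c in counts.items() if od != d]
            if not others:
                continue  # no baseline yet; a single-day user cannot be compared
            if n >= min_files and n >= factor * median(others):
                spikes.setdefault(user, []).append((d.isoformat(), n))
    return spikes


def first_seen_shares(events, depth=2):
    """Per user: share directories (first `depth` path components) touched for
    the first time on a day after the user's first day in the log."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        first_day = evs[0]["ts"].date()
        seen = set()
        for e in evs:
            share = "/".join(e["path"].split("/")[: depth + 1])
            if share in seen:
                continue
            seen.add(share)
            if e["ts"].date() != first_day:
                findings.setdefault(user, []).append((e["ts"].date().isoformat(), share))
    return findings


def triage(text):
    """Run all three checks and return the findings for an analyst to review."""
    events = parse_log(text)
    return {
        "off_hours": [(e["user"], e["ts"].isoformat(), e["path"]) for e in off_hours_events(events)],
        "volume_spikes": volume_spikes(events),
        "first_seen_shares": first_seen_shares(events),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(check, result)
```

On the sample, only alice is flagged, and by all three checks on the same evening: six off-hours COPY events, a day with three times her usual number of distinct files, and her first ever access to /share/hr. None of the checks needs a signature of a known attack; they only need the logging the paragraph above asks for to be switched on, which is why enabling audit logging on internal servers comes first.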
Refocusing perimeter strategies and tools
In most company security strategies, the focus is on internet-based attacks and keeping malicious outsiders away. Perimeter tools for that purpose are vigilant and often do a thorough job; the same cannot be said of internal systems. Refocusing perimeter strategies toward internal mechanisms achieves a lot and averts internal threats. Patching is one example: it is applied diligently to the internet-facing email and web servers at the perimeter but is rarely done with the same rigor on internal systems. Applying the same discipline internally dramatically increases the safety of those systems and reduces the risk of internal damage.
Likewise, vulnerability assessment, a strategy commonly used to safeguard external-facing services, can be applied to internal systems. Scan all critical servers that employees use, identify weaknesses that could be exploited by internal staff, and take the necessary steps to fix them before those vulnerabilities are exploited.
Monitoring misuse of assets
In addition to security policies that employees must follow, monitoring of employees is often required and can radically improve the security posture. Video cameras and keystroke logging are examples of additional monitoring mechanisms that can be used. However, some of these measures can be illegal, for instance as an invasion of privacy, and a company can be sued and suffer reputational as well as financial damage if found in breach of privacy laws, so any monitoring must be done within the confines of the law. Web content filters can be used to monitor and restrict employees' access to websites such as competitor sites, pornographic content and hacker-tool sites where an employee could obtain tools for hacking. To be safe, organizations should inform employees of all the mechanisms used to monitor them, so that employees can consent to monitoring or restrictions in their work environment that could expose information they would wish to keep private.
About the author
Erdal Ozkaya is a solutions-focused professional with a comprehensive background in information technology and cybersecurity. He worked at Standard Chartered, where he was regional CISO and managing director of the Middle East, Africa and Pakistan. Before working at Standard Chartered, he was a security advisor and cybersecurity architect at Microsoft. He is a well-known public speaker, an award-winning technical expert, an author and a creator of certifications for organizations such as Microsoft, EC-Council and other expert-level vendors. Ozkaya is a graduate of Charles Sturt University in Australia.