HR leaders who don’t take a proactive, holistic approach to cyber-security are on the back foot, says Deloitte’s Bill Windle

It’s a celebrated fact that technology continues to place unprecedented power in the hands of individuals. However, this can be a double-edged sword for organisations.

Research consistently finds that malicious insider acts – where an employee or contractor with inside access to a company’s systems intentionally damages their employer – account for more than 20 per cent of high-impact cyber-attacks.*

Yet in many organisations the malicious insider is still an unacknowledged, misunderstood and unaddressed risk. Data does not lose itself and sabotage is a human act typically motivated by revenge. HR leaders need to stop and think: how does your business address and govern employee risk?

Monitoring can do more harm than good

No one wants to work in an organisation where intrusive monitoring and investigations happen and – worse still – happen routinely. Insider threat programmes should be founded on ethics and core values.

Employee monitoring, one of the key defences to stop such attacks, is a good example of where this can often go wrong. Too few businesses have a risk-based and proportionate approach with controls that are both sensible and legal.

Beware the alienated employee

High-achieving organisations usually consist of driven colleagues who share a company culture of values and behaviours. To the surprise of many, research shows that the malicious insider is most often a formerly loyal, permanent employee who has become alienated from their organisation.**

It is a common misconception that the malicious insider is synonymous with the disgruntled employee. The majority of disgruntled employees never come close to betraying their employer. But organisations need to be sensitive to the risk of an employee’s transition from disgruntled to alienated.

The Centre for the Protection of National Infrastructure has found that 76 per cent of insider attacks were self-initiated, meaning the attacker was not recruited or exploited by a third party. The overwhelming majority of attacks are opportunistic. Poor management practices were found to be a key enabler for insider acts.

Companies need to provide the right level of training and support to their core functions, particularly HR, security, legal, privacy and IT – and to line managers across the business.

Adopting a holistic approach

Organisations that are serious about managing their employee risk need to take the initiative and establish a holistic approach. This means managing employee risk in the same way as any other corporate risk, with a single accountable owner at board level, aligned across core functions. The premier UK national guidance in this field is Holistic Management of Employee Risk (HoMER), which is free to use.***

Tactical responses are ineffective

The main barrier to tackling the insider threat usually lies at the top. Most often the CEO and HR leaders place unquestioned trust in long-standing employees. These organisations have no insider threat programme and engagement is confined to pre-employment screening.

An approach like this can be summed up as tactical – always responding to the next attack – and ineffective. Such organisations are on the back foot and manage the wrong risks, opening themselves up to the next high-impact malicious attack.

*IBM-Ponemon 2015, Vormetric, 2016, ‘The Danger from Within’, David M Upton and Sadie Creese, Harvard Business Review, Sept 2014

**The Insider Threat to Critical Infrastructures, National Infrastructure Advisory Council, Insider Threat Study, Final Report, 2008; and Insider Data Collection Study – Report of Main Findings, Centre for the Protection of National Infrastructure, 2013

***Centre for the Protection of National Infrastructure. Contains public sector information licensed under the Open Government Licence v3.0

Bill Windle, FCIPD, is associate director and consulting lead for insider risk for Deloitte UK, and co-author of HoMER