With how interconnected and cyber-connected nearly every job role can be, every employee is a cybersecurity risk. Research shows that internal actors are responsible for 94% of all lost and stolen assets, while the human element impacts 82% of data breaches.
It’s not to say employees are inherently malicious, but even unintentional clicks on phishing emails or weak passwords can have devastating consequences. You can mitigate this cybersecurity risk by carefully vetting candidates and implementing robust security practices through the hiring process and beyond. Below are some key strategies you can use.
PRE-HIRE
Behavioral Interviewing: Incorporate behavioral interview questions designed to assess a candidate’s past behavior in situations relevant to cybersecurity risk. For example, you could ask, “Tell me about a time you encountered a suspicious email at work. What steps did you take?” or “How do you handle confidential information?”
Technical Security Questions: Tailor technical security questions to the specific role and the candidate’s access level. These questions can assess their understanding of basic security principles like password hygiene, data protection, and identification of phishing attempts. You may even look for candidates with particular security certifications or degrees.
Background Checks: Conduct thorough background checks that include verification of employment history, education, and criminal records. While not a foolproof solution, this can help identify red flags related to financial impropriety or past security breaches. Just be sure that you stay within the legal rights of your jurisdiction. These days candidates can run their own pre-employment checks and even, perhaps, offer the report to potential employers. One example is this Pre-Employment Evaluation Kit (PEEK).
ONBOARDING AND TRAINING
Security Awareness Training: With cybersecurity risk so ubiquitous, security awareness training is imperative for all new hires, regardless of their role. Osterman Research found that smaller organizations could achieve a 70% return on investment (ROI) and larger organizations could achieve more than 500% ROI by implementing security awareness training. This training should cover topics like password management, identifying and avoiding phishing scams, reporting suspicious activity, and best practices for data handling.
Role-Specific Training: Provide additional, role-specific training for employees accessing sensitive data or systems. This training should delve deeper into specific security protocols, compliance requirements, and potential security risks relevant to their job function.
SAFEGUARDS AND BEST PRACTICES
Principle of Least Privilege: Consider implementing best practices like the principle of least privilege (PoLP), granting employees the minimum level of access needed to perform their job duties. This minimizes the potential damage if an employee’s credentials are compromised.
Strong Passwords with Equally Strong Authentication: If your password policy is stuck on forcing employees to change theirs every month, you’re missing the point (that practice can actually lead to easier-to-hack passwords). A strong password policy must be met with internal security measures, including encryption and multi-factor authentication.
Data Gathering, Encryption, Storage, and Backup: Encrypt sensitive data at rest and in transit to add an extra layer of security. It’s also important to up your game regarding storage and backup and be sure you’re following changing laws and industry standards when it comes to data collection.
Security Audits: Conduct regular security audits to identify and address cybersecurity risk factors in your systems and processes. This can be done strictly on the back end, but including the human element can be a smart addition. Some companies will run tests like a (benign) phishing campaign to determine how savvy their employees are (or aren’t).
Above all, remember that cybersecurity is an ongoing process, not a one-time activity. Regularly update your protocols, training materials, and employee awareness campaigns to stay ahead of evolving cybersecurity risk. Also, foster a culture of security within your organization where employees feel empowered to report suspicious activity and ask questions without fear of reprisal.
Remember, cybersecurity risk is pervasive these days. Preventing breaches is a shared responsibility throughout an organization. Hiring managers and HR professionals play a vital role as early as the hiring process.
