Social Network For Security Executives: Help Make Right Cyber Security Decisions
Part 15 of 15: Personnel Management
What Is It? It seems like a long time ago when I began writing this series of fifteen articles, yet here we are at the final one of the Fortifying Fifteen. Thirty-two down, including these, the Essential Eight and the Necessary Nine, and just five more to go in the next series. I digress….
People are, unquestionably, highly valuable to any organisation, but when it comes to cyber security they are probably also the most overlooked, undervalued and mismanaged component, and the one most likely to cause you grief. We’ve all heard the jokes about how the infrastructure would work perfectly if it weren’t for those darned users, but the fact remains that the infrastructure exists to enable the personnel of an organisation to do their jobs.
Personnel management includes vetting people before they join your business, ongoing monitoring while they are with you to protect your systems and data, and proper handling of departing personnel, whether they leave by your choice or theirs. It is a necessary part of the daily grind of running an organisation, and the more there is at stake, the more important it becomes.
Where Do I Start? We don’t need extensive education to realise that different people are motivated by different things. While we could focus for hours on the good in all of us, when it comes to defending your interests and your business we need to focus more on the bad in some of us. Sorry to be the bearer of bad news, but you can’t trust everyone, and rose-coloured glasses ultimately end with bad things happening to good people. It’s also a fallacy to assume that everyone who creates an issue does so from malicious intent. Part of being human is making mistakes. This is the part of Artificial Intelligence that troubles me: it’s created by humans, so human error is innate. A simplified view, I know, but let’s move on, shall we?
At the core of this mitigation strategy, personnel management aims to stop the people associated with your operations (full or part time, contractors, or anyone otherwise connected to your business) from developing malicious intent, and to detect and stop those who act on it before the damage is done rather than after. “Nip it in the bud” comes to mind.
So what drives people to do nefarious (my favourite word) deeds intentionally? Let’s set aside, for a moment, incidents caused accidentally. Money, coercion, ideology, ego, or excitement: the thrill of the hunt. Some look to steal customer details or intellectual property. Others, more frequently, are motivated by revenge or disgruntlement over things like a negative performance review, a denied promotion and, of course, involuntary termination. We’ve all seen them leaving the office, belongings rapidly stuffed into a cardboard box. The desire to cause damage by destroying data and disrupting normal operations is powerful when emotions take over.
I have tremendous respect for people in the business of “managing people” and have held many leadership, management, and executive roles over the years that were not always smooth sailing. When it comes to the wellbeing of your organisation, you need to adopt an objective opinion tempered with a little empathy, a side-order of trust, and a sprinkling of scepticism. It’s hard to deal in absolutes when it comes to matters of the analogue kind.
You can implement all the safeguards you like, technical or otherwise backed up by policy and enforcement, but your people will always be the most important part and often the last line of defence in your cyber security defence-in-depth approach. A friend of mine likes to refer to this as “The Human Firewall”. I’m happy to introduce you to him and his team sometime.
How Do I Make It Work? Good question. You can’t simply buy a solution, but you are still going to pay for one. A common place to begin is when you need someone to join your team. Perform pre-screening and continue with ongoing vetting. This can include verifying previous employment, education and credentials for all staff, and don’t underestimate the value of a criminal history check, at least for those who will have privileged access to systems and data. That said, we all make mistakes, so I think it’s only fair to consider the nature of any past offences; none of us should be permanently blacklisted unless the offence was egregious.
At the other end, consider those going out. Disable, without hesitation, every account a departing employee holds (directory, email, VPN and remote access, cloud and SaaS services, and any shared or service credentials they knew, which should be rotated rather than merely reminded about). For an involuntary termination, the accounts should be disabled no later than the moment the person is notified. Require the return of mobile devices (laptops, phones, tablets), remind them of their security obligations and any penalties for violations, and consider having them sign off on a document as an extra step. Also have them return anything that could facilitate access to sites with computers and data, including ID and access cards and the keys used to enter the organisation's buildings and IT facilities, and make sure the badge itself is deactivated rather than just collected.
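Checking that offboarding actually happened is a different job from asking for it to happen. The following is an added example, not code from the original article: it reconciles a constructed HR leavers list against a constructed identity-directory export and flags leavers whose accounts are still enabled, whose badges are still active, who still sit in privileged groups, or who logged in after their last day. The group names, field names and sample records are assumptions for illustration only.

```python
"""Offboarding reconciliation check (added example, not from the article).

Inputs are a CSV of leavers from HR and a JSON export from the identity
directory.  Both are constructed inline here so the script runs offline.
"""
import csv
import io
import json
from dataclasses import dataclass
from datetime import date

# Assumed privileged group names; substitute the ones that matter in your estate.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "VPN Users"}

# Constructed sample: what HR hands over.  last_day is the final working day.
HR_LEAVERS_CSV = """user_id,last_day,reason
jdoe,2024-03-29,resigned
mlee,2024-04-05,dismissed
pkim,2024-06-30,contract end
"""

# Constructed sample: a directory export joined with badge-system status.
DIRECTORY_EXPORT_JSON = json.dumps([
    {"user_id": "jdoe", "enabled": False, "groups": ["Staff"],
     "badge_active": False, "last_login": "2024-03-28"},
    {"user_id": "mlee", "enabled": True, "groups": ["Staff", "Server Operators"],
     "badge_active": True, "last_login": "2024-04-07"},
    {"user_id": "pkim", "enabled": True, "groups": ["Staff"],
     "badge_active": True, "last_login": "2024-04-08"},
    {"user_id": "asmith", "enabled": True, "groups": ["Staff"],
     "badge_active": True, "last_login": "2024-04-08"},
])


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str
    detail: str


def load_leavers(csv_text: str) -> dict[str, date]:
    """Map user_id -> last working day from the HR CSV."""
    return {row["user_id"]: date.fromisoformat(row["last_day"])
            for row in csv.DictReader(io.StringIO(csv_text))}


def load_accounts(json_text: str) -> dict[str, dict]:
    """Map user_id -> directory record from the JSON export."""
    return {acct["user_id"]: acct for acct in json.loads(json_text)}


def find_offboarding_gaps(leavers: dict[str, date],
                          accounts: dict[str, dict],
                          today: date) -> list[Finding]:
    """Return one Finding per offboarding control that was not completed."""
    findings: list[Finding] = []
    for user_id, last_day in sorted(leavers.items()):
        if last_day > today:
            continue  # still employed; nothing should be disabled yet
        acct = accounts.get(user_id)
        if acct is None:
            continue  # account already deleted: nothing left to check
        if acct["enabled"]:
            findings.append(Finding(user_id, "account-enabled",
                                    f"last day {last_day}, account still enabled"))
        if acct["badge_active"]:
            findings.append(Finding(user_id, "badge-active",
                                    "building access card still active"))
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        if privileged:
            findings.append(Finding(user_id, "privileged-groups",
                                    "still a member of: " + ", ".join(privileged)))
        last_login = acct.get("last_login")
        if last_login and date.fromisoformat(last_login) > last_day:
            findings.append(Finding(user_id, "login-after-last-day",
                                    f"logged in {last_login}, after last day {last_day}"))
    return findings


def run(today_iso: str = "2024-04-10") -> list[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return find_offboarding_gaps(load_leavers(HR_LEAVERS_CSV),
                                 load_accounts(DIRECTORY_EXPORT_JSON),
                                 date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run():
        print(f"{f.user_id}: {f.issue} ({f.detail})")
```

Run daily against fresh HR and directory exports; anything it prints is an offboarding step that was requested but never completed. The dismissed sample user is exactly the case in the story below: account, badge and privileged group all still live days after departure. Accounts with no HR record at all (like the fourth sample record) are deliberately left alone here, since that is a separate joiner/mover reconciliation rather than an offboarding check.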
While your team is with you, ongoing education is crucial. Teach employees never to share or otherwise expose their access (passwords, access cards, and so on). This is a topic all on its own, and we could spend hours on things like getting employees to lock their screen whenever they step away from their computer. Just make staff education and user training a regular part of your operations. We’re human. We forget things.
At the top end, a strong mitigation is keeping people engaged, which deters them from taking actions out of feeling unappreciated or “left out”. Executives and management can reduce some of these issues by fostering a culture of appreciation through social activities, fair remuneration and merit-based career advancement. I once worked in an organisation, many years ago, where people advanced simply because they outlasted everyone else and not because they deserved it. The possibilities are endless.
It may sound a bit extreme, but I have seen it done a few times: where employees have access to highly classified or extremely sensitive data, a psychological assessment should be performed by qualified professionals (within whatever limits local employment and privacy law set). This can expose allegiances and beliefs as well as weaknesses that nefarious entities could exploit. Nobody wants to be a rat, I get that, but employees should be encouraged to report unusual behaviour by colleagues to the appropriate teams, and even to talk about their own significant life changes such as financial, relationship and health problems.
Look out for one another and take care of each other. Sound soft? Genuinely caring for someone can make all the difference in the world so don’t underestimate its power when it comes to the security of your business and data.
Pitfalls? There are far too many to mention here when it comes to personnel management, but there are just as many positives. The biggest pitfall can be from apathy, indifference, and not communicating with one another. Stay engaged.
Ghosts in the Machine? I’ve had one case where a dismissed employee returned after hours and was let in by staff who didn’t know he had been let go. He managed to get maintenance to let him into the server room and, without going into details, bad things happened. Securing your enterprise from personnel threats often requires the assistance of everyone else. It’s tough to see it happen, especially if they were close, but necessary. Self-preservation is a powerful thing.
Anything Missing? It probably goes without saying, but some underpinning technology is a worthwhile investment: monitoring of privileged account use and of access to restricted data, web and email content filtering, DLP, and more.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock