I’ve written on this topic before, and despite the danger of sounding like a broken record, I will repeat myself: Cybersecurity is all about risk management. Many of you are likely working with your company’s chief information security officer (CISO) and security teams to help assess and control this cyberrisk. (At least I hope you are.) And one of the first things most security professionals recommend is taking an inventory of your IT assets. In fact, it’s embodied in the first Function of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework:
“The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.”
NIST, and my security colleagues, are absolutely correct. How can we secure something if we don’t know what it is? The answer is, we can’t. So, in order to know what we are attempting to secure, we need to identify it, and part of that process is creating an inventory.
Data within the organization may contain personally identifiable information (PII), personal health information (PHI), or credit card and financial data – all of which warrant additional security than less sensitive data, like the company vacation policy or office supply list. This inventory process helps us assess security needs.
Another theme that plays a big role in cybersecurity, and also in the NIST framework, is one I’ve discussed in this space before – the risk introduced by our greatest assets, our employees. We can add layer upon layer of technical defense to our environment, and yet the weakest link will continue be the human element. Be it through malicious action or, much more commonly, innocent error, our people pose the biggest cyberrisk we face. Attempting to mitigate this risk includes implementing security philosophies such as least-privilege access control and the integration of business needs into cyberstrategy, as well as employee training and education.
These are all important topics, and they deserve our attention. Today, I want to discuss a related but slightly different topic: HR inventory. Just as we take an inventory of our IT assets prior to making technical security decisions, we need to take an inventory of our employees prior to making decisions on subjects like policy, access control and education.
Treating each employee the same from a cyberrisk viewpoint is just as inappropriate as treating all IT assets the same. Our finance team likely needs to receive more training on how to identify fake invoice scams, while our executive team needs to understand whale-phishing tactics more than our front-line employees. Traveling employees with laptops should be educated on the risks of local storage of data, as well as the benefits of encryption – and how to implement it. Office-based employees likely need more education on Shadow IT and the risks of introducing unsecured equipment, like personal WiFi routers, into the corporate environment.
Each employee has access to company data that could be impacted if they suffer a breach. This access can be thought of as their data surface area and should be understood and reconciled against the employee’s role and responsibilities within the organization. Just as we assess our IT systems according to the type and sensitivity of data they contain, such as personal, health, financial and company intellectual property, we should be assessing our employees in a similar way. Our HR Inventory should identify which employees have access to which data, and what type of data that is. We can then apply education and training to those individuals in a manner that is appropriate to that level and type.
As we apply perimeter defenses to our technical infrastructure at a general level, and then apply in-depth defense policies to specific assets, we should create a baseline that applies to all employees, and then tailor it to fit different employee groups and roles. As Kevin Mitnick, renowned hacker turned security consultant, has stated: “If an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.”
While this statement is true, it includes two requirements for a breach. The first is stated: the employee complies. This can be addressed through education, and can be enhanced by training tailored to the employee’s position and responsibilities. These can help employees identify when trusted people overstep their authority, and help employees verify that people are who they say they are. The second requirement is implied: The employee has access to data desired by the attacker. Employees should only be granted access to data that is appropriate and required for their role in the organization, and they should be aware of the sensitivity and proper care of that data. This can be addressed through strong access control policies and role-specific education and training.
Cybersecurity and risk management all too often have limited resources and budgets. Given unlimited budget and resources, we might be able to address all cybersecurity requirements; but without it, we need to apply our resources in an intelligent, thoughtful manner to maximize the return on investment. If we are overlooking areas to enhance our security posture at a relatively low cost, that’s a disservice to our organization.
Creating and incorporating an HR inventory isn’t simple, and it requires us to give our organizations and practices a hard look. However, it can make a significant difference in our ability to defend ourselves. Do you know your employee-based cyberrisk?