Nurturing Corporate Information Security: Mitigating Employee-Related Risk
- Tal Albarak
- Jun 25, 2023
- 4 min read
Updated: Aug 5, 2024

How to manage employee confidentiality and vetting risks
In addition to cyberattacks, one of the hottest topics in information security is dealing with the risks posed by employees. As technology has advanced, it is not emails or internal systems but people that have become one of the most serious risks to organizations. The level of confidentiality that comes naturally to managers in key positions is not at all obvious to their subordinates, and this leads many of them to mishandle the trade secrets entrusted to them. In this article, we take a look at this phenomenon and offer some tips on how to mitigate the information security risk posed by employees.
What are corporate information security risks?
Information that is properly managed and protected contributes to a business's efficiency and effectiveness, but it can be costly when it is lost or tampered with, both directly in terms of the time it takes to repair or recover it and indirectly in terms of lost business opportunities or missed deadlines.
Leaking sensitive information can result in a loss of competitive advantage, regulatory infractions, or the erosion of long-established trust among customers and workers, all of which can result in missed business opportunities. These are the corporate information security risks.
Employees at the center of confidentiality issues
Most organizations today have at least some level of IT network protection, including firewalls, spam filters, and antivirus programs, to protect against external attacks and potential attempts to gain information.
Behind the myriad solutions, however, is the actual steward of corporate information, the individual himself, who unfortunately remains one of the greatest sources of danger.
Some examples of the human resources risk factor:
● An employee achieves a great business success with his team, which he shares and celebrates on social media, inadvertently disclosing details that were meant to stay inside the company.
● Company data, passwords, and other critical information can easily be read from the employee's carelessly guarded laptop. All it takes is one poorly chosen public Wi-Fi network, and all the information on the computer can fall into the wrong hands.
Why is an information leak a problem for a company?
Information leaks are cases in which data and other information intended for internal use come into the possession of people who are not authorized to have access to them. There are simple and completely harmless cases, but also very complex and serious ones.
Some examples of information leaks that are harmful to organizations are:
● Details of a new product or service (e.g., blueprints or patent details) reach the market prematurely, allowing competitors to prepare to "defend" themselves.
● Details of a future strategic plan are shared with competitors.
● Internal correspondence is leaked, which can damage the company's image.
As mentioned earlier, leaks can be caused by hacking (e.g., the 2014 Sony attack that exposed thousands of sensitive internal emails), accidentally, or intentionally (in the latter case, Julian Assange and the WikiLeaks scandal come to mind).
There are also situations where the whistleblower wants to influence the market directly - in such cases, it is part of a pre-planned strategy (for example, Formula 1 teams use this strategy to provide competitors with false information about technical developments for the next season).
How to avoid information leakage - putting a policy in place
Organizations can use a variety of techniques and practices to limit the risk of workers leaking information, whether purposefully or accidentally.
To begin, it is beneficial to develop and update policies so that employees are aware of possible hazards and may intentionally avoid them. The main objectives of information security governance are:
● To identify threats that could exploit vulnerabilities in the company's resources,
● To identify the vulnerabilities of individual resources,
● To include only those resources that handle valuable data in the analysis,
● To take into account existing protection measures,
● To calculate the residual risk that remains after risk management plans have been implemented,
● To provide a clear overview of how to support compliance with the various data security standards that are currently in force.
However, it is not enough to create and constantly update an appropriate policy; it must also be communicated and consciously applied by employees. This type of policy deserves exactly the same weight, attention, and priority as a fire safety policy or office escape plan.
How to avoid information leakage - Risk assessment
Updating the policy is only possible if the risks in the organization are continuously analyzed. A changing business environment, such as the emergence of a new, aggressively expanding competitor, is as important and difficult to manage as the introduction of home-based or hybrid work.
A classic, modern-day example of the latter is when spouses working for different competing companies are forced to work from home - monitoring and managing such a situation is clearly in the interest of both organizations.
How to avoid information leakage - Tools
Information security can be enhanced by other means beyond traditional network security solutions. Monitoring internal and external communications, restricting file transfers, and even recording keystrokes on company computers are all ways employers can prevent potential leaks. Today, it's easy to ensure that corporate files and programs can only run on highly secure company computers and that no data falls into unauthorized hands.
How to avoid information leakage - Employee assessment
When hiring employees, many companies today attach importance to pre-screening, which goes beyond the mere verification of professional criteria. In addition to soft and hard skills, criminal background checks and various other critical indicators can help employers avoid information leakage. Among other things, a professional background check can rule out the hiring of industrial spies.
How to avoid information leakage - Involving private intelligence companies
Private intelligence agencies can support companies in avoiding the recruitment of hostile individuals who later provide data or other critical information to competitors.
This support can include:
● software tools
● HR pre-screening activities
● monitoring the activities of critical employees and managers
● necessary intervention in case of suspicion
At the same time, screening and monitoring during the employment contract must not infringe on an individual's rights or come at the expense of job performance. It is therefore important that employers strike a balance in the work environment so that all necessary information can be gathered without compromising morale or performance.