How to Protect Employee Privacy while Battling Insider Threats

Last Updated: December 16, 2021

HR departments need to work together with security and leadership teams to create a healthy employee privacy plan while still protecting themselves against insider threats, writes Samantha Humphries, senior product marketing manager, Exabeam.

Five to ten years ago, a cybersecurity professional would rarely hear the words "insider threat." Today that is no longer the case. Organizations are so busy fighting threats from outside the company that they sometimes forget to look within their own walls. While it is essential for security teams to protect against external threats, insider threats present an equally frustrating challenge. According to a recent Forrester survey, nearly half of all data breaches in participants' organizations were due to insider threats.

"Insider threat" is the term used to describe the category of risk posed by individuals who have legitimate access to an organization's physical or digital assets. The harm can be intentional or accidental. Typically these threats are attributed to employees or former employees, but they may also come from vendors, contractors, temporary workers, or partners.

Every organization would agree that a firm cybersecurity policy is needed to protect the business from threat actors both inside and outside the company's walls. At the same time, regulations such as the General Data Protection Regulation (GDPR) and the newer California Consumer Privacy Act (CCPA) are raising the bar for privacy and data protection for employees and consumers alike. As a result, HR departments and security teams are struggling to balance protecting the company from insider threats against maintaining a reasonable level of privacy for employees.

Below is a breakdown of the reasons behind the increase in insider threats, as well as how HR teams can work with security teams to create a healthy employee privacy plan while still protecting the company.

The reasoning behind the increase in insider threats

The workforce has been undergoing a critical shift over the past several years. It used to be common to have employees who had been in the same organization for over 20 years. Now it is far more common for people to change jobs every few years. According to a recent Gallup report on the millennial generation, 21 percent of millennials say they changed jobs within the past year, more than three times the share of non-millennials who report the same.

A renewed sense of ownership over the data they produce, combined with job-hopping, means more and more individuals take data with them when they leave a company. Someone holding that data can become an insider threat if they are upset about being let go or passed over for a promotion. In addition, buyers on dark web markets will purchase data from an individual in order to compromise the original organization.

As mentioned above, not all insider threats are malicious. Some people compromise an organization unknowingly, with no intention of causing harm. Employees who reuse a weak password or connect to an unprotected Wi-Fi network become an insider threat through negligence. Many organizations still struggle with a "casual" mindset among their employees when it comes to security, and there is a general lack of understanding of the consequences that follow when an external adversary gains access to a corporate account.

Because of this shift in mindset and the increase in insider threats, security teams now need to monitor account activity and user behavior in order to catch malicious or compromised accounts early. This can naturally create a culture of mistrust, as employees raise concerns about being surveilled.


Creating a culture of employee privacy while protecting against insider threats

The most important message on security versus privacy that must be relayed to employees is that it is the account that is being monitored, not the individual. The security team is looking for signs that an account has been compromised or is behaving abnormally, not following a person's every move. Alongside that message, organizations should consider deploying a user and entity behavior analytics (UEBA) solution. A UEBA tool builds a baseline of normal activity for each account and device from the logs the organization already collects, and then flags deviations from that baseline, which is a very different thing from recording what a named person does all day.
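To make the "monitor the account, not the person" distinction concrete, here is an added example of the kind of per-account baselining a UEBA-style check performs. This is illustrative code written for this article, not Exabeam's product logic; the log events, account names, host names, thresholds and the pseudonymization key are all constructed for the example. Two design points matter for privacy: the detection works only on the account's own history (no comparison against a named person's "profile"), and account names are replaced with a keyed hash before they reach any alert, so only whoever holds the key can map a token back to an individual.

```python
"""
Per-account behavioural baselining with pseudonymized account tokens.
Example code written for this article; not Exabeam's implementation.
All events, hosts and the key below are constructed sample data.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed historical events: (timestamp, account, action, source_host, bytes_read)
BASELINE_EVENTS = [
    ("2021-11-01T09:05:00", "jdoe", "login", "laptop-17", 0),
    ("2021-11-01T09:40:00", "jdoe", "file_read", "laptop-17", 200_000),
    ("2021-11-02T08:55:00", "jdoe", "login", "laptop-17", 0),
    ("2021-11-02T10:10:00", "jdoe", "file_read", "laptop-17", 150_000),
    ("2021-11-03T09:15:00", "jdoe", "login", "laptop-17", 0),
    ("2021-11-03T14:00:00", "jdoe", "file_read", "laptop-17", 300_000),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("2021-11-10T09:02:00", "jdoe", "login", "laptop-17", 0),            # normal
    ("2021-11-10T23:40:00", "jdoe", "login", "vpn-gw-3", 0),             # new host, off-hours
    ("2021-11-10T23:45:00", "jdoe", "file_read", "vpn-gw-3", 9_000_000), # bulk read
]

# Assumption: a secret held by the security team and rotated on a schedule.
PSEUDONYM_KEY = b"rotate-me-kept-by-security-team"


def pseudonym(account: str) -> str:
    """Keyed hash of the account name. Alerts and dashboards carry this token,
    not the name, so analysts see accounts rather than people."""
    return hmac.new(PSEUDONYM_KEY, account.encode(), hashlib.sha256).hexdigest()[:12]


def build_baseline(events):
    """Profile each account from its own history: hosts used, login hours, largest read."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for ts, account, action, host, nbytes in events:
        p = profile[pseudonym(account)]
        p["hosts"].add(host)
        if action == "login":
            p["hours"].add(datetime.fromisoformat(ts).hour)
        if action == "file_read":
            p["max_bytes"] = max(p["max_bytes"], nbytes)
    return profile


def score_event(profile, event, volume_factor=10):
    """Return (token, reasons) where reasons lists how the event deviates
    from that account's own baseline. An empty list means nothing unusual."""
    ts, account, action, host, nbytes = event
    token = pseudonym(account)
    p = profile.get(token)
    if p is None:
        return token, ["no baseline for account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append(f"new source host {host}")
    if action == "login" and datetime.fromisoformat(ts).hour not in p["hours"]:
        reasons.append("login outside usual hours")
    if action == "file_read" and nbytes > volume_factor * p["max_bytes"]:
        reasons.append(f"read volume {nbytes} exceeds {volume_factor}x baseline")
    return token, reasons


def find_anomalies(baseline_events, new_events):
    """Score every new event; return (timestamp, account_token, reasons) for deviations only."""
    profile = build_baseline(baseline_events)
    alerts = []
    for ev in new_events:
        token, reasons = score_event(profile, ev)
        if reasons:
            alerts.append((ev[0], token, reasons))
    return alerts


if __name__ == "__main__":
    for ts, token, reasons in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(ts, token, "; ".join(reasons))
```

Run as written, the 09:02 login produces nothing, while the two late-night events from an unfamiliar host are flagged, the second one also for a read volume far above anything that account has done before. Note that the thresholds here are deliberately simple; a production tool would use statistical baselines and peer groups, but the privacy property is the same: the alert names an account token and a deviation, not a person and a narrative.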

Under GDPR and CCPA, it must be clear what data is being collected and how it is used. Another key message that must be driven home: none of the information gathered can legally be used to affect someone's employment status unless the employee has broken a company rule or the law.

Companies need to be transparent about what they are monitoring and why. Working with HR, security teams should avoid jargon: if the security awareness material and the monitoring policy are not written so that an ordinary employee can understand them, they will be inadequate. The plan must be straightforward and available in multiple formats, and there should be a named point of contact whom any employee can reach with questions.

The core of an employee privacy plan

Even for organizations that are not required to comply with data privacy laws like GDPR or CCPA, it is still a good idea to use these five points, which track the data protection principles set out in Article 5 of GDPR, as guiding principles when creating a data privacy plan:

  • Is the data monitoring lawful, fair, and transparent?
  • Is the personal data collected only for a specific, stated purpose?
  • Is every reasonable step being taken to erase or rectify data that is inaccurate or incomplete?
  • Is data deleted once it is no longer necessary?
  • Is the data being appropriately secured?


To achieve and maintain privacy, the key is education. Every individual should recognize the value of working for a company that takes security seriously. When using company machines or networks, employees need to understand that the organization's right to protect itself extends down to each individual's account. An insider threat can do a lot of damage to a company and leave any unsuspecting employee's own data exposed. With the right data privacy plan in place, companies can protect themselves while still allowing their employees to feel trusted at work.

Sam Humphries
Samantha has 20 years of experience in cybersecurity and has held a plethora of roles in that time, one of her favorite titles being Global Threat Response Manager, which definitely sounds more glamorous than it was in reality. She has defined strategy for multiple security products and technologies, helped hundreds of organizations of all shapes, sizes, and geographies recover and learn from cyberattacks, and trained many people on security concepts and solutions. In her current role on the global product marketing team at Exabeam, she is responsible for EMEA, compliance, security strategy, and all things related to cloud.