The term “malicious insider” may conjure up an image of a faceless individual sitting in front of a screen in a dark room. Yet it describes a very real threat that is of growing concern to CHROs and CISOs alike. According to a new report by Proofpoint, 36 per cent of Singapore-based CISOs say they experienced a malicious or criminal insider incident over the last 12 months.
Globally, the picture is worse: in the Cybersecurity Insiders’ 2024 report, 83 per cent of surveyed organisations said they experienced at least one insider attack in the last year, and some leaders reported the number of attacks increasing by up to five times.
The rise of these “insider threats” or “internal security risks” is troubling because they are often harder to detect than external attacks, and the cost per incident is significant. The same report found that roughly one in three organisations (32 per cent) estimate the cost of such incidents at between $100K and $499K, and other leaders put it higher still, at $500K to more than $2M.
Although protecting the business is not formally HR’s job, HR teams have the power to shape a cyber-secure work culture and to “secure the front door” through proactive measures such as comprehensive background screening during recruitment, which verifies that an applicant is who they claim to be.
The role of HR in mitigating insider threats
To protect the business from insider threats, guardrails should be in place from the start. Anyone who will be given access to your systems must first go through a robust screening and background-check process.
Corporate Compliance Insights likewise advises that organisations must stay on “high alert”, but that they can reduce insider threats by implementing strong access controls on data, comprehensive security training, rigorous background checks and screening processes, and exit procedures that ensure access is revoked promptly when a worker leaves.
Although HR teams can influence insider threat protection, we also recommend a cross-functional approach that brings together HR, IT security, legal and compliance to “prevent, detect, and respond” to malicious insiders while safeguarding legal compliance. Below, we outline the top ways to stop insider threats before they start.
The top 5 ways to guard against malicious insiders
1. Foster cross-collaboration and open communication
Promote an open-door policy so employees feel safe reporting suspicious activity. Cultivate a risk-aware culture in which teams collaborate to secure the organisation, with clear communication and accountability expected of every employee.
2. Conduct comprehensive background screening
HR leaders must verify a candidate’s credentials, work history, criminal record and other relevant details before hiring. This evaluation reduces hiring risk, supports compliance and helps ensure the right-fit candidate is hired for the job.
3. Provide security awareness training
One of the key barriers to raising awareness of insider threats and cybersecurity generally is that security is perceived as “boring” or “complicated”. Leaders can make training more human-centric and influence behaviour by nudging employees at specific high-risk moments, such as when they are about to share data outside the organisation.
4. Establish clear policies
Set out clear written policies and back them with a comprehensive risk management framework that integrates risk identification, assessment and mitigation across all levels of the organisation. Monitor and review your risk management strategies so they adapt to evolving risks and your controls remain effective.
5. Conduct regular internal audits
Internal audits are a key way to detect malicious insiders and the mismanagement or misappropriation of assets. Complement them with internal data controls and routine checks for unauthorised or unusual activity, for example access by accounts that should have been disabled when their owner left. Combined, these practices go a long way toward protecting your business.
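As an added example (not part of the original post or of RMI’s material), here is the kind of routine check that the exit-procedure point and item 5 above describe, written as a small Python script. It cross-references an HR roster against authentication and file-access log lines to flag three things: accounts still active after their owner’s last day, accounts that authenticate but have no HR owner, and unusually large after-hours downloads. The roster, the log format, the field names and the thresholds are all assumptions, and the sample data is constructed for illustration.

```python
"""
Cross-check an HR offboarding roster against authentication / file-access
logs. Added example: the roster, log format, event names and the 1000 MB
after-hours threshold are assumptions, and all sample data is constructed.
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed HR roster: user -> last working day (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2024, 5, 31),
    "carol": None,
    "dave": date(2024, 6, 3),
}

# Constructed log lines: "<ISO timestamp> <user> <event> <detail>".
# For FILE_DOWNLOAD the detail field is the size in MB.
SAMPLE_LOG = """\
2024-06-03T09:12:05 alice LOGIN_OK vpn
2024-06-03T09:40:17 bob LOGIN_OK vpn
2024-06-03T09:41:02 bob FILE_DOWNLOAD 120
2024-06-03T10:05:44 carol LOGIN_OK sso
2024-06-03T22:15:09 carol FILE_DOWNLOAD 900
2024-06-03T22:16:31 carol FILE_DOWNLOAD 750
2024-06-03T22:18:03 carol FILE_DOWNLOAD 700
2024-06-04T08:00:00 dave LOGIN_FAIL vpn
2024-06-04T08:00:10 dave LOGIN_OK vpn
2024-06-04T11:30:00 eve LOGIN_OK sso
"""

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed office hours


def parse_log(text):
    """Parse the constructed 'timestamp user event detail' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return events


def flag_terminated_access(roster, events):
    """Successful activity by an account whose last working day has passed.

    A failed login is not access, so it is skipped here (it would still be
    worth logging as an attempted use of a leaver's account).
    """
    findings = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            continue
        last_day = roster.get(e["user"])
        if last_day is not None and e["ts"].date() > last_day:
            findings[e["user"]].append(e)
    return dict(findings)


def flag_unknown_accounts(roster, events):
    """Accounts that authenticate but have no owner in the HR roster."""
    return sorted({e["user"] for e in events if e["user"] not in roster})


def flag_after_hours_bulk(events, threshold_mb=1000):
    """Per user and day, total MB downloaded outside business hours."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] != "FILE_DOWNLOAD":
            continue
        if BUSINESS_START <= e["ts"].time() < BUSINESS_END:
            continue
        totals[(e["user"], e["ts"].date())] += int(e["detail"])
    return {k: v for k, v in totals.items() if v > threshold_mb}


def run_checks(roster, log_text):
    """Run all three checks and return one finding string per hit."""
    events = parse_log(log_text)
    findings = []
    for user, evs in flag_terminated_access(roster, events).items():
        findings.append(f"OFFBOARDING GAP: {user} left {roster[user]} "
                        f"but has {len(evs)} event(s) after that date")
    for user in flag_unknown_accounts(roster, events):
        findings.append(f"NO HR OWNER: {user} authenticates but is not in the roster")
    for (user, day), mb in flag_after_hours_bulk(events).items():
        findings.append(f"AFTER-HOURS BULK: {user} pulled {mb} MB on {day}")
    return findings


if __name__ == "__main__":
    for finding in run_checks(HR_ROSTER, SAMPLE_LOG):
        print(finding)
```

On the constructed data the script reports bob and dave (active after their last day), eve (no HR owner, typically an orphaned or shared account) and carol (2350 MB pulled late at night). The point of the design is that the roster comes from HR while the logs come from IT, so the check only works if the two teams share data on a schedule; a leaver HR knows about but IT does not is exactly the gap the exit procedure is meant to close.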
Building a security-conscious workplace
With theft and your business’s reputation at stake, HR leaders must cultivate a security-conscious workplace with baked-in procedures, checks and balances so that malicious insiders are thwarted before they ever enter your workplace and critical systems. It starts with rigorous background checks and continues with ongoing training that lets HR leadership turn their team into security advocates. Cybersecurity and business intelligence are not one team’s or one person’s job; it takes the whole organisation working together to stop incidents and threats before they happen.
While National Insider Threat Awareness Month is still months away in September, we challenge you to review your policies now and ensure your team is vigilant and collaborative about security, and has the tools it needs to protect your organisation. It is too costly and damaging not to be prepared.
To learn more about the RMI approach, read one of our latest blogs: Know your new hires – don’t make these common background screening mistakes.