This article contains information on managing insider risks associated with new employees, including best practices for prevention, detection, and response, as well as the roles of HR, Legal, and Security teams in ensuring data protection and compliance.
Overview
When you introduce a new employee into your organization, there is a significant level of unfamiliarity on both ends. This unfamiliarity creates risk, which can lead to mistakes, negligence, and overall lack of security awareness. This course will cover industry best practices when it comes to preventing, detecting, and responding to insider risk of new employees.
Prerequisites
- You are an Incydr Administrator or Security Practitioner, with beginner to intermediate experience level.
- You are familiar with Incydr.
Why are New Employees a Risk?
New hires bring fresh ideas and unique skills but can also pose a threat. They can endanger your organization’s sensitive data and IT systems due to carelessness, lack of cybersecurity awareness, or malicious intent. Incydr's Annual Data Exposure Report confirmed that two-thirds (63%) of employees take data with them from one employer to the next, and three in five (59%) employees move to a company in the same industry.
The consequences of this behavior can be more damaging to a new business when a new employee takes data from a former employer and goes to work for a competitor. But most people aren't trying to steal data. They’re doing things like taking their best work to "hit the ground running" in their new position, which might include things like templates and client information. A vast majority of new employees have the very best intentions, but regardless of intention – good, bad, indifferent – their actions put their new company at risk.
Real World Examples
Waymo v. Uber
“Epic” Trade Secret Case Involving Autonomous Vehicles Settles for $244 Million
In a 2018 lawsuit, Waymo said that one of its former engineers who became chief of Uber’s self-driving car project took with him thousands of confidential documents. The lawsuit cost Uber precious time in its self-driving car ambition, which is a key to its long-term profitability. Uber fired its self-driving chief after Waymo sued, and it is well behind on its plans to deploy fleets of autonomous cars in one of the most lucrative races in Silicon Valley.
As part of the deal, Waymo gets a 0.34 percent stake in Uber, worth about $245 million based on Uber’s current $72 billion valuation, a Waymo representative said. The settlement includes an agreement to ensure that Waymo confidential information is not being incorporated into Uber technology, which Waymo has said was its main goal in bringing the lawsuit.
People
It Starts with Stakeholders
Stakeholders help identify key inflection points that can increase or decrease the level of risk within an organization. We recommend that Human Resources, Legal Departments and Security are part of every IRM Program stakeholders team. Specifically, this team helps to establish IRM success metrics, provide process recommendations, and assess results. Active team participation creates a shared sense of responsibility for security across the entire organization and ensures that the IRM program aligns with company culture.
Why Human Resources?
They own the new hire journey. An effective human resources (HR) management department can help provide organizational structure and the ability to meet business needs by managing your business’s most valuable asset – your employees. The HR team will also be involved in key employee life cycle inflection points such as talent management, compensation and benefits for employees, training and development, compliance, and workplace safety.
The role and responsibilities of the HR department can vary depending on the size and structure of the organization, as well as the specific needs of the business. However, there are some general tasks and functions that an HR department might perform in a calendar year that can be included as part of an IRM Program:
- Acclimate new employees with the company and its culture.
- Maintain compliance with relevant laws and regulations, such as those related to equal employment opportunity, health insurance, retirement plans, and paid time off.
- Manage employee development to include providing feedback and coaching to employees, and performance reviews.
Why Legal?
They own the policies that define acceptable new employee behavior. The legal department is typically responsible for all legal and legal-related external matters such as litigation, investigations, compliance, and mergers and acquisitions. This is a diverse, complex, and often unpredictable portfolio of challenges. The role and responsibilities of an in-house legal department can vary depending on the size and type of organization, but some common tasks and functions that an in-house legal department might perform in a calendar year include:
- Provide legal advice and counsel related to contracts, employment law, intellectual property, regulatory compliance, and more.
- Review and negotiate contracts to ensure that they are fair and favorable to the organization, and negotiate any necessary changes.
- Lead litigation such as lawsuits or arbitration, which can involve negotiating settlements or agreements.
Knowledge Check
Question: What are the roles of your stakeholders?
- Human Resources.
- Legal Department.
Choose from:
- Owns the new hire journey.
- Owns the policies that define acceptable employee behavior.
The answer is:
- Human Resources - Owns the new hire journey.
- Legal Department - Owns the policies that define acceptable employee behavior.
Process
Define the Process
No single response is appropriate for all situations because risk varies greatly based on the files and users involved. Therefore, we focus on giving you the information you need to respond to insider risks quickly and appropriately, which may include automated action, corrective conversation, legal action, engaging other stakeholders in your organization, or anything in-between.
Consistency is Key
Playbooks, run books, manuals, and how-to guides are all designed to help those in a situation perform the steps needed to respond to the situation at hand. When it comes to new employees, it's important for each team involved to know their specific duties, and how they fit within the organization's larger on-boarding process. Not only does this make the transition easier for the new employee, it also ensures that security and data protection remains a priority.
As owners of the employee lifecycle and experience, Human Resources is heavily involved in the new employee process. HR's handling of the new employee process can reduce the risks the organization faces. Documented procedures lower the chance of unintentional data loss due to mishandling or missteps, and they can also lower the occurrence of a new hire bringing unsanctioned data with them from a previous employer.
Some of the tasks HR will be in charge of include:
- Clearly communicate the Acceptable Use Policy
- Provide security awareness training
- Manage expectations around employee monitoring of company devices
Along with HR, Legal should be involved in the creation and enforcement of the organization's acceptable use policy, non-disclosure agreement(s), and any other employment agreements to which the employee agreed as part of their hiring process or throughout their tenure at the organization.
A documented investigation procedure should include high and critical risk situations in which the employee's manager and potentially HR and Legal are brought in to determine the appropriate action(s). We recommend an empathetic investigative approach that presumes positive intent.
Empathetic Investigations
Learn more about how to conduct an empathetic investigation with our step-by-step approach.
As with any insider risk investigation, maintaining the privacy of and respect for the affected individual(s) is of the utmost importance. Some organizations require analysts who investigate insider risk events to sign a non-disclosure agreement (NDA) to maintain confidentiality.
What Policies Should be in Place?
Every organization is different, so the required policies will also be different for every organization. Organizations may also have a different name for a policy or have a policy within a larger document (e.g. the acceptable use policy may be part of a larger corporate security policy). With that in mind, here are a few of the key principles that should be documented throughout the employee's tenure and available to reference at their departure:
- Who owns information created by the company or while on company time
- What tools and resources can be used
- What can(not) be kept on company-owned resources
- Personal use of company-owned resources and/or Bring Your Own Device (BYOD)
- Data classification and how to handle data at each classification
Still not sure? Take a look at our Acceptable Use Policy template to get started.
Looking for more in-depth information on a specific team or topic mentioned in this course? Check the Additional Resources section at the end of this course for additional modules.
Technology
Incydr is designed to help detect risk events: suspicious file movement, unapproved sharing, and exfiltration activities. When new employees arrive, they may wish to transfer data from their old company-owned resources to their new company-owned resources. With strong policies in place, new employees should be made aware of what they can and cannot do with new and old company data. Incydr is here to verify data policies are being followed and if a risk event happens, detect it and help respond appropriately.
Detection
Incydr's New Employee Watchlist is specifically designed to help security teams monitor for risk events performed by new employees. By integrating Incydr with your Human Resources Information System (HRIS), new employees can automatically be added to the New Employee Watchlist for increased visibility at speed.
Incydr's Alerts allow security teams to configure alert rules that are triggered when certain actions and/or thresholds are met with data. Users added to the New Employee Watchlist automatically get added to two default alerts, too.
Response
- Incydr's Cases help security teams manage and respond to investigations with tools that collect, organize, and retain user file activity.
- By taking an Empathetic Investigations approach, security is in a much better place to understand why employees are making mistakes and breaking policy. With this understanding, security teams can offer employees the assistance and guidance they truly need to make better decisions with company data.
Incydr Instructor is specifically designed for adult learning to guide employees and help companies prevent and respond to risk events. Instructor's proactive and situational videos are designed to be given before an event occurs (such as annual training or when a role change occurs), while responsive videos can be triggered to send after certain risk criteria have been met.
(To view any videos mentioned below, navigate to the Instructor page in your console or reach out to your CSM for more information).
Proactive
Proactive lessons promote safe security and data handling. These lessons presume positive intent and teach new employees security best practices.
- Insider Risk & You:
  - Remind users about the risks we all pose to data in our day-to-day work, and how to avoid them.
  - Sent annually.
- Risk of Not Separating Personal / Business:
  - What are the dangers of using a company-owned device for personal use?
  - Sent annually.
- Templates (requires login) to keep company data ownership in mind throughout their tenure.
  - Poster templates, communication templates, and response templates are available for Instructor customers for a variety of instances, such as chat applications, iCloud, email, USB, etc.
Situational
Situational lessons empower a more risk-aware workforce based on the employee lifecycle. These lessons are engaging, and teach users how to handle data as their roles and responsibilities change.
- Instructor includes multiple versions of this video, depending on the role of the recipient.
  - This could be sent along with any other pre-hire package. It could also be done in person.
Responsive
Responsive lessons provide just-in-time training as soon as a user makes a mistake. These lessons are non-accusatory and personable, which allows users to learn from their mistakes and build a positive relationship with the security team.
- Sent to match the appropriate triggering action.
- Instructor has a library of videos that correlate with the risk setting detection capabilities of Incydr.
- Security teams should determine whether there are any specific procedures for new employees who are sent an Instructor video as a response. If an event is detected, Security may decide that an inquiry is required to confirm whether any residual risk or follow-up remains.
Ecosystem Integrations
Incydr and Instructor were both designed to fit within an organization's larger ecosystem. In addition to Incydr's built-in detection and response capabilities, integrating with an HRIS, SIEM, and/or SOAR can speed up workflows, collect information in a central location, and perform additional response tasks.
There are many ways to integrate Incydr.
Reach out to your CSM or our sales team for more information.
Summary
New Employee Equals Opportunity
Every new employee represents an opportunity to add positive security practices that will amplify over time. Ideally, each informed and well-trained new employee serves as a beacon that resonates best practices and proactively recognizes potential areas of data risk. And when an employee does exit an organization, companies can feel prepared because they continuously managed expectations around data loss prevention, and practiced layered defense across people, process, and technology at every inflection point along the employee lifecycle.
Knowledge Check
Let's see what we've learned about new employees and IRM programs!
Question One: In addition to the new employee's manager, what other core stakeholders are involved in protecting the organization's data during the new hire process? (Choose all that apply)
- Security.
- Human Resources (HR) / People.
- Finance.
- Information Technology (IT).
- Sales.
- Legal.
The answer is 1, 2, & 6.
Question Two: What is an example policy that lets employees know what they can and cannot do with company resources? (Choose one)
- Bring Your Own Device (BYOD) Policy.
- Acceptable Use Policy.
- Data Deletion Attestation.
- Data Disclosure Policy.
The answer is 2.
Question Three: Match the appropriate Instructor video category with its description.
- Responsive.
- Proactive.
- Situational.
- These lessons provide just-in-time training as soon as a user makes a mistake.
- These lessons empower a more risk-aware workforce based on the employee lifecycle.
- These lessons promote safe security and data handling from the start.
The answer is:
- Responsive - These lessons provide just-in-time training as soon as a user makes a mistake.
- Proactive - These lessons promote safe security and data handling from the start.
- Situational - These lessons empower a more risk-aware workforce based on the employee lifecycle.
Additional Resources
People
Human Resources
Ready to take a deeper dive into HR's responsibilities during the employee departure process? Check out the HR extension course under Departing Employees.
Process
Response Playbooks
Creating response playbooks can ensure everyone knows their responsibility and what the process is during an investigation.
Getting Started with Incydr
General Resources
Questions or Comments?
Reach out to your Customer Success Manager (CSM).