Securing Human Designs and Preventing IP Theft

Transcription

1 Help Combat Property Theft The bring your own device movement is sweeping through corporations, increasing productivity and collaboration. But figuring out how to secure devices remains a top concern for HR departments. Ladan Nikravan 16 talent management magazine

2 In 2007, Certegy Check Services, a subsidiary of Fidelity National Information Services, revealed that one of its employees had been pocketing customer records and selling them to a data broker. Records included credit card, bank account and other personal information, and according to Network World, a weekly IT publication, Certegy estimated the breach affected 8.5 million customers. The thief got jail time, a multimillion-dollar fine, and Certegy paid out nearly $1 million in donations and court costs. Certegy isn t alone. Data loss attacks affected more than 1 billion people in the last five years and more than 60 percent of those incidents were the result of hacking, according to the 2013 Data Loss Barometer report from KPMG, which analyzed incidents since 2007 across industries, types of data loss and global regions. According to the report, data loss threats have risen substantially with the use of mobile devices for business purposes, and personally identifiable information continues to be the top data loss type. Industries such as health care and On the Web Technology changes are reordering the way people work. Prepare your organization for this shift so employees can operate with passion, purpose and strength: talentmgt.com/ articles/view/1410. professional services, which maintain the largest databases of personal information, saw 18.5 million people affected by PC theft, which accounted for one-third of all data loss incidents in those sectors for the first half of Some people may take data because they think they ll have a competitive advantage over other applicants if they apply to work for a competitor that does the same type of work. They say, Hire me, I can bring over all of these clients and customers, said David Strand, a partner at Fisher & Phillips, a law firm representing employers nationally in employment, labor and Figure 1: Measuring the Development of a Security Awareness Program Metric When It Is Name What Is Measured How It Is Measured Measured Details Training completion Who has or has not completed annual security awareness training. Reports from LMS or sign-in sheets for onsite workshops. Annually Primary training is when people are taught all awareness material for the first time or in a single sitting, usually online computer-based training or onsite workshops. Communication methods Policy sign-off Source: SANS Securing the Human Types of reinforcement training, who it is being communicated to and how often. Ensuring employees have completed training, acknowledge they understand the training and will adhere to the policies. Types of materials distributed to communicate program. Signature or sign-off. Part of annual review. For a security awareness program to have an impact, it must be communicated to people on a regular basis. This metric measures other communications methods that repeat and reinforce lesson objectives from annual training. Examples of such metrics can include: hits to internal security blog or website. newsletters, posters or screensavers. Tip of the day questions. Number of attendees for lunch and learns. Number of attendees for podcasts and webcasts. Mousepads and sticky pads. Number of s sent. From a compliance perspective you may be required to document that employees not only received training, but acknowledge they understand and will follow the training. talent management magazine 17

3 Figure 2: Measuring the Impact of a Security Awareness Program Metric When It Is Name What Is Measured How It Is Measured Measured Details Phishing awareness Number of people who fall victim to a phishing attack. Phishing assessment These attacks replicate the same ones cyber attackers are using. The goal is to measure who falls victim to such attacks. This number should decrease over time as behaviors change. Phishing awareness Infected computers Awareness survey Behavior survey Employee feedback Testing Secure desktop Passwords Social engineering Sensitive data Data wiping Number of people who detect and report a phishing attack. Number of infected computers. understand and are following security policies, processes and standards. Top lessons employees have learned and top behaviors changed because of this. Do employees like the training, and are they engaged? If they do not like the training, your program will not have an impact. understand security expectations, specifically the behaviors they should change and how. are securing their desk environment before leaving, as per organizational policy. Number of employees using strong passwords. can identify, stop and report a social engineering attack. Number of employees posting sensitive organizational information on social networking sites. are properly following data destruction processes. Phishing assessment Help desk or centralized AV management software. Online survey Online survey Online feedback forms Online testing Nightly walk-through Password brute forcing. Phone call assessments Online searches for key terms Check digital devices that are disposed of for proper wiping. or weekly or quarterly Random Uses the above methodology, but instead of tracking who falls victim, it tracks who identifies the attacks and reports them. This number should increase over time. Most infected computers are a result of human behavior (infected attachments, malicious links, etc.). As employees are trained, this number should go down over time. Employees take a survey on questions that determine understanding and following of policy. Questions can include if people share passwords, know how to contact security, and if they have been hacked. This survey is not interested in people's understanding of policies. Instead, we want to collect what the key points are that people are taking away from the training and what the most common behaviors are that we are changing. The ultimate goal is to create training not only that people want to take, but training they want to share with others. If you have employees asking if their family can take the training, you have created a truly engaging program. Questions that specifically test knowledge of security awareness training. Specifically if they know what behaviors they need to change and how. Security team does walk-through of organizational facilities checking each desktop or separate work environment. Looking to ensure that individuals are following organizational desktop policy. Security gains authorized access to system password database (such on AD or Unix server) and attempts to brute force or crack password hashes. Security team calls random employees attacking as an attacker would and attempting to social engineer the victim. Example could be pretending to be Microsoft support and having victim download infected antivirus. Do extensive searches on sites such as Facebook or LinkedIn to ensure employees are not posting sensitive organizational information. Any digital devices that are disposed of (donated, thrown out, resold) may contain sensitive data. Check to ensure proper wiping procedures. Physical security understand, follow, and enforce your policies for restricted or protected access to facilities. Test how many employees are wearing their badges or stopping those who are not. or weekly For many organizations physical security is a major control in reducing risk, especially when dealing with secured facilities. This metric will test and measure people s understanding and enforcement of this control. Source: SANS Securing the Human employee benefits matters. Some people unwittingly think, I created this stuff when I was working here, it s rightfully mine. Andrew Sherman, a senior partner at global law firm Jones Day, said some intellectual property thieves use a psychological justification. They think, I didn t get a bonus this year, I m unhappy with where I am in the company, this is my revenge, he said. Others are into the sport of hacking. They ll tap into databases and remove data just to prove that they can. It gives them a rush. Depending on the type of data loss, an incident can be a major risk to a company s revenue and reputation. That is why having a written policy in place is important. 18 talent management magazine

4 A well-communicated policy dictating the use of company systems, devices and the transfer of information make governing data more manageable. The policy should note, Regardless of if you re using our or your own technology, we can install security software on that device and will monitor that device, said Lance Spitzner, training director for SANS Securing the Human, an IT/information security awareness training consultancy. But mentioning this once isn t enough; it has to be communicated, trained and measured. Spitzner s team offers metric tools designed to give HR and security leaders the ability to track and measure the impact of their security awareness programs and policies (Figures 1 and 2). These metrics measure the human element, specifically people s behaviors and awareness toward intellectual property theft. He said these metrics help conduct a root cause analysis for incidents, and in his experience, most HR leaders discover the vast majority of infected systems and leaks are not a technical issue, but a human issue. Employees slip up, and it affects them as well as the company. Continually explain the benefits of the policy to employees, said Jerry Irvine, chief information officer for IT outsourcer Prescient Solutions and a member of the National Cyber Security Task Force. By having specific tools in place, adhering to policies, especially regarding their personal devices, they are keeping their personally identifiable information from being stolen. Hacking today, or the target of malicious activity, is no longer just corporate data. Identity theft makes money. Employees should not have more information than necessary, and those who are ing too much data from their professional to a personal should be monitored. Figure 3: Data Loss Trends by Sector Number of incidents as a percentage of total for 2012 Law Other business sectors 21.8% 2.5% Insurance 1.2% Financial services 3.2% Not for profit 3.7% Professional services 5.2% Health care 7.9% Media 8.3% Retail 8.3% Technology 8.6% Education 12.6% Data services 0.4% Irvine said companies should invest in data loss prevention applications, mobile device management and mobile information management products, which are preventative and data-centric as opposed to traditional, reactive security measures. These technologies enforce security policies, block employees from installing malicious apps and encrypt data. By controlling and protecting the data and configuration settings for all mobile devices in the network, HR leaders can reduce support costs and business risks. Irvine said the major pitfall is these tools cannot completely segment personal information from professional information. As a result, everything remains commingled. There are dual persona capabilities within mobile devices that are being introduced right now which allow Source: KPMG, 2013 Government 16.4% you to have your personal life in one portion of the device and your business life in another portion, but those technologies are too young, said Scott Eason, global vice president of sales for retail and financial services THEFT continued on page 53 talent management magazine 19

5 Reader Reaction Our LinkedIn followers told us what they think HR s role is in intellectual property security. Anand Chandarana: like a lot of other components of HR, it depends on where knowledge management resides within an organization. How are knowledge management, l&d and HR structured and connected? Are the three functions intertwined, and are they centralized or decentralized? HR should be actively defining, monitoring and incentivizing the organization s strategies relating to intellectual property security. Thomas Mungavan: Regardless of the security risk, HR is often using others intellectual property for training and other activities. Some organizations are very casual about protecting the copyrights of others and expose themselves and their companies. If there is a leak due to security and HR has a track record of unenforced copyright policies, the company exposure can be very high. The larger the company, the bigger the target for lawsuits. Gerry Peyton: First, contractual compliance is critical. If in doubt, review employment contracts and ensure all bases are covered, during and after employment. Second, internal knowledge management and governance. No one should be indispensable, and knowledge should be logged and captured as effectively as possible. This requires robust operational procedures. Third, the organization needs to work even harder at keeping employees engaged. This requires a high-maintenance HR approach to ensure pay and benefits are constantly reviewed and updated, and employee development and career management are high profile. What do you think? Join the discussion at tinyurl.com/ b86385u or join our Talent Management LinkedIn group. how hr CAn PROteCt DAtA AnD MOnItOR employees ACtIOnS HR leaders must understand what they are trying to achieve with an intellectual property monitoring practice and how to establish a business case for doing so. Each industry has a unique set of needs for protection. upfront transparency with solid communication and training is necessary to establish trust and keep an engaged workforce committed to upholding a policy. The policy should well define the areas of the business considered to be intellectual property, what systems may be monitored to protect intellectual property, and finally what are the intended consequences of violating this policy. Given the rapid shifts in business and technology, your policies will need re-evaluation again in a few months, and maximum a year after implementation. Kim Cassady, director of HR at Cornerstone OnDemand, a talent management software services firm. THEFT continued from page 19 for Verizon Enterprise Solutions Financial Services, a security and IT company. Even when things are compartmentalized, employees need to know that legally, using a device, work or personal, for business reasons, the company has rights to the data that resides on that device. According to Verizon s 2012 Data Breach Investigations Report, most of the thefts are carried out by determined adversaries who target intellectual property as a shortcut to attain a strategic, financial, technological or related advantage. While technology that helps eliminate breaches is a start, Eason said HR leaders need to consider this an engagement issue as much as an IT issue. Forty-six percent of theft comes from internal threats or agents, he said. Eighty-seven percent of theft comes from external agents. That adds up to more than 100 percent, which means that an employee is collaborating with an external actor to do harm to a company, which is a clear sign of disengagement. To prevent this, Eason said it s important to monitor engagement surveys closely and ensure employees only have access to the data they need to perform their job functions and lose all access after leaving the company. As employees move throughout the firm to different functions, HR leaders must ensure they deactivate data sets that are no longer needed. Employees should not have more information than necessary, and those who are ing too much data from their professional to a personal account should be monitored. With big data trends, analytics and data mining, your information is the premier asset of your company, Jones Day s Sherman said. This is dynamic information that may have multiple revenue streams attached to it. The more training, communicating and engaging you do, the better it is for your business. talent management magazine 53