Start networking and exchanging professional insights

Register now or log in to join your professional community.

Follow

How can A company balance trusting employees with protecting itself?

user-image
Question added by Fida Abo Alrob , Sr. Copywriter , Imena Digital
Date Posted: 2014/12/24
Emad Mohammed said abdalla
by Emad Mohammed said abdalla , ERP & IT Software, operation general manager . , AL DOHA Company

The HR department should devise strategies and guidelines to ensure that workplace confidentiality is maintained. Here are some effective steps which can be taken to protect information.

  • The human resource professionals should take necessary steps to prevent the misuse of information that is personal. This is applicable to the HR department as well. Personal files of employees and the management should be safely stored to avoid misuse, loss or unauthorized access.
  • Once the policies are devised, the next thing to do is to communicate the same to all the employees, supervisors and managers. Training them about the confidentiality issues by giving them printouts of the policy or holding meetings and seminars in the office which teach the importance of confidentiality to the employees, should be done on a regular basis.
  • It is very important that the employees know which actions of theirs will be considered as a breach of confidentiality and what will be the consequences of the same, to deter them from doing so.
  • With most of the information these days stored electronically, to ensure its safety, sophisticated electronic methods such as firewalls, password protection, encryption, etc. should be adopted. This will keep the access, usage and transmission of the protected data, safe.
  • Disposing off sensitive information in the right manner, if it's not required anymore is equally important. The employer or the human resource personnel should do it in such a way that there are no potential leaks.

The privacy policies and guidelines should be updated regularly according to the new laws devised by the government. The same should be communicated to the employees to ensure their compliance. By maintaining the confidentiality standards in the workplace, an organization not only protects itself from legal hassles but improves the employee productivity as well by providing them with a secure and safe work environment.

VENKITARAMAN KRISHNA MOORTHY VRINDAVAN
by VENKITARAMAN KRISHNA MOORTHY VRINDAVAN , Project Execution Manager & Accounts Manager , ALI INTERNATIONAL TRADING EST.

Entrust the key areas the responsibility of which with the Qualified and experienced hands with proven track record, Well controlled  efficient administrative support for the system in use, have clear cut work-book for the policies and procedures with necessary amendments from time to time, adequate internal check system, separation of monitory functions with separate departments with cash and banking operations in the hands of qualified financial heads/supervisory system. Departmentalization for other departments will also prove good. 

Agree with the expert answer already provided.

Faisal Felimban
by Faisal Felimban , إداري الأمن السلامة في مصنع البلمرة , شركة الجبيل للبتروكيماويات

The company must provide a clear Procedures, Guidelines and Integrity Management and Operation Systems

Saiful Islam Hiron
by Saiful Islam Hiron , Site HR Manager , Handicap International

Ensure:

1. Employee accountability.

2. Commitment.

3. Comfortable and trusty environment.

4. Team work culture.

5. Appreciate good work.

Vinod Jetley
by Vinod Jetley , Assistant General Manager , State Bank of India

Are Insiders Really a Threat?

The threat of attack from insiders is real and substantial. The2006 E-Crime Watch Survey conducted by the United States Secret Service (USSS), the SEI CERT Program, and CSO Magazine, found that in cases where respondents could identify the perpetrator of an electronic crime,32% were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of almost $700 million. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of80 employees.

Over the past several years, CERT has been conducting a variety of research projects on insider threat. One of the conclusions reached is that insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. These acts have ranged from low-tech attacks, such as fraud or theft of proprietary information, to technically sophisticated crimes that sabotage the organization’s data, systems, or network. Damages are not only financial; widespread public reporting of the event can also severely damage the organization’s reputation.

Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion-detection systems, and electronic building-access systems are implemented primarily to defend against external threats. However, not only are insiders aware of the policies, procedures, and technology used in their organizations, but they are often also aware of their vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems.

Partnering with the USSS, CERT has been conducting the Insider Threat Study, gathering extensive insider threat data from more than150 case files of crimes involving most of the nation’s critical infrastructure sectors. To date, researchers have published two reports documenting the results of the study: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector and Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. This study shows that use of widely accepted best practices for information security could have prevented many insider attacks or detected them earlier. Rather than requiring new practices or technologies for prevention of insider threats, the research instead identifies existing best practices critical to the mitigation of the risks from malicious insiders.

Who Is The Suspicious Insider?

Disgruntled technical staff members, both before and after termination, must be recognized as potential threats for insider IT sabotage. Data pertaining to fraud and information theft suggest that organizations must exercise some degree of caution with all employees. Current employees in practically any position have used legitimate system access to commit these types of crimes. (Of special note is that almost half of the employees who stole information while still employed had already accepted other job offers.) Unfortunately, there is no profile of an insider who poses a threat to an organization; the threat can be recognized based only on a combination of patterns of behavior and online activity.

Can Insiders Be Stopped?

Insiders can be stopped, but stopping them is complex. Insider attacks can be prevented only through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of an organization, including its business policies and procedures, organizational culture, and technical environment. Managers must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used.

Too often organizations allow the quality of their practices to erode as no malicious activity is detected over time. One of the vulnerabilities posed by insiders is their knowledge of exactly this: the quality of their organization’s defenses. Based on our research to date, the practices outlined below are the most important for mitigating insider threats.

Practices for Preventing Insider Attacks

The following13 practices for preventing insider attacks will provide an organization with defensive measures that could prevent or facilitate early detection of many of the insider attacks other organizations have experienced. This is an overview of the best practices covered in the "Common Sense Guide to Prevention and Detection of Insider Threats,1st Edition; see the complete document for more details.

Practice1: Institute periodic enterprise-wide risk assessments.

It is difficult for an organization to determine the proper balance between trusting its employees, providing them access to achieve the organization’s mission, and protecting itself from those same employees. Access combined with knowledge of the organization’s vulnerabilities in both technology and business processes gives insiders the ability to carry out malicious activity against their employers. An organization must protect itself from both insiders and outsiders using risk-management principles. The organization must take an enterprise-wide view of information security, first determining its critical assets, then defining a risk-management strategy for protecting those assets from both insiders and outsiders.

Practice2: Institute periodic security awareness training for all employees.

A culture of security awareness must be instilled in the organization so that all employees understand the need for policies, procedures, and technical controls. The first line of defense from insider threats is the employees themselves. All employees in an organization must understand that security policies and procedures exist, that there is a good reason that they exist, that they must be enforced, and that there can be serious consequences for infractions. Each employee must be aware of the organization’s security policies and the process for reporting policy violations.

Practice3: Enforce separation of duties and least privilege.

If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the cooperation of another individual within the organization is limited. Effective separation of duties requires the implementation of least privilege, that is, authorizing people only for the resources they need to do their jobs. 

 

Practice4: Implement strict password and account-management policies and practices.

No matter how vigilant employees are in trying to prevent insider attacks, if the organization’s computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated mechanisms in place to prevent insider attacks.

Practice5: Log, monitor, and audit employee online actions.

If account and password policies and procedures are enforced, an organization can associate online actions with the employee who performed them. Logging, periodic monitoring, and auditing provide an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences ensue.

Practice6: Use extra caution with system administrators and privileged users.

Typically, logging and monitoring is performed by a combination of system administrators and privileged users. Therefore, additional vigilance must be applied to those users.

Practice7: Actively defend against malicious code.

System administrators or privileged users can deploy logic bombs or install other malicious code on the system or network. These types of attacks are stealthy and therefore difficult to detect in advance, but practices can be implemented for early detection.

Practice8: Use layered defense against remote attacks.

If employees are trained and vigilant, accounts are protected from compromise, and employees know that their actions are being logged and monitored, disgruntled insiders will hesitate to attack systems or networks at work. Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote-access policies and procedures must be designed and implemented very carefully.

Practice9: Monitor and respond to suspicious or disruptive behavior.

In addition to monitoring online actions, organizations should closely monitor other suspicious or disruptive behavior by employees in the workplace. Policies and procedures should be in place for employees to report such behavior when they observe it in coworkers, with required follow-up by management.

Practice10: Deactivate computer access following termination.

When an employee terminates employment, whether the circumstances were favorable or not, it is important that the organization have in place a rigorous termination procedure that disables all of the employee’s access points to the organization’s physical locations, networks, systems, applications, and data.

Practice11: Collect and save data for use in investigations.

Should an insider attack, it is important that the organization have evidence to identify the insider and follow up appropriately.

Practice12: Implement secure backup and recovery processes.

Despite all of the precautions implemented by an organization, it is still possible that an insider will attack. Therefore, it is important that organizations prepare for that possibility by implementing secure backup and recovery processes that are tested periodically.

Practice13: Clearly document insider threat controls.

As an organization acts to mitigate insider threat, clear documentation will help to ensure fewer gaps for attack, better understanding by employees, and fewer misconceptions that the organization is acting in a discriminatory manner.

Kathy Mustafa
by Kathy Mustafa , Personal Assistant to CEO- Managing Sales and Marketing Departments , Saudi Kinda Real Estate

That's what contracts and employment agreements are for. Upon employment you are handed a company manual with company rules, policies, guidelines, etc., in which you must sign and gets filed into your employment docket. 

More Questions Like This