HR: why it’s a frontline defense for cyber security

In today’s business landscape, nearly half of the modern enterprise is made up of non-employee identities. Whether they are contractors or temporary workers, businesses have a myriad of different identities tapping in and out of their networks. This workforce trend has proven to be a strategic advantage for enterprises, giving them the flexibility to adapt to rapidly changing market conditions while having access to specialized skills on demand.

While the business advantages of using non-employee identities such as freelancers are undeniable, this growing reliance on third-party labor has simultaneously introduced new security challenges and risks. Organizations need to take a closer look at who is part of their network or risk the wrong identities creeping into their systems – and this ‘monitoring process’ starts with HR, which must work carefully with IT to verify people are who they say they are.

Yet, despite HR being vital to the access process, three-quarters (76%) of UK organizations are yet to integrate HR into their identity security strategy, missing a key ingredient in securing their organization. With this in mind, let's explore why organizations need to include HR as a key user and stakeholder in their security programs and practices.

Steve Bradford

Senior Vice President for EMEA at SailPoint.

How should HR fit into the security landscape?

HR teams are a vital frontline asset for monitoring the identities inside an organization due to their oversight of people. Whether during the hiring process or the exit process, HR teams should know who is moving in and out of a company.

HR teams are often responsible for onboarding employee information into internal HR systems. By doing this, they have visibility over important employee details and can ensure new starters are given access to the documents they need to complete their job. This is a fairly easy task when monitoring internal and existing employees; however, it becomes significantly more difficult when it comes to third-party identities like freelancers.

Most non-employee entities work for an organization for shorter periods of time, meaning their details aren’t always captured in organizational HR systems, nor are they stored on a business’s database alongside full-time employees. Integrating these employees into HR systems can be a challenge due to compliance and security issues and it can also be costly for organizations to purchase specialized HR tools that can handle freelancers' unique requirements efficiently.

On top of this, many freelancers, contractors or temporary workers are brought into a business with urgency to plug resource gaps and tap skills in high demand, meaning the integration of non-employees into the workforce is rushed at times. This results in loose processes within access management and inadequately managed access permissions that can leave insider threats unnoticed.

This is particularly dangerous in critical sectors like the healthcare industry, where contract workers are increasingly common and frequently tapped to plug resource gaps. Yet rushing to provide access can leave entry points open for cyber attackers to exploit confidential information. To overcome this complex web of access management, HR must be integrated into the process and made aware of the risks third parties could pose if they aren’t monitored properly. Cue: identity security.

How HR and IT can work together to strengthen security

One of the key risks associated with non-employee labor is the potential for unauthorized access to sensitive data and systems. With a larger pool of individuals requiring access to an organization's resources, the likelihood of compromised access credentials increases, creating potential entry points for cybercriminals seeking to exploit vulnerabilities in a company's security infrastructure. To better address these challenges, HR and IT need to work together to have better visibility over the identities in their system, to grant or limit access as necessary.

More than 30% of identities in an organization are not properly covered by identity solutions, with particular gaps around third-party identities. In prioritizing identity security, HR teams should have clear processes and communicate with IT, sharing the details of the non-employee identities in the business. Then, IT can implement more stringent access controls to reduce the risk of unauthorized access - granting access permissions to contract workers on a “need-to-know” basis only. In other words, only allowing access to the necessary applications and data at the right time — nothing more, nothing less.

Furthermore, HR and IT departments should have automated processes in place to regularly monitor and review access privileges, while also conducting thorough due diligence. For example, HR teams should assess the cybersecurity practices of contract workers and third-party service providers before granting access to their systems. With additional background checks, security clearances, or certifications as part of the due diligence process, organizations can better protect themselves against breaches.

Strengthening businesses’ defense arsenal with AI/ML

In today’s growing digital environment, organizations face the uphill task of managing significant growth, with 13% more identities over the next 3–5 years, whether those are employees, third parties or contractors. This means manual identity management methods alone won’t be enough.

To tackle this identity explosion, organizations will need more intelligent means of managing identities, such as leveraging an AI and machine-learning (ML) identity security solution for advanced threat detection. With AI and ML capabilities at the core of an identity security solution, organizations can analyze vast amounts of data to detect patterns indicative of potential threats. Such solutions enable the intelligent automation of access permissions to ensure that contract workers only have access to the resources they require for their current roles. This technology can also help support HR teams by reducing the manual labor required to remove access privileges promptly when no longer needed, such as when a contract ends, or a worker's role changes. This consequently enables businesses to respond more quickly and effectively to emerging risks, helping to prevent data breaches and other security incidents.

In navigating the complex web of non-employee access management, HR teams have a crucial role to play in helping IT teams identify the identities living inside an organization and therefore manage and remove their access accordingly. Moving forward, it will only be through incorporating advanced, intelligent identity management and threat detection capabilities, while continuously monitoring access activities, that organizations will be future-ready.

Therefore, businesses that are well-equipped for the threats that come with an evolving workforce will truly be able to build an organization that is future-proof in all aspects - with the right employee and non-employee resources for new challenges, and sufficient security defenses to safeguard their success.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.

Steve Bradford is SailPoint's Senior Vice President, EMEA, where he is responsible for driving consistent growth across the company's EMEA business.