Channel: iTWire - Business IT - Networking, Open Source, Security & Tech News

Fortifying the human firewall: How HiBob tackles insider threats through employee training and security measures


GUEST OPINION: These days, cyber attacks seem to make the headlines almost daily. Many businesses hear about the latest massive company data breach or state-sponsored hack and think "Whew, glad that wasn't us." What they hear far less about are the threats coming from inside their own organizations. In fact, insider threats, whether intentional or unintentional, pose huge risks that can't be ignored.

HiBob, one of the market-leading HRIS software companies, houses tens of thousands of extremely sensitive customer records. It has access to employee records, payroll information, personal contact details...everything you can imagine around employee data. Of course, this makes insider threats a pretty big deal for the company. If someone makes a mistake or has malicious intent, it could be disastrous, both from a regulatory standpoint and in terms of customer trust and industry reputation.

So let's talk about what an insider threat actually is, why they matter so much, and the ways HiBob combats them to keep customer data ultra-secure…

Employees are Critical Assets...and Risks

HiBob’s workforce enables the company to deliver cutting-edge products and serve customers around the world. Without its people, it couldn’t perform even a tiny percentage of what it does. Yet, at the same time, people also introduce vulnerabilities that hackers look to exploit. Through phishing, misconfigured access rights, or even simple errors, employees can expose data even at the most rigorously security-focused companies.

Look at the 2019 Capital One breach. A former AWS engineer used her insider knowledge to bypass firewalls and access 100 million customer records. This is still one of the largest data breaches of all time.

However, insider threats are not always intentional. We all make mistakes, after all. An engineer could accidentally upload API keys to GitHub, or a salesperson could click the wrong link and install malware. Regardless of motive, employees and contractors represent a significant cyber risk if security practices aren't ingrained into operations.

How HiBob Trains Employees to be Human Firewalls

To prevent a HiBob data breach, the HR provider makes its employees the first and last line of defense against vulnerabilities. This starts with training, training and more training.

Secure Code Training

Annually, HiBob engineers undergo intensive secure coding training on risks such as SQL injection and cross-site scripting. Knowing modern threats helps them review code through a cybersecurity lens before releasing anything. The training dives into the OWASP Top 10 security risks so that each engineer can develop and maintain code with current best practices in mind.

Onboarding Security Training

Upon hiring, all employees attend security awareness training covering phishing, social engineering, data policies, and so on. It's not the most exciting orientation activity, but this establishes security as a priority from day one. Engineers receive additional technical sessions too, so they understand exactly how to secure infrastructure, apps, and code.

Annual Security Refreshers

Training doesn't stop after orientation. Every employee completes annual refresher courses to stay razor-focused on security. It's like going to the gym: you have to keep working those cybersecurity muscles so threats don't catch you slipping. Alongside continual training, security teams distribute tips through monthly emails and presentations to surround employees with security awareness.

You may ask, doesn't all this training get in the way of real work? Of course, there's a balance to strike. But for a company like HiBob, where data security is mission critical, security should never take a backseat, especially given the amount of sensitive customer information running through its servers. A little extra training is a small price to pay for keeping that data locked down tight.

Layered Controls For Defense in Depth

In addition to employee training, HiBob implements strict organizational controls aligned with industry standards:

Reference Checks and Confidentiality Agreements

For starters, every candidate who receives a job offer must pass extensive background and reference checks. Even marketing and admin roles undergo scrutiny, not just engineers touching sensitive systems. Confidentiality agreements then legally bind employees to handle data properly.

Logical Access Controls

Within the HiBob production environment, access follows a tightly controlled approval process. Cybersecurity teams audit and manage access continuously. Anyone who interacts with customer data must authenticate using multiple factors.

And it's not just blanket production access. Inside applications and systems, HiBob uses role-based access controls to restrict data to only what is needed for a given role. For example, a software developer can't peek at payroll records; their access is strictly limited to the systems relevant to their work.

Through these layered technical and policy controls, the HR software provider minimizes its reliance on any one employee "doing the right thing" security-wise. It's about instituting barriers that make breaches extremely difficult in the first place, in both intentional and accidental scenarios.

Final Word

For most companies, it’s vital to remember that cybersecurity starts from within, long before any hacker starts poking at your firewall. Employees will always represent risk, but there are ways to minimize that through robust insider threat controls along with consistent employee training and awareness programmes. After all, vigilant internal security means more energy focused on serving customers instead of chasing down breaches.
