Interviews

HR, IT and identity security

by Mark Rowe

IT and HR can form a strategic alliance to strengthen enterprise security, writes Steve Bradford, Senior Vice President EMEA at the cyber firm SailPoint.

In business, organisations of all sizes are made up of a whirlwind of identities including those we often call non-employee identities. Whether that be contractors, temporary workers or freelancers, nearly half of modern enterprises are now comprised of non-employee identities.

Having a range of different identities within a workforce can bring huge benefits – not only helping to fill labour shortages quickly, but also enabling businesses to access specialised skills and expertise where needed. However, an increased reliance on third-party labour also brings new security challenges and risks.

Businesses must keep a close eye on who is moving in and out of their internal systems or risk the wrong identities creeping in unnoticed. And who better to partner with security teams on the oversight of this process than HR teams, who have extensive knowledge on workers, temporary and permanent.

HR is crucial to the access process, yet three-quarters (76pc) of UK organisations are yet to integrate HR into their identity security strategy, according to our research. There is huge opportunity for HR to work more closely with IT and security teams to help safeguard the security frontier. Let’s look at how organisations can make this happen.

HR at the forefront

HR teams play a vital frontline role in monitoring the identities inside an organisation due to their oversight on people. Whether that’s throughout the hiring process or the exiting process, HR teams should know who is joining, moving and leaving the company.

HR teams are often responsible for onboarding employee information into internal HR systems. By doing this, they have visibility over important employee details and can ensure new identities are given access to the applications and data needed to complete their job. This can be a fairly straightforward task when monitoring full-time internal employees, but this job becomes significantly more complex when it comes to third-party identities like freelancers.

Most non-employee entities work for an organisation for shorter periods of time, and their details aren’t always captured in organisational HR systems, nor are they stored on a business’s database alongside full-time employees. Integrating these employees into HR systems can be a challenge due to compliance and security issues and it can also be costly for organisations to purchase specialised HR tools that can handle freelancers’ unique requirements efficiently.

On top of this, many freelancers, contractors or temporary workers are brought into a business with urgency to plug resource gaps and tap skills in high demand, and as a result the integration of non-employees into the workforce is rushed at times. This often results in over-provisioning and inadequately managed access permissions that can leave insider threats unnoticed. In a recent study, we found that half (51pc) of company executives shared inappropriate access with non-employees, and 16 per cent reported they didn’t know. More than half (54pc) revealed that this resulted in severe security issues such as loss of control of resources, data loss, compromised intellectual property, direct security breaches, and more.

Rushing to provide access can leave entry points open for cyber attackers to exploit confidential information. To overcome this complex web of access management, HR must be integrated into the process and made aware of the risks third parties could pose if they aren’t monitored properly. Cue: identity security.

Combining to protect the perimeter

One of the key risks associated with non-employee labour is the potential for unauthorised access to sensitive data and systems. With a larger pool of individuals requiring access to an organisation’s resources, the likelihood of compromised access credentials increases, creating potential entry points for cybercriminals seeking to exploit vulnerabilities in a company’s security infrastructure. To better address these challenges, HR and IT need to work together to have better visibility over the identities in their system, to grant or limit access as necessary.

Our research found that more than 30pc of identities in an organisation are not properly covered by identity solutions, with particular gaps around third-party identities. In prioritising identity security, HR teams should have clear processes and communicate with IT, sharing the details of the non-employee identities in the business. Then, IT can implement more stringent access controls to reduce the risk of unauthorised access – granting access permissions to contract workers on a “need-to-know” basis only. In other words, only allowing access to the necessary applications and data at exactly the right time — nothing more, nothing less.

Furthermore, HR and IT departments should have automated processes in place to regularly audit and review access privileges, while also conducting thorough due diligence. For example, HR teams should assess the cybersecurity practices of contract workers and third-party service providers before granting access to their systems. With additional background checks, security clearances, or certifications as part of the due diligence process, organisations can better protect themselves against breaches.

Defence barriers

In today’s growing digital environment, organisations face the uphill task of managing a significant growth of 13 per cent more identities over the next three to five years, whether that’s employees, third parties or contractors. This means manual identity management methods alone won’t be enough.

To tackle this identity explosion, organisations will need more automated and intelligent means of managing identities, such as leveraging an AI and machine learning (ML) identity security solution for advanced threat detection. With AI and ML capabilities at the core of an identity security solution, organisations can analyse vast amounts of data to detect patterns indicative of potential threats. Such solutions enable the intelligent automation of access permissions to ensure that contract workers only have access to the resources they require for their current roles. This technology can also help support HR teams by reducing the manual labour required to remove access privileges promptly when no longer needed, such as when a contract ends, or a worker’s role changes. This consequently enables businesses to respond more quickly and effectively to emerging risks, helping to prevent data breaches and other security incidents.

When it comes to protecting the ever-changing flow of identities, HR plays a vital frontline role – working closely with IT teams to navigate, grant, and remove identity access accordingly.

As we enter a new year, AI-enabled identity security will be key to aiding this cross collaboration between teams, and ensuring that businesses are well-equipped for threats that come from an evolving workforce. Doing so will enable businesses to focus on the business benefits of this, while safeguarding their success in 2024 and beyond.


© 2024 Professional Security Magazine. All rights reserved.
