Cyber Attack Prevention: 5 Tips for HR Professionals

Cybersecurity isn’t an abstract problem floating around out there somewhere on the internet. It’s a people problem, which means it’s an HR problem.

Human resources departments collect and house some of the most highly sensitive data on company networks. 

While other departments focus on customer data, product info, and other sensitive intellectual property, human resources manages critical employee data. 

This data includes workers’ personal information, salary details, and more, which, if leaked, can cause major legal, financial, and reputational damage to the larger organization and to the employees themselves (for example, through identity theft).

In this day and age, as attacks on employee data and HR departments continue to increase, it’s essential that HR departments become the gold standard in risk management and cybersecurity at their organizations. 

It’s time for Human Resources and IT security departments to join forces to create and clarify cybersecurity policies, best practices, and response programs so that HR can implement and uphold risk management policies to their fullest extent within their own department. 

Not only will this kind of partnership better protect the employee and company data housed by HR, but it will also set a positive example for risk management that influences other departments to follow suit. 

The Cybersecurity Conduit 

But leading by example isn’t enough.

Earlier in this series, we covered how internal threats, the business threats posed by employees knowingly and unknowingly, are the primary cybersecurity threats for businesses everywhere. In fact, 60% of cybersecurity attacks are carried out by insiders.

That’s why it’s key for organizations to take a proactive approach to risk management–to create a culture of cybersecurity that detects threats during the hiring process and continually updates employees on information security policies and best practices throughout their tenure. 

According to Robert Chavez, SHRM’s senior IT security specialist, “effective information security must be emphasized as a standard business practice, well-integrated throughout the organization and reinforced in an ongoing security program that is kept relevant, engaging and fresh.” 

And what better department to take that on than HR, a department that has an organically formed, direct line of communication with employees starting as early as recruitment? A department dedicated to the well-being of your employees and your company.

For HR, it’s not only about partnering up with IT to demonstrate best practices for risk management within the departments; it’s about becoming an effective liaison between the cybersecurity experts (IT) and the rest of the organization.

HR should function as the conduit between the IT security department and staff–clarifying policy, providing resources to employees, and working behind the scenes to recognize and anticipate the potential information security issues that arise in every company. 

Read on to find out how HR can do just that and, ultimately, reduce the risk of cyberattacks. 

Reduce the Risk of Cyber Attacks  

Human resources should take a proactive approach to create a culture of cybersecurity at any organization through continuous education, information sharing, and enforcement of cybersecurity policies. Here’s how. 

1. Increase Data IQ

HR professionals must improve their information security skills and continually expand their knowledge of risk management. That means regularly collaborating with and learning from IT specialists to better understand the technology implications of their own work, so they can better protect the company’s larger IT estate.

HR leaders should make continuous learning around cybersecurity a requirement for all the HR professionals on their team.

2. Document Everything

It’s on IT experts to establish protocols and procedures around cybersecurity, but it’s on HR to share that information in a way that’s digestible for the rest of the organization.

Human Resources should document all information security best practices, policies, and procedures and make them easily accessible to all employees. That way, there’s one source of truth that employees can refer back to when they’re not sure what to do–and there are clearly defined rules when an employee needs to be held accountable.

3. Focus on Onboarding

Onboarding is the perfect time to teach strong password practices, WiFi security precautions, safe email habits, and more. During this time, HR professionals are already gathering personal data and sharing other sensitive information around payroll, benefits, and performance, making it a natural place to cover information security best practices.

Onboarding is also a great time for HR professionals to put their own cybersecurity skills into action. It’s a time for the department to share its suite of clear documentation around information security policies and a time to set up, and communicate, access restrictions: Who has the authority to assign passwords? Who can see financial information? Who can see employee data?

4. Encourage Employees to Share Concerns

Ensure that employees feel comfortable reporting security suspicions, including potentially suspicious behavior conducted by direct reports, coworkers, and managers. Consider creating a place for anonymous tips and train managers to check in with direct reports on a regular basis to discuss cybersecurity concerns.

Plus, be sure to set the tone from day one that employees will be celebrated for reporting suspicious activity on their own accounts–not punished (assuming they had nothing to do with it).

5. Offboard Effectively

Employees come and go on a regular basis. When an employee leaves, regardless of the terms of separation, it’s on HR to ensure they don’t walk out with credentials that allow them to continue to access valuable data.

HR departments should work closely with IT to determine what needs to be collected and restricted on an employee’s final day. This list can include deactivating accounts, removing access to all company networks, changing passwords on shared accounts, collecting company-issued devices, and more. Then, it’s on HR to determine the best way to carry out an offboarding process that includes these changes.

********************************

Discover more tips for risk management and hone your cybersecurity skills tomorrow as America Back to Work: Expert Interview Series returns. 

Learn from Dr. Shaun McAlmont, President & CEO of NINJIO (an industry-leading cybersecurity awareness training platform), and discover how to spot and stop threats before they impact your business. 

America Back to Work features weekly blogs and interviews with industry professionals, and together, we’re dreaming up a future where companies are thriving, employees enjoy their jobs, and America is back to work. 
