I am pleased to share my latest article for SHRM regarding the role of HR in cyber security.
Cyber security is a significant concern for businesses, and it is only going to get bigger.
In 2016, many companies of all sizes were affected by cyber attacks from outsiders.
But some cyber security breaches are inside jobs. Sometimes they are deliberate. Other times, the breach is due to human error. Either way, these attacks can have disastrous effects.
The National Cyber Security Alliance, a Washington, D.C.-based think tank, reports that a data breach can shutter a small business. And a survey by Russian cybersecurity company Kaspersky Lab, 2016 Corporate IT Security Risks, found that a single attack can cost small and medium businesses an average of up to $99,000 in damage.
The practice of cybersecurity carries with it legal and reputational implications. So the question becomes: Who owns these responsibilities?
I bristle at the notion that a single function “owns” an issue, because employees in other functions may then conclude, by negative implication, that they do not need to do anything. In this case, while IT plays a central role, ownership of cybersecurity must extend beyond IT to include HR, among other departments.
Let’s divide HR’s role into five categories.
HR as the Problem
Sometimes in HR we feel like we are the policy or procedure police. Well, sometimes we are the culprit, too. As you well know, HR has access to highly sensitive information, including employees’ Social Security numbers and some medical information. HR needs to evaluate whether the background check procedure for those seeking positions in the HR department is robust enough. In some organizations, criminal record and credit checks are done for some employees in finance and IT but not for employees in HR. HR needs to consider this gap.
HR may want to consider including in the employee handbook or other policies a summary, developed with IT, of do’s and don’ts relative to cyber security. This is not in lieu of but in addition to mandatory employee training. Here is but one example: Employees must report immediately the loss of any device, including a mobile phone, that contains their employer’s confidential information. Immediate reporting and rapid wiping can mitigate the risk materially.
HR and Employee Training
As noted, employee training is essential. IT can develop the training program, but HR plays a key role, too. For example, HR can listen to the proposed program and make sure it works for the intended audience. Simply telling employees not to fall for phishing schemes is meaningless unless you define phishing and give concrete examples.
HR and a Rapid Response Plan
In the event there is evidence that someone is appropriating confidential information, HR needs to be prepared to work with IT in questioning the employee and taking corrective action as appropriate. These are not IT investigations alone. IT should not be expected to have the expertise necessary to handle employee rights issues in the context of these investigations.
HR and a Business Continuity Plan
If there is a cyber attack or an internal breach, whether deliberate or the result of carelessness, the company is going to need to move quickly in response. How will the organization work if its systems are shut down? When must employees be paid if they cannot work? Legally, what notification requirements exist if certain employee information (or that of patients or customers) has been exposed? As with any other crisis, whether it be a weather disaster, an incident of violence or a pandemic, the role of HR in the business continuity plan should not be underestimated.