Bill Carey: HR’s role in enforcing good workplace cyber security practices


Cybercrime is a growing concern for companies of all sizes, with hacking and data breaches now a common occurrence in the business world.

The severity of individual cyber-attacks varies greatly, but the impact on business is almost always damaging. First there is the wasted time and financial cost that results from an incident such as this, with normal business suspended until the situation can be resolved. Then there is the need for businesses to redouble their security efforts to ensure that there are no more points of vulnerability in their IT network.

But potentially even more harmful is the damage to an organisation’s credibility. If a company gains a reputation for being unable to store its customers’ information securely, the campaign to win back consumer trust becomes enormously difficult.

HR professionals have a critical role to play in building their business's defences against an attack. The HR department tends to deal primarily with policy development and implementation, so putting in place and enforcing an effective cyber security policy can and should be an important extension of its existing function.

Understanding vulnerabilities

The first step in responding to the growing prospect of cyber-attack is having an understanding of the types of threats that your company could face. In this new era of cybercrime, key vulnerabilities for businesses lie primarily in three places: the “bring your own device” (BYOD) trend, cloud computing, and weak passwords.

In the case of BYOD, the rapidly growing trend of employees using personal devices for business purposes, there is a worrying possibility of company cyber security policies being undermined.

Many managers are keen to capitalise on the increased productivity and operational agility that BYOD can bring to their business. But it is also a key area of vulnerability for businesses, as employees are in charge of keeping software up-to-date and using effective security practices.

This makes it especially difficult for companies to maintain any substantial level of oversight. If your employees use their own smartphones and tablets to access company IT systems, it is important to make sure that they do so in a secure manner.

Cloud computing is another consideration for HR professionals when developing their company cyber security policy.

Small companies are increasingly looking to adopt cloud computing, as it can help them to scale up quickly while at the same time save on infrastructure costs. While cloud computing doesn’t come with inherent danger, as with any shift in business technology, moving to the cloud creates new vulnerabilities for companies to bear in mind.

Ultimately, the best way to address the potential complications that cloud computing can bring is simply to ensure that your cloud provider is reliable and safe, and make sure that applications are as secure as they can be.

Passwords, meanwhile, remain the most important line of defence against hackers, as well as the most vulnerable point of entry into a company’s computer system.

Weak passwords, like those containing dictionary words and all lowercase letters, can be breached in a matter of minutes. The best way to pre-empt this threat is for businesses to train their employees on how to create strong passwords, and encourage them to change passwords regularly.

A password management tool can also help to maintain a secure IT network, by creating and changing employees’ passwords automatically.

Establishing good cyber security practice right from the start

Making cyber security part of your induction or on-boarding for staff can prove extremely beneficial in combatting vulnerabilities and encouraging responsible behaviour right from the start.

Effective cyber security training should teach employees how to create strong passwords, avoid phishing or keylogger scams, and ensure that their personal devices are protected against malware and viruses if they are going to be used in a business context.

Once your staff have received the appropriate level of training, the next step is to ensure that they are held accountable.

An effective approach is to produce a written cyber security policy manual, and ask your employees to sign a document confirming that they have read it, and will abide by its guidelines for company-owned equipment, as well as personal devices that are used for work.

This step will indicate that you take cyber security seriously, as well as emphasising that you expect staff to follow company policies on cyber security both on their home and work devices. As long as staff have been adequately trained and educated in your organisation’s cyber security policy, they should have no complaints about this request.

Bringing employees with you

While individual departments within the business may come up with their own versions of security policies, HR is in the privileged position of being able to centralise the company’s approach and apply it consistently. This allows a company to improve its risk management strategy, and deal with threats more effectively.

Ultimately, though, a cyber security policy is only as good as the number of employees who truly buy into the idea, and work to put it into practice. For policies to be effective, it is important that leaders of departments understand how important it is to gain employee buy-in.

Arguably HR’s most important role is to encourage executives to champion cyber security and model good behaviour for employees. This concept of leading by example will hopefully result in a positive change in employee mindsets.

Experience shows that developing an effective cyber security policy, training staff in that policy and holding them accountable can be highly effective in the fight against cybercrime. HR professionals can add value by making sure that this happens – protecting data, devices and their company’s reputation.

One Comment

  1. Very good read. I always believe that HRM was more responsible for enforcing secure password policies than the system administrators, although the sys-admins should define the policies and HR implement them.