Three Big Cyber Security Priorities for HR in 2021
It is often said that people are the weakest link in cyber security. As such, cyber security should really be a collaborative effort between IT and HR.
The IT provider or department’s job is to deliver the right technology, tools, and ongoing cyber security management. However, without employee buy-in and the full co-operation of the workforce, any cyber security strategy is doomed to failure. HR should work with IT to define the right internal policies, training programs, cultural programming, and enforcement mechanisms to help organizations build a culture of security.
There are three main areas where the HR department can make the biggest impact in 2021:
1. Acceptable Use Policy
An acceptable use policy (AUP) is a written document which details the do’s and don’ts for the proper use of technology in the workplace. While it is pretty easy to find a simple template online for an AUP, this is an area where it pays big dividends to customize the language to the needs of your organization.
At a basic level, an AUP should define the proper use of company-owned computers, mobile devices, software, systems, and infrastructure by employees. There are lots of obvious elements of a good policy. First, the overall spirit of an AUP should clarify that company technology should only be used for company business and nothing more. The policy should prohibit obviously inappropriate content and behaviors, such as accessing pornography or gambling sites or engaging in any kind of online illegal activity using company technology.
There are other areas which are more subtle, and grey areas can be dangerous. Therefore, your organization should put a stake in the ground by defining the proper use of many different categories of web content, such as social media sites like Facebook and Twitter, streaming media sites such as YouTube, and personal email services, such as Gmail.
Importantly, the AUP should stress that employees have zero expectation of privacy when using company systems and technology. Email systems and web browsing should be monitored and proactively managed by organizations. It is far better to define strict policies and block access to inappropriate content by default, than it is to merely trust.
Companies can also take a more restrictive approach and embrace policies that only allow access to sites, software, tools, and systems that are necessary for an employee to perform their job. It is safest to start with narrow parameters and only open up access to additional content, software and systems, when an employee actually needs access for their day to day work.
Another area to consider is the proper access and use of customer or employee personally identifiable information (PII). In many roles, employees have access to large volumes of private and sensitive information. Proper rules and regulations should be in place to govern the access, use, transmission or disclosure of PII. The worst-case scenario is employee theft of this information. More commonly, however, employee carelessness with PII can lead to big security breaches or mass disclosure of sensitive information. An AUP should cover all these scenarios.
Lastly, the HR team should work with legal counsel to ensure that the company’s AUP conforms to all relevant local, state, and federal laws, along with any specific industry regulations such as HIPAA, GLBA, or PCI-DSS.
2. Password Policies, Defined and Enforced
Password breaches are one of the most common ways organizations become compromised. While most people pay lip service to good password habits, the reality is far different. In study after study, researchers have discovered that even well-trained employees habitually cut corners and slip into bad habits, such as using weak passwords or re-using passwords across multiple accounts and systems.
In concert with IT, HR needs to take the lead in defining password policies, documenting the policies thoroughly in the AUP, training employees effectively, and enforcing their use. There should also be real consequences for employees who cut corners or violate company password policies.
Password policies should incorporate best practices, such as the use of long passphrases and regular password reset cycles, while prohibiting the reuse of passwords across systems, accounts, and services. Even better, HR and IT should collaborate towards making strong cyber security simple and easy for the workforce. Companies can dramatically improve employee habits by implementing tools such as password managers, multi-factor authentication, and single sign-on tools.
At an enforcement level, there are other simple and important steps. Passwords should be prohibited from being written down in notebooks or in other obvious locations, such as on Post-it Notes on monitors, desks or under keyboards. Password best practices should be a central part of an organization’s cyber security awareness training program. Savvy HR leaders can also raise the bar on employee education by leveraging high quality, third-party cyber security awareness programs.
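To show what "defined and enforced" looks like in practice, here is an added example (not code from the original post or from Protek) of a small policy checker that rejects a new password when it is too short to be a passphrase, when it appears on a weak-password list, or when it matches one of the user's previous passwords. The minimum length, the history depth, the PBKDF2 work factor and the deny-list contents are all assumptions chosen for the example; the post itself states no numbers. Previous passwords are kept only as salted hashes, so the reuse check never needs the old plaintext.

```python
"""Password-policy checker: minimum passphrase length, weak-password deny-list,
and no reuse against a per-user history of salted PBKDF2 hashes.
The policy values below are assumptions for this example, not from the post."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_PASSPHRASE_LENGTH = 16   # assumed minimum; the post only says "long passphrases"
HISTORY_DEPTH = 10           # assumed number of previous passwords remembered
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored history hashes

# Constructed sample deny-list standing in for a real weak/breached-password list.
WEAK_PASSWORDS = {"password", "password123", "qwerty123456", "letmein2021"}

History = List[Tuple[bytes, bytes]]  # list of (salt, digest) pairs


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def was_used_before(password: str, history: History) -> bool:
    """True if the candidate re-derives to any stored (salt, digest) pair."""
    for salt, stored in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            return True
    return False


def check_policy(password: str, history: History) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    violations = []
    if len(password) < MIN_PASSPHRASE_LENGTH:
        violations.append("too_short")
    if password.lower() in WEAK_PASSWORDS:
        violations.append("weak_common")
    if was_used_before(password, history):
        violations.append("reused")
    return violations


def record_password(password: str, history: History) -> History:
    """Append the accepted password's hash and keep only the last HISTORY_DEPTH entries."""
    updated = history + [hash_password(password)]
    return updated[-HISTORY_DEPTH:]


if __name__ == "__main__":
    history: History = []
    first = "correct horse battery staple"   # constructed sample passphrase
    print(check_policy(first, history))          # []
    history = record_password(first, history)
    print(check_policy(first, history))          # ['reused']
    print(check_policy("password123", history))  # ['too_short', 'weak_common']
```

Because the check returns the list of broken rules rather than a bare yes/no, the same function can drive both the user-facing error message and the audit record HR and IT keep for the enforcement steps described in this section.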
3. Accountability, Enforcement, and Discipline
HR is essential in helping to create a culture of security. HR naturally needs the support of senior leadership to succeed. Sadly, in many organizations, sound cyber security best practices can be undermined when exceptions are made for senior leadership or executives. When there are different sets of rules for leadership vs. rank and file employees, it is a recipe for disaster. Top management needs to lead by example and be the standard-bearers for many of the best practices explored in this post.
Next, beyond training, HR should work to create a culture where employees are celebrated for embracing cyber security best practices. Whenever possible, there should be a culture of continuous improvement and learning. New threats are emerging all the time. Organizations and their people need to push the envelope on ongoing training and education. Moreover, when employees spot potential risks – be it a phishing email or an un-badged visitor in the office – they should be encouraged to ask questions, talk to their manager, or report the incident. Too often, people are afraid to report things, and these situations can become massive missed opportunities to stop a cyber incident in its tracks.
Lastly, HR should have a process to warn, admonish, document or discipline employees who fail to follow company policies and procedures. There are often many teachable moments, when employees make small or careless mistakes. As long as those issues are addressed, corrected, and documented, people usually keep moving in the right direction. In other cases though, scofflaws or negligent staff should be severely disciplined and in some cases terminated if they fail to follow the rules.
Protek welcomes inquiries from HR teams looking to take their approach to cyber security to new levels in 2021.