
Why CT Business Owners Need to Talk to HR About Cybersecurity

Written by Tom McDonald | Jun 28, 2017 12:00:00 PM

Company data security is not just the responsibility of the IT department. No matter what the size of your CT business, Human Resources needs to stay on top of securing employee and corporate data. Data security isn’t just a technical issue, it’s a people issue, and unsuspecting employees account for most corporate data breaches. In fact, 66 percent of data security professionals point to employees as the weakest link in corporate data security.

It’s HR’s job to educate, monitor, and help manage employee behavior to protect the company’s personnel data and intellectual property.

Unfortunately, employees usually aren’t as worried about data security as they should be. Workers often believe security impedes efficiency, and many employees actively look for security workarounds. A survey by LawInsider shows that 15 percent of Millennial employees and 13 percent each of Gen Xers and Baby Boomers are “very likely” to look for ways to defeat security. There also are a large number of employees who don’t know how to implement security protocols. For example, what is a “strong password” and why wouldn’t you use the same password for all your secure applications?

It’s HR’s responsibility to help train employees and protect employment records. Consider the case of the cyber service company Defense Point Security, which had all of its employees’ W-2 information exposed when an employee fell victim to a phishing attack. Or consider the case of LAZ Parking in Hartford; the company had 14,000 employee records stolen in a phishing scam in which cybercriminals posed as company executives and sent a phony email request.

The laws regarding data breaches also are becoming stricter, and costlier. Connecticut has a new data security law that requires all Connecticut businesses to provide notification of data breaches without delay. The law also stipulates that the company must offer remediation in the form of identity protection services to each party affected for at least 12 months.

Here are some of the basic steps that any HR department needs to consider to protect company data and protect employees:

1. Understand HR’s Role in Data Security

HR needs to work with IT to ensure that company data is protected. This means encrypting employee files and securing personnel records. It’s also up to HR to help manage employee access to company data outside the office. Whether an employee needs remote access depends on their role, and it may be prudent to provide only restricted remote data access. The IT department will implement the controls, but the HR department needs to assess and manage the risk.

2. Assess the Company for Internal Security Threats

Examine the company’s security protocols and determine where there are potential weaknesses. For example, are departments sharing passwords to access company data? Is there a protocol for regularly changing passwords? Is sensitive information properly protected, and are you using appropriate user permissions for access? Make a list and work with IT and senior staff to identify potential flaws.

3. Establish Policies and Procedures

Following your assessment, it will be easier to create security policies and procedures. Considerations should include access to the building, remote data access, bring-your-own-device policies, password protection, access to social media, use of personal email, use of corporate equipment such as laptops, and more. Policies and procedures should be updated periodically to reflect new or changing threats.

4. Train Employees

Employees need to be educated about the nature of cyberthreats in general, and the security protocols for the company in particular. That doesn’t mean the HR department has to do the actual training. It might be wise to enlist a third party whose voice has more authority. Again, work with the IT department to be sure you cover what is appropriate and necessary.

5. Monitor Employee Behavior

Part of HR’s job is enforcing the company’s Code of Conduct, including security procedures. For example, if an employee has repeatedly been disciplined for using Facebook on company time, the behavior needs to be addressed, because social media could be a source of a data breach. The same is true of removing sensitive data from the building via file transfer or on removable drives, or using company laptops inappropriately. A clear set of disciplinary guidelines for infractions should be included as part of the policies and procedures.

6. Create a Data Breach Plan

Every company is vulnerable to some form of cyberattack, so you have to assume that there will be a data breach at some point. Have an action plan in place for recovery from a data breach. The plan should include a procedure to isolate and plug the leak and access to a secure, clean backup copy of all sensitive company data. It also needs to include user notification to comply with state law.

Corporate data security is a complex issue and only one of HR’s many areas of concern. Don’t tackle security issues on your own. Work with the IT professionals in-house and consider hiring a managed service provider with expertise in data security. Third-party service providers like NSI can assist with a security audit and recommendations on where and how to address security weaknesses. We can also provide services such as secure data backup, disaster recovery, and even remote systems monitoring. Remote monitoring can often turn up employee-related security issues long before you would see them yourself.

HR is a valuable resource in protecting the company’s intellectual assets. Be sure your HR team has well-defined security responsibilities, and don’t be afraid to enlist help to make your company data secure. If you take data security seriously, you can minimize the damage when a data breach occurs.