When you think about your cybersecurity strategy, it is easy to leave out the human element, even though in many cases it is the most critical component that you must get right in order to truly secure your organization.
This is particularly important as more than one-quarter (31.5 percent) of data breaches are attributable to malicious insiders and 23.5 percent are due to insider errors or non-adherence to processes and policies, leading to inadvertent data breaches or disclosures, according to the recent IBM 2015 Cybersecurity Intelligence Index.
Let’s explore 5 ways human resources are critical to the protection of company data, and how the companies with the strongest cybersecurity mitigation plans involve HR from the beginning.
- Cybersecurity Onboarding and Training
A recent IBM report found that 57 percent of Chief Human Resource Officers have rolled out cybersecurity training for employees.
Training and education is critical in mitigating cybersecurity incidents, and it should happen during new employee on-boarding.
From the first days of joining an organization, employees should learn the company’s expectation around protection of confidential information and critical infrastructure, preferably in a one-on-one conversation with a member of management, according to a report by Inside Counsel.
The on-boarding must include: in-depth explanations of any policies governing employee’s access to confidential information, any monitoring or other policies that could implicate an employee’s privacy, and a screening process to ensure no new hire has brought any confidential information from another company.
- Policy Enforcement
During the on-boarding process it is also important for human resources to clarify any disciplinary actions for employees that fail to comply with company policies around cybersecurity, and how they are enforced, up to and included termination, according to IBM’s Securing the C-Suite report.
Part of enforcing policies is monitoring, and employers should follow a “trust but verify” approach whereby they actively monitor both the systems and employees that exhibit certain insider threat characteristics, within the legal parameters of the country in which they operate, Inside Counsel said.
Managers should be able to identify disgruntled employees and assess the level of risk associated with the employee’s access to confidential information and critical infrastructure, according to the report.
- Incentivising Compliance
In many cases, data security incidents caused by insiders are perpetrated for financial or personal gain.
“It is imperative that compensation policies and benefit arrangements reinforce and incentivize compliance with cybersecurity procedures and, where possible, provide sanctions for breach,” according to Inside Counsel. “At a minimum, the relevant documents should restrict insiders, to the extent permissible, from claiming compensation and benefits following a breach of their cybersecurity and confidentiality obligations to the company, and, where appropriate, provide for clawbacks of compensation and benefits previously paid.”
- Protecting Sensitive Employee Data
This may seem like a no-brainer but it is important: HR must own the governance of protecting employee’s sensitive information, and the business process of using and maintaining that data, IBM said in its new report on security in the C-suite.
Part of this is becoming more involved in cybersecurity threat management activities as 60 percent of the Chief Human Resource Officer (CHRO), CFOs and CMOs feel the least engaged in these activities, yet are the stewards of data most targeted by cybercriminals.
- Off-boarding Employees
Just as onboarding is a critical process for ensuring cybersecurity compliance, employers need to develop policies and procedures for off-boarding that aim to minimize the risk of data leakage.
When an employee resigns, the employer may decide to remove or limit access to confidential information. If an employee is fired, the employer may decide to reduce employee’s access before or simultaneous with notifying the employee of the dismissal. Of course, it is important to comply with employment agreements and laws.
Inside Counsel also recommends conducting exit interviews with departing employees, which may help employers in “deterring wrongdoing and identifying problem employees.”