When it comes to cybersecurity, in many businesses the IT team is left to make sure the technical solutions are in place to safeguard systems, which in turn protects data, maintains business continuity and preserves a trusted reputation with customers.
But human error or manipulation can undo much of that hard work in a single click; 90%* of all cyber-incidents are caused by human error. It is worth noting that in the past year cyber criminals have taken advantage of the disruption to normal patterns of working to significantly increase targeted attacks on home workers. Despite this, businesses have been slow to create a cybersecurity culture that empowers employees to become protectors rather than victims.
This is where HR professionals are ideally placed to work alongside IT to drive better cybersecurity across the organisation. You have probably already got a number of security policies in place, but now is the time to review them (particularly if you have a large number of people now working from home) and to look at the other ways you can make your employees your best defence rather than your weakest link:
1. Team work makes the dream work
In this day and age, cyber security should be part of everyone’s job – part of your culture at work. HR, and other departments, must work closely with the IT team to create a holistic and regularly reviewed organisational approach to cybersecurity.
So what does this mean practically? Ideally, you will have in place a framework that joins up the technology, policy and procedural elements and clearly sets out the roles and responsibilities expected of each department.
2. Learn the basics
Whilst the technical side of cybersecurity is absolutely IT’s remit, HR professionals should have a good grasp of the basics and how they apply to your organisation. This doesn’t just support the work you do on policies and procedures for good security: as a department that is highly targeted by cyber criminals because of its access to personal and confidential information, it also helps you protect your own data better.
This doesn’t have to be an onerous task. A good place to pick up the key principles is the Government’s Cyber Essentials guide, where the most relevant element for HR is user access management and permissions.
3. Policies and procedures
You’ve probably got a number of policies already in place, but when was the last time you reviewed them? Cybersecurity threats change all the time and technology is constantly adapting to mitigate risk, and so should your policies.
Your business’s policies and procedures will be specific to your situation; you may simply want to meet your legal obligations, or you might be aiming for a recognised standard such as ISO/IEC 27001:2013 or Cyber Essentials.
- User access control policy
Details the appropriate access rights to be granted as part of the onboarding process, how these are reviewed during the employee’s time in the organisation (including when they change roles), and the process for immediate revocation of access rights on leaving or termination.
It’s not unknown for a disgruntled employee to cause a cybersecurity incident whilst they still have access to your systems and data, so an agreed process between IT and HR is essential.
- Password controls
If you’ve not already got something in place that dictates password length and the inclusion of numbers and special characters, this is a quick win.
- Remote working policy
Remote working requires a clear policy on the security measures that protect information accessed, processed or stored outside the office. Have you considered the risk of unintentional data breaches from other people in shared residences? What about people taking calls in public places?
It should also cover whether using personal devices to access information is allowed and, if it is, how security is managed. This should be discussed with IT colleagues to decide on the best approach. A device management tool can vastly improve the amount of control your business has over where and how business information is accessed.
- Social media
Cyber criminals are experts at using social media to glean bits of information about the individuals they are targeting, making their communications far more believable and easier to fall for. There’s also the risk that employees accidentally share confidential information, so your policy should set out clearly both the risks and the consequences.
4. Involve me and I learn - Staff training
HR professionals understand the importance of training particularly when it comes to safety and security; well-trained employees will safeguard your company by reducing security incidents, improving uptime and efficiency across your organisation.
All staff should have some type of cybersecurity training that covers security and data protection rules and current policies. HR should also work with IT to identify the specific level of cyber threat that different roles and levels of seniority face, and make sure their training addresses it. Note that business directors have specific responsibilities and liabilities when it comes to cyber security, with regulators holding directors accountable for breaches.
The risk to the business from attacks targeted at employees in general is increasing, and this includes very well-researched attacks aimed at individuals who are authorised to access confidential information or bank accounts. It is therefore vital that employees can identify common types of attack, particularly those that have risen during the pandemic (phishing, ransomware), and know what actions they need to take.
Just like other training, learning cybersecurity skills is less effective if courses are lengthy, technical and uninspiring. Security awareness training should be continuous, with a clear programme structure and smaller step-by-step lessons that stimulate the necessary behaviour and motivate your employees to detect and report real attacks. The famous quote from Benjamin Franklin always sums it up well: ‘Tell me and I forget. Teach me and I remember. Involve me and I learn.’
Giving your employees the freedom to perform in this way will have widespread benefits for your business.
5. Put monitoring in place
Breach detection generally falls within IT’s remit, but it’s important for HR to be informed when employees fail to follow agreed procedures so that these failures can be dealt with appropriately. Your systems cannot be watertight unless human error or malpractice is tackled with HR’s input.
This might seem like a lot to tackle, but remember that you don’t need to do it all at once. Taking a step-by-step approach will improve your security as you go.
One of the bigger potential challenges is ensuring that cybersecurity training is fit for purpose, regularly updated and actually undertaken by staff, without placing an additional burden on your existing resources. The answer could be Kaspersky automated cybersecurity awareness training.
*Kaspersky analysis of ICO data breach data