Alvin Mills
VP of Information, Technology & Security

The role of HR in cybersecurity

Make cybersecurity training a part of the onboarding process and include an annual review of key policies.

“You never get a second chance to make a first impression” is a phrase you can use in so many different situations, but none are as important as a new employee’s first communication or meeting with their potential new place of work. Creating a cybersecurity culture is everyone’s responsibility, but someone from HR is usually the first to promote it. Additionally, HR professionals handle a lot of sensitive business data, such as employees’ personal information, salary details and even protected health care information. HR professionals are some of the most targeted people in an organization because of the data they maintain.

You cannot protect it if you do not know where it is.

Take an inventory of your data. Meet with your IT or security team to get an understanding of where your most sensitive data is located. Is it on SharePoint or a network share? Is it on your computer? Who else has access to it? If you outsource HR functions to a third party, how do they protect employee records?

Understanding the laws, regulations and technology

I’m not saying HR professionals must be technical, but they need to understand how technology can protect employees and the company.

Ask yourself the following questions:

  • Do you understand how to encrypt the data and the purpose of encryption?
  • What are the laws and regulations around sensitive data, specifically employee records?
  • How long should you keep the data? If there is no legal requirement to keep it, consider deleting it, including the paper copy. If you do need to keep it and it is on paper, consider creating a digital copy and shredding the paper version.

When I was at the bank, we had a corporate shred day, and HR usually led the way with the most paper to shred. HR also encouraged employees to bring in their personal data to the shred day.

“Taking this approach requires HR professionals to go beyond knowing employment laws or understanding the cybersecurity focus of most IT professionals. Viewing data privacy and compliance through the lens of relevant laws and regulations will help inform HR professionals on where HR data should be kept and how best to store and protect it,” said John Rhoades, Managing Director at Insperity.

Cybersecurity education for employees

I can always tell a strong cybersecurity organization by looking at its training programs. For information security to be effective, there needs to be a continuous training process. Every organization needs to train its employees in cybersecurity regularly. This ensures that employees recognize cybersecurity as a standard business practice and stick to the company’s best practices.

I don’t understand why employees become immune to the same old awareness training coming from the security person. But for some reason, if it comes from HR they are more apt to read it or respond to it. Make cybersecurity training a part of the onboarding process and include an annual review of key policies, such as the acceptable use policy or the information security policy.

Change the culture

Back to where we started. HR plays a major role in defining and/or changing the cybersecurity culture. Despite the escalated rate and severity of cyberattacks, leaders at most companies have not changed their approach to cybersecurity in the past few years to adapt to the increasingly challenging environment. (West Monroe, 2019)

A strong cybersecurity culture across the organization is achieved by action on many fronts: people, process, technology and third parties. Many groups, including HR, need to be engaged. Culture is people and process.

How often have you heard that humans are the weakest link? If you’ve done well with your security awareness programs, maybe it’s time for a different approach, perhaps investing more in cybersecurity education.

HR is — or should be — the lead communicator in an organization. It’s their specialty, so why not have them develop a cybersecurity education program? This should go beyond “don’t click on that link” or “don’t open that attachment.” HR professionals don’t have to be technical; they just need to understand how the technology works. They need to understand how threat actors prey on our human weaknesses. This can only be achieved through consistent cybersecurity education and communication.

www.texasbankers.com/tbisao