As part of our “security takes a village” theme, we are exploring how stakeholders other than dedicated cybersecurity or IT teams can take part in the protection of your organization. Today our own HR Manager Alyssa Miller looks at the cybersecurity challenges facing HR, the ways HR stakeholders can help protect the entire organization, and the implications for small to medium-sized businesses of involving HR at the highest level.
I’m the Human Resources Manager for ActZero Networks, so I have a unique perspective on this topic – a healthy mix of cybersecurity awareness and the general responsibilities, challenges, and goals within my department. Typically, people in HR are quite sensitive to privacy, since we deal with personal information and have conversations in strict confidence. So, what can we do to help secure our department and our company as a whole? Ultimately, leading by example, collaborating with others, and being an ally for those more traditional security stakeholders can help. I will show my peers how we help just by doing our jobs well, and our IT and Leadership readers the opportunities to contribute!
No Stranger to Sensitive Information
HR has access to some of the most personal and sensitive data within an organization! You hold personally identifiable information (from email addresses to Social Insurance Numbers), not to mention employment contracts and payroll/banking information, all attractive to hackers or disgruntled insiders. Other information is particularly sensitive to employees, such as personal details about their health, disciplinary actions taken against them, complaints made against or by them, and the results of their police checks. Plus, you have a lot of it; you capture information about all past, present, and future employees!
This makes HR a target for people trying to access or manipulate information, but also the perfect choice to help secure it! For example, I recently received an email that appeared to be from my boss asking me to change his bank account details for payroll. Luckily, I knew enough about social engineering-based attacks to question its validity right away. Staying informed so that you can recognize an attack early on helps, but there are other things HR is already doing. For readers in Leadership, Ops, or IT, look at these as opportunities to align them with the ways you are mitigating cyber-risk in the rest of the organization.
What You’re Doing Already
The HR team does a lot of things that can contribute to the security of your company, and with good reason: information security impacts your processes before, during, and after a person works for you. Beyond the steps you’ve taken to achieve a security-conscious work culture, there are things you can do at each of those stages.
Hiring: You don’t need to be hiring for a security role to impact security. The people you hire influence the security of their teams across your company. Remember, a security-conscious work culture can help mitigate the risk of a breach. Evaluating applicants’ security-consciousness is difficult; fortunately, you already have a framework for assessing those tough-to-measure requirements: situation-based questions. The downside to situation-based questions is that it can be hard to tell whether someone is being genuine. If you don’t know how to assess how security-conscious an applicant is, engage your IT team to get their input on what they do to be security conscious and create some interview questions based on their feedback.
How often you ask those questions, and to whom, is up to you. Consider starting this for roles that will interact with sensitive data. Security folks are always saying that people are the weakest link. Giving preference to security-conscious candidates will be easier than hiring dedicated cybersecurity personnel, which is especially tough right now.
Policy Creation, Communication, and Enforcement: This isn’t something that needs to happen on your own – Leadership and IT (and OD and Compliance teams if you have them) should collaborate on policy creation. Remember, you’ve also got friends in marketing who can help communicate the policies. And, while you can’t be the enforcer every minute of the day, you can equip your people managers to know how to enforce the policies and to recognize when they aren’t being adhered to.
Onboarding: Once an employee is hired, onboarding is a great chance to communicate and emphasize such policies. By showing new hires that your company takes security practices seriously, you can help keep users compliant. It’s also a good opportunity for staff to ask questions about what is acceptable (and what’s not). Remind them you are there to listen, freeing staff to report issues, suggest improvements, or call out attacks/suspicious emails. Quick reminders at staff meetings or company-wide memos can help keep these policies top of mind. Or, use your rewards and recognition program to encourage security-conscious behaviour every day.
(Refresher) Trainings: Adding the responsibilities of Organizational Development (OD, typically responsible for training, certifying, and growing your people) will be tough to accommodate for the many-hatted HR Generalist. Engage your IT team to help build a training program that you can implement, and make participation mandatory for the whole organization. You are better suited to creating and delivering training that people will remember and adhere to than your IT team is, and they will thank you for your help.
Exit Processes: When people leave, the risk of sensitive information leaving with them is high. Put processes in place so that when a person leaves or is asked to leave, you are protected. Your friends in IT can help you remove access to systems and devices, but you should ensure that there’s a policy driving it, that the processes exist, and that it’s clear when they start and how quickly they should be finished. Facilities, IT, and Leadership should help with the policy – even just knowing when somebody is leaving can be a challenge if there isn’t a clear process for people managers to communicate it. Make sure it accounts for cloud-based systems that aren’t managed by IT, too. A checklist that outlines the exit process and the team members responsible for each item on the list is a great way to ensure nothing is forgotten.
As you can see, practices that shape culture and promote education, awareness, and leading by example are great ways to help keep your organization secure, because they have downstream impact across the business. HR has opportunities before, during, and after a person is hired to help do so. So, while HR may not be actively stopping threats (like ActZero Threat Hunters do), we are a great ally to have and a collaborator with the other parts of the security village! Leaders, make sure you are including HR in the conversation. And, if you want to take your security to the next level, reach out to ActZero to talk to one of our experts, or schedule a Demo of our service today!