When a cyber security crisis ensues, the management often tends to turn its attention to the information technology department, but research by IBM shows that HR does play a key role in securing an organisation’s cyber-space.
This is mainly because, first of all, a fair number of cyber security breaches are inside jobs, according to the IBM 2015 Cyber Security Intelligence Index.
The report found 31.5% of data breaches are attributable to malicious insiders and 23.5% are due to insider errors or non-adherence to processes and policies.
This shows that a lot of the woes in cyber-security can be avoided through proper on-boarding and training – essentially, through proper HR policies.
However, IBM’s Securing the C-Suite report found that only 57% of chief human resource officers globally have rolled out cyber-security training for employees.
Training and education are critical in mitigating cyber security incidents, and they should happen during new employee on-boarding.
The on-boarding must include: in-depth explanations of any policies governing employees’ access to confidential information, any monitoring or other policies that could implicate an employee’s privacy, and a screening process to ensure no new hire has brought any confidential information from another company.
During the on-boarding process, it is also important for human resources to clarify any disciplinary actions for employees who fail to comply with company policies around cyber security, and how they are enforced, up to and including termination, according to the report.
Just as onboarding is a critical process for ensuring cybersecurity compliance, employers need to develop policies and procedures for off-boarding that aim to minimise the risk of data leakage.
When an employee resigns, the employer may decide to remove or limit access to confidential information. If an employee is fired, the employer may decide to reduce the employee’s access before or simultaneously with notifying the employee of the dismissal, while complying with employment agreements and laws.
HR should be aware of the importance of protecting sensitive employee personal information, as it is highly coveted by hackers.
Personal mobile devices with access to corporate systems are proliferating and creating new vulnerabilities.
HR can help establish clear security policies and disciplinary actions for employees. They can help managers to identify disgruntled employees and assess the level of risk associated with the employee’s access to confidential information and critical infrastructure.
HR can also assist stakeholders to establish clear job roles and career paths, then help with the search and screening process, including candidate screening for security risks to defend against inadvertently hiring what might become an “insider” threat.
Additionally, HR should help to evaluate roles for their sensitivity and apply additional scrutiny as needed when hiring into those positions.
In a technology age, cyber security is expected to be a major threat for corporations for years to come, making it an issue that HR should seriously look into.