You may think that cyber security is something for your IT department to manage. If you work in Human Resources, you need to think again. Because cyber security is very much your responsibility.
No, I am not saying you need to go around seeing if your organisation has installed the latest firewall or if all your Internet of Things ports have been secured.
What you do need to do though, is to check whether your colleagues across the organisation are cyber safe.
That’s because only around one third of data breaches are caused by malicious outsiders. The rest are caused by insiders, your colleagues: acting foolishly, carelessly, and yes sometimes maliciously.
What can go wrong? A lot of things. Personal information about customers is leaked because a laptop gets left in a taxi. An email leads to an unintentional contract variation. A social media posts leads to a libel suits. An unwary worker shares their log-in details, leading to data theft.
So what should you be doing?
Start with strategy
A good place to start is strategy. Most organisations have some understanding of cyber risk. But often they focus on protecting corporate networks from external risks such as hackers. What is your organisation’s cyber security strategy? Does it include sufficient analysis of internal “human” risks? If it doesn’t then you need to work with the Information Security team to identify and manage these human risks.
Develop practical policies
Developing appropriate policies to help manage cyber security and spell out the “rules” is important. You are likely to need policies in several areas: web and computer use, data privacy, social media use at work, a “Bring your own device” policy to manage personal phones and tablets, and even policies about the software and cloud services that people are allowed to use.
Writing these policies should not be a “tick box” exercise. They need to make sense: they should be easy to understand by everyone in the organisation; and they need to benefit your organisation. They shouldn’t simply be designed to make the IT department’s life easier. Sure, pouring digital super-glue into all the USB ports would stop people uploading corporate data to insecure USB sticks, but it might not improve business efficiency. HR executives, with a feel for wider business needs, as well as an understanding of what will motivate or demotivate employees, are an essential part of any cyber policy development process.
Training: tell people how they should behave
The next step is training. Training is essential because without it most people won’t know how to act in a cyber safe manner.
You might as well accept that almost no one is going to read your policies. So you will have to tell everybody about them, face to face. And it won’t be enough to read out a list of rules and corresponding sanctions for disobedience. Apart from putting everyone’s backs up, people will generally ignore rules if they don’t know why they are in place. You will need to explain what the rules mean, why keeping to them is important, and quite possibly when they can be ignored (and when they can’t).
You will need to train the way people think too. This isn’t just about describing dangers: it’s about how people interact safely with colleagues, with suppliers and customers, and with people outside the organisation. It’s not about following rigid processes: it’s about understanding how to avoid risk in the first place. For instance you can’t tell people the precise information to avoid sharing on social media. But you can help them understand what types of information they shouldn’t share and how competitors can draw conclusions from seemingly innocent pieces of data.
Build continued awareness
Don’t think a one-off (or even annual) training session will cut it though. You need to keep awareness of cyber safe behaviour at the front of people’s minds. This means developing assets designed to deliver continued awareness of cyber risks – posters (that change design and location regularly), screen savers, sign in messages, even mouse mats and mugs.
Develop a cyber secure culture
An even more important issue for HR to address is culture. An organisation that doesn’t take cyber security seriously is unlikely to be changed by training and awareness. HR may need to address underlying cultural assumptions.
Start by auditing the security culture. Do this from the perspective of employees: what cyber risks do they know of; what do they think of existing security processes; to what extent do they feel security is their responsibility? And do it from the perspective of the organisation: how are employees expected to behave; what sort of resources are provided for security; is dangerous behaviour stopped, tolerated – or not even noticed.
Once you know what needs to change, you can start thinking about how to do that. Build persuasion tools, such as leader boards of cyber-safe behaviour; incentivise safe behaviour with praise or other rewards – and make sure it is not disincentivised accidentally; ensure that leaders walk the cyber security walk; develop an intolerance to unsafe behaviour. (“Why are you putting my job at risk by doing that?”)
But don’t develop a blame culture. That way you will just drive unsafe behaviour underground.
Encourage people to be less trusting
Sadly, one element of culture you will need to work on is trust. People are often very trusting and this can be a problem for cyber security. They need to be taught to question: emails don’t always come from the people they appear to, friendly people on the phone aren’t always who they say they are, confident people striding round the office without a visitor’s badge don’t necessarily have the right to be there. Defending against people who take advantage of trust doesn’t need complex software: it needs awareness, sometimes combined with robust processes.
Make sure cyber security is usable
HR teams also need to work on the usability of any security processes.
By their nature most IT people are very logical. In addition they understand the purpose of systems they are developing. And of course they are focussed on their responsibility to protect IT systems.
In HR you are also focussed on cyber security. But you may have a wider view of the organisation. Almost certainly you understand what motivates people. You understand how people perform their tasks. And you probably provide a receptive ear to frustrated colleagues. In fact you are probably going to be one of the first people to hear about cyber security initiatives that are counter productive – because they cause blocks in efficiency. And you may even hear how people would like to alter them.
All this means that you are in pole position to identify usability problems, to construct the analysis that proves (to sceptical colleagues in IT) problems exist and to make the case for change.
Monitor “off network” activities
Not everything that should concern your organisation will be happening within your corporate network. You colleagues, almost inevitably, will be using social media. And many will be commenting on colleagues, clients, your organisation and your industry. In addition they may be using cloud computing services such as Drop Box and Google Docs to store, edit and share corporate information. This type of activity needs to be managed, to preserve information security and to protect reputation.
When recruiting, watch out for people who may not be cyber secure. Anyone who comes from a competitor boasting they can bring a list of clients on a disk may well be less than trustworthy. You might also need to think twice about people whose social media posts are irresponsible – perhaps complaining about their current employers or giving information away about new initiatives.
Keep an eye on risky people
Some people will be higher risks than others. Sometimes this will be a result of personality. For instance sales people are likely to me more open, and possibly more trusting, than finance people. But that’s not where the real risk lies. The people you will need to monitor most closely are those who feel disengaged from your organisation. These may include temporary staff, new recruits during a probation period, people on low pay or in boring jobs, people who have handed their notice in, and people who are having difficulties at work, perhaps experiencing disciplinary procedures.
Yes, cyber security really is an issue for HR
Human Resources managers may not be particularly focussed on technology. But they have a responsibility to learn about cyber security because the role that HR can play in preserving security is an enormous one. In other words, if your HR and IT departments are not working closely together on cyber security you are opening your organisation up to some major and unnecessary risks.