The threat of data breaches, and the rising costs of dealing with the aftermath of security incidents, are pushing security strategies to the top of the corporate agenda and boardroom discussions.
The impact of a breach can be far reaching: from reduction of share values, to lost client contracts and the operational impact of downtime. The average cost of a data breach has risen 29% since 2013, to about $4 million per incident*, and the results on the bottom line can be devastating. As a case in point, TalkTalk reported a more than 50% decline in pre-tax profit after suffering an attack last year.
Whilst cyber security may once have been thought of as the exclusive domain of the IT department, it’s time to enable a more collaborative, cross-departmental approach. The HR department plays a critical role in supporting and reinforcing security strategies. Opening communication channels between HR and IT can make a significant difference to the way in which organisations can identify and manage risks. An organisation’s security posture has to be set at the top level, then implemented through HR and IT working together.
A collaborative approach
Whilst IT is responsible for protecting, controlling and managing sensitive data within an organisation’s network, the ‘human factor’ often represents the weakest link in IT security. Cybercriminals will typically take the easiest route when trying to access a system, which is why hackers continue to target employees with social engineering attacks. It is usually much easier to trick a user than it is to bypass security systems. Organisations need to train employees to be their first line of defence.
HR has a responsibility to properly educate and train employees in security best practice. Luckily, HR can support IT Security strategies in practical ways, which include:
Training and education
HR, in coordination with IT and security teams, should provide regular training for all staff on security risks, how to identify things like phishing emails, and what employees’ responsibilities are in protecting data. The most effective training programmes will be relevant to their department and job roles and will clearly define their responsibilities when it comes to handling sensitive information.
Educating employees on how data can proliferate through an organisation via the careless management of documents, USB storage devices, third-party file shares, etc. is an important example of helpful training that underlines the employee’s role in protecting against data loss. Without this kind of training, sensitive information can leave the organisation simply by accident. For example, it’s all too easy for sensitive data to leave an organisation when it’s embedded in a long email thread, in hidden rows in an Excel spreadsheet, or even in the notes of a PowerPoint presentation.
Training should also cover how employees should report and follow up on a cyber incident, including the lines of communication, processes and protocols to follow.
It’s also important to note that education such as this is a continuous process; training is a first step, but not an end in itself. Ensure that there are tools and processes to keep the message at the top of employees’ minds, whether it’s through emails or newsletters, regular refresher courses or even notices in shared office areas.
Taking control of access rights
The massive growth of data and proliferation of different devices within the workplace poses considerable challenges when it comes to placing controls around, and preventing the spread of, sensitive data. In most organisations data flows freely and is constantly updated, changed and moved.
IT departments are responsible for understanding and managing how this sensitive data travels within an organisation by proactively monitoring and, if necessary, removing sensitive data from unauthorised locations or users. However, HR also plays a critical role in establishing processes to strengthen IT security practices.
Working with IT, HR should establish processes to manage access rights to sensitive data – ensuring that appropriate controls are in place – and prevent employees from accessing data that they don’t need. HR can also support IT in identifying gaps in terms of departments or individuals, like contractors or temporary staff, with permissions that have not been withdrawn or privileges that may need to be re-defined. Together they can implement processes and technology for managing access rights and ensure that these are regularly audited to close any security gaps.
Full co-operation between HR and IT is essential in projects of strategic importance such as IAM (Identity and Access Management) deployments. A lack of internal co-operation here is a common pitfall: it leads to misunderstandings or, at worst, projects can unravel entirely.
Finally, the exit process will always be a critical time with regards to security. HR and IT need to collaborate to ensure proper protocols are followed for everything from returning devices, to closing off access to services, and removing sensitive corporate data that may have been inadvertently left on a device. This is particularly important as the lines between corporate and personal devices are blurring in the BYOD era.
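The access-rights audit and the exit process described above can be operationalised as a joint HR/IT reconciliation: the HR roster (who is still employed, and when a contractor’s engagement ends) is compared against the directory’s account export, and any enabled account that HR no longer justifies is flagged for review. This is an added example, not code from the article; the `HrRecord`/`Account` shapes and all sample users are constructed for illustration.

```python
# Added example, not from the article: reconcile an HR roster with an account export; all data constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence

@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str               # "active" or "left"
    end_date: Optional[date]  # contract end for contractors/temps, None if permanent

@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool

def audit_access(hr: Sequence[HrRecord], accounts: Sequence[Account],
                 today: date) -> Dict[str, List[str]]:
    """Flag enabled accounts whose HR status no longer justifies access."""
    hr_by_id = {r.user_id: r for r in hr}
    findings: Dict[str, List[str]] = {
        "leaver_still_enabled": [],      # exit process did not close the account
        "expired_contract_enabled": [],  # contractor/temp end date has passed
        "orphan_account": [],            # no HR record owns this account
    }
    for acct in accounts:
        if not acct.enabled:
            continue                     # already disabled: nothing to withdraw
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings["orphan_account"].append(acct.user_id)
        elif rec.status == "left":
            findings["leaver_still_enabled"].append(acct.user_id)
        elif rec.end_date is not None and rec.end_date < today:
            findings["expired_contract_enabled"].append(acct.user_id)
    return {k: sorted(v) for k, v in findings.items()}

def run_sample() -> Dict[str, List[str]]:
    """Constructed HR roster and account export for a review dated 2016-06-15."""
    hr = [HrRecord("alice", "active", None),                 # permanent employee
          HrRecord("bob", "left", date(2016, 3, 1)),         # left three months ago
          HrRecord("carol", "active", date(2016, 5, 31)),    # contractor, contract over
          HrRecord("dave", "left", date(2016, 6, 1))]        # leaver, account was closed
    accounts = [Account("alice", True), Account("bob", True), Account("carol", True),
                Account("dave", False), Account("mallory", True)]  # mallory: no HR record
    return audit_access(hr, accounts, date(2016, 6, 15))

if __name__ == "__main__":
    for kind, users in run_sample().items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Run on a schedule and route each finding to the HR owner and the IT administrator, so that the regular audit the text calls for produces a concrete list of accounts to disable or re-approve.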
Involving HR leaders in defining the policies governing the protection of data is of growing importance. From education and training, to involvement in BYOD strategies, a joined-up approach is essential in an era when cyber incidents come with a heavy cost.
*2016 Ponemon Cost of Data Breach Study