IT and HR Must Work Together to Improve Security
Posted 01.23.17
Jonathan A. Segal
Partner

I am pleased to share my latest article for SHRM regarding the role of HR in cyber security.

Cyber security is a significant concern for businesses, and it is only going to get bigger.

In 2016, many companies of all sizes were affected by cyber attacks from outsiders.

But some cyber security breaches are inside jobs. Sometimes they are deliberate. Other times, the breach is due to human error. Either way, these attacks can have disastrous effects.

The National Cyber Security Alliance, a Washington, D.C.-based think tank, reports that a data breach can shutter a small business. And a survey by the Russian cybersecurity company Kaspersky Lab, 2016 Corporate IT Security Risks, found that the damage from a single attack can cost a small or medium-sized business up to $99,000.

The practice of cybersecurity carries with it legal and reputational implications. So the question becomes: Who owns these responsibilities?

However, I bristle at the notion that a single function “owns” an issue because then employees in other functions may believe by negative implication that they do not need to do anything. In this case, while IT plays a central role, ownership of cybersecurity must go beyond IT and include HR, among other departments.

Let’s divide HR’s role into five categories.

HR as the Problem

Sometimes in HR we feel like we are the policy or procedure police. Well, sometimes we are the culprit, too. As you well know, HR has access to highly sensitive information, including employees’ Social Security numbers and some medical information. HR needs to evaluate whether the background check procedure for those seeking positions in the HR department is robust enough. In some organizations, criminal record and credit checks are done for some employees in finance and IT but not for employees in HR. HR needs to consider this gap.

HR Policies

HR may want to consider including in the employee handbook or other policies a summary, developed with IT, of do’s and don’ts relative to cyber security. This is not in lieu of but in addition to mandatory employee training.
Here is but one example: Employees must report immediately the loss of any device, including a mobile phone, that contains their employer’s confidential information. Immediate reporting and rapid wiping can mitigate the risk materially, but only if the device was enrolled in the employer’s device management tooling before it was lost; a policy that requires reporting without a corresponding IT capability to wipe the device will not deliver the protection it promises.

HR and Employee Training

As noted, employee training is essential. IT can develop the training program, but HR plays a key role, too. For example, HR can listen to the proposed program and make sure it works for the intended audience. Simply telling employees not to fall for phishing schemes is meaningless unless you define phishing and give concrete examples.

HR and a Rapid Response Plan

In the event there is evidence that someone is appropriating confidential information, HR needs to be prepared to work with IT in questioning the employee and taking corrective action as appropriate. These are not IT investigations alone. IT should not be expected to have the expertise necessary to handle employee rights issues in the context of these investigations.

HR and a Business Continuity Plan

If there is a cyber attack or an internal breach, whether deliberate or the result of carelessness, the company is going to need to move quickly in response. How will the organization work if its systems are shut down? When must employees be paid if they cannot work? Legally, what notification requirements exist if certain employee information (or that of patients or customers) has been exposed? As with any other crisis, whether it be a weather disaster, an incident of violence or a pandemic, the role of HR in the business continuity plan cannot be overstated.


About Jonathan A. Segal
Jonathan A. Segal is a partner at Duane Morris LLP in the Employment Group. He is also the managing principal of the Duane Morris Institute. The Duane Morris Institute provides training for human resource professionals, in-house counsel, and other leaders at client sites and by way of webinar on myriad employment, leadership, labor, benefits and immigration topics. Jonathan has served intermittently as a consultant to the Federal Judicial Center in Washington, D.C. for more than 20 years, providing training on employment issues to federal judges around the country. Jonathan also has provided training on harassment on behalf of the EEOC, as well as training on diversity to members of the United States intelligence agencies. Jonathan is also frequently a featured speaker at national, state and local human resource, business and legal conferences, including conferences sponsored by the Society for Human Resource Management and the Pennsylvania State Chamber of Business and Industry. Jonathan’s practice focuses on maximizing compliance and minimizing legal risk. Jonathan’s particular areas of emphasis include: equal employment opportunity in general and gender equality in particular; social media; wage and hour; performance management; talent acquisition; harassment prevention and correction; and non-competes and other ways to protect your business. You can find him on Twitter @Jonathan_HR_Law.