Nearly 25% of organizations have incurred expenses to address a breach during the pandemic.
Since 2003, our nation has observed National Cybersecurity Awareness Month each October. Well, most of our nation, that is. For HR professionals, October represents the start of the busy annual enrollment season, leaving little time or energy for anything else.
That’s why, here at Businessolver, we emphasize the importance of good cybersecurity practices each September. With that in mind, we’ll be publishing several blogs related to cybersecurity this month.
And in 2020, there’s no better time to become the cybersecurity champion your organization needs. With so many employees working from home, the risk of a security breach is higher than ever. In fact, that’s exactly what a recent report found. According to Enduring from Home: COVID-19’s Impact on Business Security, 24% of surveyed IT professionals said they had paid unexpected expenses specifically to address a cybersecurity breach or malware attack following shelter-in-place orders.
It’s not surprising. Even before the pandemic, headlines about a company being hacked were commonplace. Social Security numbers are stolen. Credit card accounts are hacked. Customer and employee information is compromised. The headlines reporting security attacks are so commonplace, you almost begin to wonder what you’ll do when, not if, it happens to your organization.
Fortunately, HR professionals are in a unique position to prevent cyberattacks and security breaches. By working with your IT department and senior leaders, HR professionals like you can help keep your organization safe from some of the most dangerous criminals out there. All it takes is a commitment to building a culture where cybersecurity is a natural part of everything you do.
Building a Cybersecure Workforce
As an HR professional, you know that one of your organization’s greatest assets is your people. That’s why your role is so important when it comes to protecting your organization against cyber threats. As a recruiter, educator, and culture creator, you are uniquely qualified to help your IT team develop a “human firewall” to keep the bad guys at bay. Like a technical firewall that blocks unauthorized access to your data from external hackers through email filtering, gateways, antivirus software, and other tools, your human firewall introduces a layer of security for which humans are uniquely qualified. It’s all about being watchful and taking appropriate action to prevent and respond to threats.
Just as your employees are among your organization’s greatest assets, certain individuals also represent your greatest threats. Without a well-trained human firewall in place—one in which every “brick” is equally strong—your entire organization can be compromised by the simple click of a mouse. All it takes is one employee clicking, downloading, or sending the wrong thing to the wrong person, and you’ve become a security breach headline.
Most of the time, the actions that lead to employee-based breaches are unintentional. Like all “accidents,” however, they can be prevented by following some basic strategies. Here are three of the most important.
Train Early and Often
Off-the-shelf cybersecurity training modules are a great place to start. Look for one that addresses the unique security threats your company faces. A trucking company will have different needs than a hospital. After you have identified the most appropriate curriculum, find a way to introduce it during new employee orientation.
Most importantly, reinforce the teaching points or expand upon them periodically. Cyberattacks have no season. Regular reinforcement will help you develop a sustainable cybersecure culture that is on-call 365 days a year.
As you execute on your training plan, make sure to get feedback from leaders to determine whether staff have internalized the practices you’ve advocated. Ask them, for example, how often the issue of security is raised when employees are speaking with one another. If your teaching points appear regularly and in the context of protecting the company, keep doing what you’re doing. If not, consider increasing the frequency of your educational efforts or look for more impactful teaching methods. Remember, culture is not created overnight.
Training employees and providing them with realistic opportunities to practice their skills can build habits that last a lifetime. But those strategies take time. The bad guys move at a much faster pace, making a strong case for non-negotiable cybersecurity policies.
Some tasks can be hard-wired into certain applications. Individual employees should, for example, get periodic prompts to change their password or be prevented from accessing certain applications until they complete a multifactor authentication process (e.g., physically entering a code delivered through a secondary medium such as text messaging).
At the programmatic level, however, policies are sometimes misinterpreted or reprioritized. A manager may forget to demand periodic audits from their vendor or update their technology for storing data. As an HR professional, part of your job is to ensure that all policies are followed, whether they impact 100% or 1% of your employees. Remember, a cybersecure workforce is only as strong as its weakest link.
Screen Your Employees
Background checks are now considered a standard part of the pre-employment process. Some companies, such as Businessolver, conduct background checks on every employee annually. Regardless of how often you screen your employees, find a vendor that suits your unique business needs. Find out their level of flexibility and whether they have a menu of services that allow you to select the right level of screening for each job description.
Also consider how connected the vendor is in terms of their established integrations with critical information sources, including those outside the U.S. Data privacy should be on your checklist too, as should the vendor’s ability to integrate with your existing HR systems.
For 12 more tips like these, download our guide, How to Avoid Becoming a Security Breach Headline.