IT And HR Must Work Together To Improve Security

I am pleased to share my latest article for SHRM regarding the role of HR in cyber security.

Cyber security is a significant concern for businesses, and it is only going to get bigger.

In 2016, many companies of all sizes were affected by cyber attacks from outsiders.

But some cyber security breaches are inside jobs. Sometimes they are deliberate. Other times, the breach is due to human error. Either way, these attacks can have disastrous effects.

The National Cyber Security Alliance, a Washington, D.C.-based think tank, reports that a data breach can shutter a small business. And a survey by Russian cybersecurity company Kaspersky Lab, 2016 Corporate IT Security Risks, found that the average damage from a single attack can cost small and medium businesses up to $99,000.

The practice of cybersecurity carries with it legal and reputational implications. So the question becomes: Who owns these responsibilities?

However, I bristle at the notion that a single function "owns" an issue because then employees in other functions may believe by negative implication that they do not need to do anything. In this case, while IT plays a central role, ownership of cybersecurity must go beyond IT and include HR, among other departments.

Let's divide HR's role into five categories.

HR as the Problem

Sometimes in HR we feel like we are the policy or procedure police. Well, sometimes we are the culprit, too. As you well know, HR has access to highly sensitive information, including employees' Social Security numbers and some medical information. HR needs to evaluate whether the background check procedure for those seeking positions in the HR department is robust enough. In some organizations, criminal record and credit checks are done for some employees in finance and IT but not for employees in HR. HR needs to consider this gap.

HR Policies

HR may want to consider including in the employee handbook or other policies a summary, developed with IT, of do's and don'ts relative to cyber security. This is not in lieu of but in addition to mandatory employee training. Here is but one example: Employees must report immediately the loss of any device, including a mobile phone, that contains...
