If you’re not accustomed to thinking of data security as an HR issue, it’s time to think again. While it’s tempting to consider data security as the sole purview of your organization’s IT department, the fact is that data security is not only about technology, it’s also about people. And it’s precisely this human element that tends to be the weakest link in cases of data breaches.
Despite significant advancements in domains such as information security research and cyber detection tools, human error continues to play a major role in situations where sensitive data is compromised. Employees routinely put organizations’ data at risk—intentionally or unintentionally—by failing to comply with data protection policies: this might involve actions such as regularly forgetting to change a password, losing a device that contains sensitive information, using unsecured channels, bringing blacklisted applications into work, or performing work tasks on public networks. And these aren’t just occasional oversights. According to the Verizon 2016 Data Breach Investigations Report, a remarkable 63% of confirmed data breaches involved the use of weak, default, or stolen passwords.
It’s particularly important for organizations to do all that they can to prevent data breaches given that the stakes are so high. A 2017 study sponsored by IBM estimates that, on average, the total organizational cost of a data breach for a US company is a staggering $7.35 million. Furthermore, there are other costs associated with data breaches that are harder to quantify, but no less devastating, such as the damage to a business’ reputation. A 2015 global survey conducted by Gemalto revealed that nearly 64% of consumers worldwide would likely discontinue doing business with an organization that had experienced a breach involving the loss of financial information.
So what is the role of HR in all this? Essentially, it’s up to HR to handle the “human element” by championing data security to employees and company personnel across the board. Through proper planning and attention, HR can work to make data security a key part of a company’s culture, encouraging employees to buy into the security process from their first day on the job. In addition, HR can work behind the scenes to help develop and implement data security policies that are effective and easy to understand and follow. As outlined in a recent article from the Society for Human Resource Management, some of the actions that HR can take to lead the way when it comes to organizational data security include the following:
Knowing Who Is Hired
The first step in keeping personally identifiable information or other sensitive data safe is staying on top of the people who will have access to it. This means thoroughly vetting all candidates for jobs that involve the routine handling of sensitive information, such as positions in payroll or finance. HR is perfectly positioned to carry out this task.
Keeping Track of Equipment
A surprising number of data breaches arise from problems with physical equipment: that is, the loss or theft of company devices that contain confidential information. In order to avoid this, it’s essential that HR keep proper records of what equipment employees are given. During the onboarding process, a checklist should be created that details all of the equipment and devices that each employee receives. The list should be regularly reviewed and consulted when an employee leaves a company in order to ensure that all equipment is returned.
Training Employees to Recognize Issues
Some situations that can lead to data breaches—such as sophisticated phishing scams that take the form of e-mails which appear to have come from someone in the company—are not always easy for employees to recognize. HR can help to mitigate this by leading training and awareness-building exercises on topics such as how to identify scams and what to do if a scam is suspected.
Encouraging Employees to Speak Up
When a data breach or attempted breach occurs, employees may be tempted to ignore or try to conceal it, particularly if they feel they are at fault. However, it’s vital that employees understand how important it is to speak up. Situations can often be addressed in a timely manner if they are raised immediately. In addition, early detection can help employers to fulfill particular obligations, such as providing certain notices that are mandatory in cases where data may have been compromised.
Crafting Comprehensive BYOD Policies
If companies allow employees to use their own devices at work—an increasingly popular phenomenon known as Bring Your Own Device (BYOD)—it’s essential that comprehensive policies are in place to protect sensitive information. In order to achieve this, HR can team up with other relevant departments to craft clear and precise language around steps that can be taken if a device is lost or stolen, and what can happen if an employee leaves the company. It’s also vital to ensure that policies are in place that allow for a device to be remotely wiped in case of an emergency.