HR teams have access to more critical data than ever before, but an alarming number of employees show a distinct lack of awareness when it comes to protecting that information.
Digital transformation is affecting every area of business today, enabling more modern ways of working, with more employees than ever working flexibly or remotely, and powering an increase in IoT technology use.
Although these are exciting developments for the world of work, they come with significant cybersecurity risks.
Advances in technology have expanded the attack surface substantially, rendering organisations more vulnerable.
Cybercriminals are now aware of the rich pool of data HR teams deal with on a daily basis, meaning they have already started to become a common and high-value target for phishing attacks, according to FBI research.
As such, HR departments must ensure that they comply with security guidelines to protect business data and avoid every business‘ nightmare – a data breach.
Screening securely
Job adverts in newspapers are dying out and becoming a less popular way to promote job openings.
Organisations today increasingly rely on digital means to share recruitment news across various websites and social media channels.
Candidates often respond by completing online assessments and sending CVs via email, which contain sensitive personal information.
It’s common for HR departments to also use online portals to filter CVs and screen candidates as well.
With so much information moving from place to place, organisations need to carefully consider the security processes they have in place.
3 billion records were put at risk by ‘inadvertent insiders’, with 70% of all lost data due to misconfigured cloud storage servers, databases, network, and backup gear.
Recruitment teams must remember that even if their internal IT systems have robust cybersecurity protocols in place, the third-party online portals and tools may not.
For example, if emails are sent in plain text without encryption, it can be easier for data to be accessed by hackers, particularly when stored in insecure, cloud-based job portals.
The risks or consequences of hackers gaining access to candidates‘ data may not be immediately clear, but the reputation of an organisation that is unable to protect the data that it has been trusted with, is unlikely to be positive.
This is especially important for potential employees who may be worried about their current employers discovering they are seeking employment elsewhere.
As such, HR professionals must work closely with IT departments to ensure a comprehensive architecture is in place to block access to information systems from unauthorised users and keep precious information on candidates secure.
If a high level of security cannot be guarenteed by a third party, that provider is best avoided.
Malicious attacks versus simple mistakes
Malicious attacks from third parties aren’t the only risk that businesses need to be aware of, as accidental data breaches or leaks involving unwitting employees are also on the rise.
According to Gallup’s State of the Global Workforce report, a mere 15% of workers worldwide claim to be actively engaged in their jobs.
Disengaged staff often neglect or misunderstand cybersecurity policies and protocols.
This is supported by IBM’s 2018 X-Force Threat Intelligence report, which concluded that unwitting employee negligence accounted for two thirds of all records compromised in 2017.
With cybersecurity threatening all areas of the business today, it’s no longer enough to rely on the IT department to prevent and clean up data breaches.
In other words, 3 billion records were put at risk by ‘inadvertent insiders’, with 70% of all lost data due to misconfigured cloud storage servers, databases, network, and backup gear.
With more organisations investing in third party platforms to drive workplace efficiencies, security teams need to ensure these do not inadvertantly create risks.
From the introduction of an unprotected IoT device to the business network, to clicking on a cunningly disguised phishing link, hackers are constantly trying to find new ways to trick innocent employees through social engineering attacks into giving them access to corporate networks.
To avoid such significant risks and potentially damaging consequences, businesses need to get better at leading by example and supporting awareness-raising programmes that offer the appropriate employee security training to all departments on a regular basis, including HR teams.
Whose responsibility is it anyway?
With cybersecurity threatening all areas of the business today, it’s no longer enough to rely on the IT department to prevent and clean up data breaches.
HR managers should play a leading role when it comes to promoting the correct security practices by working closely with IT and other departments.
Collaborating with these teams will help to identify potential vulnerabilities and ensure the training in place is up to date, and able to tackle the latest risks.
Organisations must also engage all employees on the role they play in data security protocols.
Data security today affects every employee, but for a department handling such sensitive and personal information, HR teams especially need to understand its value, sensitivity and vulnerability to third party attacks.
Complacent employees can be extremely detrimental to the cybersecurity of an organisation, so the HR function can help identify employees who reluctantly participate in training and are resistant to learning, as well as those who are up-to-date with security knowledge.
HR teams have a vital part to play in ensuring all employees are engaged, that they have bought into the importance of securing the business’s IT infrastructures and that they understand the consequences of not complying with security protocols.
Regular updates, mandatory compliance sessions, and best practice courses can help build a better security culture and remove the stigma of security training.
Trust is good, control is better
In addition to training, other HR processes related to IT security should also be considered.
HR teams need to ask themselves, how likely are new candidates to share information with competitors or old colleagues?
Do employees monitor who is sending them emails before opening them?
Do they alert IT teams when they receive messages from unusual email addresses?
Do employees know to only click on links from trusted sources?
HR departments can also make IT security a part of the interview process, questioning candidates about any previous training or experiences of breaches in past roles and what that taught them.
Data security today affects every employee, but for a department handling such sensitive and personal information, HR teams especially need to understand its value, sensitivity and vulnerability to third party attacks.
The HR function must be proactive in creating and implementing policies, processes and training to educate and prevent security issues, making sure the data they are responsible for, is protected and safe from threats – both external and internal.
Interested in this topic? Read How to manage the skills gap in a cybersecurity minefield.
