In today's world of digital transformation, mobile business, interconnectivity, and remote workforces, there's one word that must be top of mind for any organization: Security. Especially when employees and proprietary business data begin to mix.
I'm not just talking about malicious hackers or ransomware attacks, either. Here's the thing, and it's something that we tend to forget as we go about our busy workdays. Employees are prone to human error. They're human beings, not machines, after all. Also, with the mainstreaming of BYOD (bring your own device) policies, the window for error widens every day. The average company already uses more than 20 Software as a Service applications, including Asana, Dropbox, Skype, Basecamp, and a slew of other cloud-based apps.
All of those apps require passwords, and guess what? The recent Verizon 2016 Data Breach Investigations Report found that 63 percent of confirmed data breaches happen because of the use of "weak, default or stolen passwords." That's a scary statistic, no matter how large or small your business is.
The report also cited other "employee driven" security mistakes, including sending sensitive information to the wrong person, not disposing of company information correctly, misconfiguration of IT systems, and lost and stolen laptops and mobile devices.
Data Security: What HR Professionals Need to Know
Data security requires ongoing vigilance. Taking active steps to help your teams keep sensitive information safe and secure is vital. Let's take a look at a few of the most important ones.
The first and most important thing HR departments can do when it comes to cyber security is to be proactive rather than reactive. Technology (and the potential for breaches) has entered every facet of business today. It's not enough to rely on your IT departments to make sure staff are educated about data loss and how to prevent it. You must provide training to educate your employees about their roles in keeping data safe. They need to know what the security protocols are, how to develop and use strong passwords and what to do if they suspect trouble or have misplaced a device that they also use for business.
Here's the thing: people tend to take the easy way out. "Many workers see a trade-off between efficiency and data security, and when forced, they're choosing efficiency over security," according to a post by the leading LegalTech and Business of Law blog LawInsider. In fact, in a recent survey, 15 percent of Millennials, 13 percent of Gen Xers, and 13 percent of Boomers said they were "very likely" to find ways around restrictive security controls, reported LawInsider. Your employees may not understand how important it is to follow security measures or how dangerous it is to use the same password for multiple sites. They may not even know what constitutes a strong password or how to create one.
The threats are real. And as LawInsider states, HR "...plays a critical role in helping manage and train this fast-changing workforce--especially when it comes to data security." So, we must do what we do best as human resources professionals, and that's to manage.
So where do you start? Begin by incorporating data security (and other "digital security") training into your onboarding and staffing processes. Keep yourselves and your employees educated and up-to-date about changes in technology and the latest cyber scams. With all of the personal information they handle every day, it's imperative that human resources employees and team members are on top of data security.
Quick Tips for Data Security
Aside from the training and educating that we as HR professionals must bring to the table, there are other ways companies can get ahead of the game when it comes to data security.
Perform a risk assessment. Knowing exactly where your weaknesses are, and which assets are most valuable to you, is an essential step towards enhancing cyber security. Why? Because you can then modify your training programs to ensure the right lessons get to the right people. Don't assume everyone in your company needs the same "cyber-education."
Break down silos. Work closely with your IT and marketing departments (as well as others) to ensure you know exactly where security gaps may lie. Some folks balk at training, shrug it off, or feel they're too busy to take part. Being able to communicate with people you know, personally, will go a long way to getting teams on board, and making your education efforts successful.
Emphasize and encourage accountability. It's one thing to work proactively to train staffers on the perils of data security breaches or lapses in company data safety; it's quite another to ensure they can take accountability for any lapses they notice. Make sure they have the tools and instructions they need for "next steps." Develop a reporting system, perhaps an internal communication stream where employees can share information or warn others about the latest phishing scam. Another trait most of us humans share? We love rewards! Create a contest where you award a small prize or some other type of benefit (Friday afternoon off, anyone?) for the top "Security Sleuth" of the month.
As I mentioned above, the goal here for all of us is to be proactive rather than reactive when it comes to data security. People are fallible, and mistakes will happen. But setting up policies and practices to reduce their frequency (and their gravity) will help your company today, and in the future, as the threat of data breaches and other security issues continues to grow.
What do you think? Have you had a security breach in your organization? Do you have any tips you could add? I would love to hear your thoughts.