HR has a huge role to play in the security of your networks

 

Yes, Human Resources.

For all the effort your organisation expends to implement robust IT policies and infrastructure, the biggest threat to an organisation’s safety comes from its people.

Whether through malice, ignorance or human error; the people in your businesses are the most likely factor in enabling threats.

Where there are people, there is HR and your HR team can be your most valuable asset in avoiding breaches.

 

 

Why Do Staff Cause Problems?

It's possible that a rogue employee could target your organisation by deliberately compromising systems or accessing information. This is one aspect of “Social Engineering” which we’ll discuss on another blog, but most employee breaches happen for less dramatic reasons:

  • Employee works on files at the weekend on their home PC. They upload their work via USB stick onto their laptop or desktop, not realising that they’ve transferred malware between the two devices, or that the USB stick itself has been compromised
  • Employee lets their bored child use the laptop or smartphone to play games in the car. Children download apps and games far more readily than any adult, and are more comfortable doing so. Many of the games which children download are, in fact, malware by design and infect your company device with unwanted code
  • Employee is searching for help with a particular problem (e.g. a free "clone" version of an expensive tool such as Photoshop for a presentation). In doing so, they inadvertently download infected code to their machine, or download malware along with the program they wish to use
  • Employee is viewing videos on YouTube or similar. This is probably unwanted behaviour in any circumstances but the possibility of malware being downloaded at the same time is always present.
  • Employee clicks through a link on their Facebook account and inadvertently opens up a link they didn’t expect, such as a spoof offer for a freebie.
  • Employee uploads files to a personal Dropbox or similar. This could be a useful tool, but could also constitute data theft

Content management, network monitoring, strong firewalling, can all help to stop an infection after the fact, but changing behaviour in the first place is a far smarter plan. 

Changing Behaviour and Work Culture

Are your team motivated to consider security?

Do they understand what a threat might look like and what actions to take if they are confronted with the problem?

How much responsibility does an individual in your organisation feel towards the security of your data? I'm sure they wouldn't leave the doors open at night or wantonly leave an office slip or trip hazard to cause an injury.

Better education is key in all cases and can be made part of employee induction, ongoing training and objective-setting. 

Once this is in place, strong employee policies and codes of conduct are imperative in mitigating the threat posed by outside agents.

  • What sites are employees allowed to access?
  • What is the organisation fair usage policy?
  • Are there specific times when “personal sites”, such as Facebook, can be accessed (e.g. lunchbreak)
  • What is the policy on staff usage of personal USB sticks and other forms of data storage?
  • Is there a robust data policy?

 

So how can HR help?

We could be all Big Brother about it, throw up restrictions and firewalls everywhere but is it really the best solution?

HR are incredibly good an influencing behaviour, often using both carrot and stick to derive the desired behavioural outcomes.

To enable this, security must be an integral part of every employee’s onboarding process. And HR should have responsibility for ensuring the ongoing education and exerting behavioural influence over staff in a regular and planned way.

Ensuring the policies in place regarding usage, security, accountability and responsibility are adhered to, without it being a highly restrictive environment.

Employee control is like a wedding prenup – everyone agrees that everyone should have one; they just don’t think it will be necessary in their case!

If you'd like an off the record chat about updating your HR policies, how your workforce could be motivated to consider IT Security, or anything else security related, you can book into my diary here.

Best wishes,

Liz

10 Security Maxims Debunked

11 Jul 2018

    IT Security is a huge and daunting topic, it takes an expert to stay on top of everything!  So much information, so much conflicting advice, it's difficult to know where to start, but not all advice is good advice.  There are some common messages that we really don't like. Here's our top ten ways that our industry is getting it...

Optimisation - Making the Most of Existing Tools

20 Jun 2018

  One of the most annoying things I see on a daily basis is companies with great security products – huge capital expenditure, spent wisely on market-leading products which are great assets, but which are totally under-utilised and going to waste because the infrastructure, fundamentally hasn't been set up correctly. ​ Even worse, we sometimes...

Lessons from a UK Bank Data Breach

20 Jun 2018

I've been watching the news surrounding one of the UK's major retail banks aghast. I could ask "how could they let this happen" but it's obvious why it happened, and very sad. We have a major UK institution in crisis through ineffective security and archaic data architecture.  First of all there was a data breach following a system upgrade....

Troubleshooting - The Most Expedient Improvement

20 Jun 2018

  If you have a problem, if no one else can help, and if you can find them, maybe you can hire the A-Troubleshooting Team. When you have a solution which isn’t working correctly, or you just don’t think it’s performing well enough, it’s common for organisations to think that a rip and replace strategy is better than spending the time to resolve...

HR: The Front Line in Network Security

20 Jun 2018

  HR has a huge role to play in the security of your networks   Yes, Human Resources. For all the effort your organisation expends to implement robust IT policies and infrastructure, the biggest threat to an organisation’s safety comes from its people. Whether through malice, ignorance or human error; the people in your businesses are the...

;