HR has a huge role to play in the security of your networks
Yes, Human Resources.
For all the effort your organisation expends to implement robust IT policies and infrastructure, the biggest threat to an organisation’s safety comes from its people.
Whether through malice, ignorance or human error, the people in your business are the most likely factor in enabling threats.
Where there are people, there is HR, and your HR team can be your most valuable asset in avoiding breaches.
Why Do Staff Cause Problems?
It's possible that a rogue employee could target your organisation by deliberately compromising systems or accessing information. This is one aspect of “Social Engineering” which we’ll discuss on another blog, but most employee breaches happen for less dramatic reasons:
- Employee works on files at the weekend on their home PC. They upload their work via USB stick onto their laptop or desktop, not realising that they’ve transferred malware between the two devices, or that the USB stick itself has been compromised
- Employee lets their bored child use the laptop or smartphone to play games in the car. Children download apps and games far more readily than any adult, and are more comfortable doing so. Many of the games which children download are, in fact, malware by design and infect your company device with unwanted code
- Employee is searching for help with a particular problem (e.g. a free "clone" version of an expensive tool such as Photoshop for a presentation). In doing so, they inadvertently download infected code to their machine, or download malware along with the program they wish to use
- Employee is viewing videos on YouTube or similar. This is probably unwanted behaviour in any circumstances but the possibility of malware being downloaded at the same time is always present.
- Employee clicks through a link on their Facebook account and inadvertently opens up a link they didn’t expect, such as a spoof offer for a freebie.
- Employee uploads files to a personal Dropbox or similar. This could be a useful tool, but could also constitute data theft
Content management, network monitoring and strong firewalling can all help to stop an infection after the fact, but changing behaviour in the first place is a far smarter plan.
Changing Behaviour and Work Culture
Are your team motivated to consider security?
Do they understand what a threat might look like and what actions to take if they are confronted with the problem?
How much responsibility does an individual in your organisation feel towards the security of your data? I'm sure they wouldn't leave the doors open at night or wantonly leave an office slip or trip hazard to cause an injury.
Better education is key in all cases and can be made part of employee induction, ongoing training and objective-setting.
Once this is in place, strong employee policies and codes of conduct are imperative in mitigating the threat posed by outside agents.
- What sites are employees allowed to access?
- What is the organisation's fair usage policy?
- Are there specific times when “personal sites”, such as Facebook, can be accessed (e.g. lunchbreak)?
- What is the policy on staff usage of personal USB sticks and other forms of data storage?
- Is there a robust data policy?
So how can HR help?
We could be all Big Brother about it and throw up restrictions and firewalls everywhere, but is it really the best solution?
HR are incredibly good at influencing behaviour, often using both carrot and stick to derive the desired behavioural outcomes.
To enable this, security must be an integral part of every employee’s onboarding process, and HR should have responsibility for ensuring ongoing education and exerting behavioural influence over staff in a regular and planned way.
That means ensuring the policies in place regarding usage, security, accountability and responsibility are adhered to, without creating a highly restrictive environment.
Employee control is like a wedding prenup – everyone agrees that everyone should have one; they just don’t think it will be necessary in their case!
If you'd like an off-the-record chat about updating your HR policies, how your workforce could be motivated to consider IT security, or anything else security-related, you can book into my diary here.
Best wishes,
Liz