It was one of the largest data breaches in U.S. history—and it happened just last year. The April 2015 data breach of the U.S. Office of Personnel Management, which exposed the personal information of millions of government employees, had major implications for HR departments worldwide. The breach compelled employers everywhere to question the safety of their data and the strength of their own network security system.
Breaches of this nature are continuing to rise. According to the Identity Theft Resource Center, there was an increase in cybersecurity attacks during the first four months of 2016, compared to 2015.
As the keeper of some very valuable information, HR is in a vulnerable position. In the SHRM Online article Federal Government Hacked: Lessons for HR, Nigel Johnson of Zix Corporation says that “By their very nature, HR departments are a treasure trove of data … and because this data needs to be transferred both internally and externally, HR is a sitting duck for data breaches.”
Training and Awareness
The best network security systems are useless if employees are not trained on how to help prevent attacks. In the SHRM Online article Experts Say Employee Error Accounts for Most Security Breaches, authors Michael R. Overly, Eileen R. Ridley and Chanley T. Howell say that “While such technological measures as anti-virus software, access controls, firewalls and intrusion detection systems are clearly important, their effectiveness pales in comparison to the benefits gained by providing security awareness training to employees.”
The USA Today article A Hacker’s Best Friend Is a Nice Employee shared some shocking information on just how easy it can be for cybercriminals to con employees into sharing their company’s most sensitive network information. Chris Silvers, who runs CG Silvers, an independent security consulting firm in Atlanta, told the paper that one of the easiest ways for hackers to obtain information is through “the lowly desk telephone” and that “you can get everything you need—information about their security, their operating system, what kind of computers they use. Just with a call.” The more aware your employees are of the tactics that cybercriminals will use to infiltrate your organization, the better your chances of thwarting future breeches.
The article Putting Human Resources at the Heart of Cyber Security describes how cybercriminals now use social media to identify employees who might be more susceptible to a ploy—or who might even be willing to help. “They mark people with a predisposition to break security controls such as those with strong views, who do not react well to authority. They look for a trigger event which will break the employee's psychological contract with their employer—such as a demotion, change in role, redundancy or dismissal. Employees who take action against their employer are most likely to do so within 30 days of such an event. Managing an employee's exit with a view to security is also one of the most critical of all the contributions the HR team can make.”
They say the best defense is a strong offense. In the world of HR cybersecurity, a strong offense looks like a well-trained workforce and a vigilant HR department.
How are you protecting your employees’ personal information and your organization’s most sensitive data?
Please join @shrmnextchat at 3 p.m. on August 31 for #Nextchat with SHRM technology editor Aliah D. Wright (@1shrmscribe). We’ll chat about the steps HR professionals can take to help protect their organization’s data from a cybersecurity attack.
Q1. As an HR professional, what aspects of cybersecurity and data breaches concern you the most?
Q2. Why are employees now the weakest link of an organization’s cybersecurity?
Q3. Does your organization currently offer cybersecurity training to employees and what does it cover?
Q4. How have you changed your employee handbook or policies to better protect your organization from cyberthreats?
Q5. Does monitoring employees’ communications for cyberthreats cross a privacy boundary? Where should you draw the line?
Q6. How do you alert employees to worms, viruses, malware, ransomware or phishing scams? What methods of communication do you use?
Q7. If you’ve experienced any kind of cyberattack at your organization, what are some lessons learned?
Q8. What tips or advice do you have for HR pros for protecting their organizations against cyberattacks?