Ensuring Organizational Information Security - HR’s New Role

In the past few years HR has increasingly become a strategic partner in organizations with proven contributions to the ROI of the organization. With more technological innovations, increased global competition, and the ever-changing business landscape, the challenges that face an organization continue to evolve. The noted investor Warren Buffet has warned that cyber security is the number one threat, not just to organizations, but to humanity in general [1]. Comprehensive risk management is now a board level priority [2] and therefore a focus for every department in the organization.

In 2017, we have already seen many security breaches in the form of hacks and ransomware that have jeopardized the smooth functioning of organizations. A recent survey by Gartner concluded that a whopping 63% of CEOs cite a breach of confidential or proprietary personal information as their top concern in 2017. That concern eclipses CEOs concerns about finding and retaining talent [3]. Information security is now not just IT’s responsibility but a requirement that needs to be fulfilled by all organizational departments, including HR.

According to Harvard Business Review, traits that make us human are also the ones that open us up to major threats of cyber security (curiosity, ignorance, apathy and hubris). Therefore, technological defenses alone are not going to provide a complete defense against informational security threats. As noted by the researchers, it is important to be aware of three important factors when it comes to cyber security [2]:

1. Cyber risks will continuously evolve
2. Defense is a much harder role to play than offense
3. Organizations can become complacent when they feel they are secure

As pessimistic as it sounds, it is better for an organization to assume the worst and that an information security breach is a question of ‘when’ not ‘if’. HR can take the lead in ensuring employees are prepared and contribute to overall informational security.

1. Training: Employees at every level of the organization should be aware of the steps they need to take in the event of a security incident. Making employee handbooks and checklists available with the procedures in place for recovery and restoration is a must.
2. Organizational Awareness: Every employee needs to be aware of the hierarchical chain of command and who needs to be notified in the event of a security breach.
3. Engagement: Engaged employees are more likely to pay close attention to guidelines laid out in employee handbooks and more diligent in observing and reporting weaknesses and possible breaches.
4. Collaboration across the organization: HR can bring various teams together to map out the requirements for security training and work closely with IT to ensure proper processes are followed to monitor unauthorised password sharing, downloads of third party software, and update alerts that need to be acted upon.
5. Processes and Workflows: Insiders are a major cause of leaks of sensitive or confidential information, often when devices are lost or compromised. HR can use data analytics to track property requests for lost or stolen devices and automate workflows for reporting even minor security incidents so they can be routed to the right people to be actioned. Keeping track of employees with a high number of reported incidents should also be done to monitor for unusual activity and intervene if the need arises.

One thing that the recent cyber security threats have highlighted for organizations is their overall lack of preparedness to deal with information security threats. When it comes to security, the weakest link are employees as we have all grown accustomed to ignoring alerts, putting off updating software patches, and even misplacing our devices. Technology helps all of us be more productive and efficient so we need to balance the use of technology with a level of defense the organization requires to be secure. HR can play a key role making sure that employees play their part in security but also keeping the processes and procedures in an organization ‘human’ and sustainable.

After being strategic partners in ensuring organizational success, HR now needs to work closer with IT to add human aspects to security measures to create the perfect defense against security breaches.

References:

1. http://www.businessinsider.com/warren-buffett-cybersecurity-berkshire-hathaway-meeting-2017-5
2. https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training
3. http://recruitingdaily.com/breach-information-security-data-privacy-hr-technology/