[BreachExchange] Ensure that your employment contracts are fit for purpose for cyber-security

[Audrey McNeil]

http://www.scmagazineuk.com/ensure-that-your-employment-contracts-are-fit-for-purpose-for-cyber-security/article/487903/

As we all know, cyber-security is rarely out of the news and this won't
change given estimates that by 2019, an additional 4.5 million
cyber-security experts will be needed worldwide.

Our own research amongst SMEs found that 76 percent of companies are
concerned about cyber-security, with 17 percent having experienced a
cyber-attack.

Our biggest observation when we discuss ‘cyber-security' is often not
‘computer security' but ‘people security'. Whilst companies can have the
very best tech in place and invest heavily in new systems, the fact is that
around a third of data security issues are people-based.

Data is scarce but, in 2014, a cyber-claims study found that over a third
(34 percent) of claims for data loss was down to people security, with 11
percent of the dataset being rogue employees; 10 percent for lost or stolen
laptop devices; and 13 percent for staff mistakes. Add to this a further
five percent for improper data collection, and almost four out of 10 (39
percent) of the claims are because of the user.

Many organisations protect themselves from the usual business-critical
blunders by having any potential issues covered off in the employee's
employment contract and the company's policies and procedures. However,
this is often not the case with data loss, as it is often not given the
same priority as other ‘serious' employment issues, such as inappropriate
sexual or racial behaviour or financial misconduct. Organisations do need
to make sure they have robust policies covering cyber/data security, data
protection and IT and communications - policies which are communicated to
employees who are made fully familiar with the rules and processes they are
required to follow. Failure to ensure that data security is protected can
put individuals at risk, cause them harm and distress, and result in a loss
of reputation and prosperity to organisations. The UK Information
Commissioner has the right to levy fines of up to £500,000 for a serious
breach of the data protection principles. The corporate fallout and
financial implications can often be much more severe and broader in nature
when cyber- or data- issues are involved. As the data controller the
organisation is responsible for making sure the confidentiality of the data
they process is preserved.

>From a legal and HR perspective a business must also ensure that it has a
social media policy in place which receives equal prominence within an
organisation to other HR policies. Companies should put the social media
policy in place, to provide employees with enforceable guidelines on:

The company's level of tolerance for personal use of social networking
services;
Details of what constitutes business damaging social media which is not
illegal;
How the company will handle situations where employees post inappropriate
and potentially business damaging, but not unlawful, posts such as illicit
photos, profanity or other potentially derogatory content;
How the company will monitor compliance with the policy; and
The sanctions imposed for any breach of the policy and the procedure
through which those sanctions will be enforced.

The social media policy is in addition to having HR policies covering
cyber/data security and a data protection policy that will cover the myriad
of issues that a company might face, such as data-handling, storage,
transportation etc.

The key is that employees must understand that they are required to comply
with these policies and that a breach of any of the policies is an HR issue
that could ultimately lead to dismissal. This is critical for any business,
as although the legal framework is still being developed, it is clear that
businesses can face public and private claims for breach of cyber-security.
The security provisions in the Data Protection Act 1998 have been
interpreted by the Information Commissioner's Office (ICO) to include
cyber-space and to contain a duty for cyber-security to protect personal
data from cyber-crime. Complying with the seventh data protection principle
requires an organisation to have appropriate technological and
organisational measures in place to prevent personal data being lost,
damaged or stolen. The ICO has heavily fined companies that have been
hacked, and a failure to protect confidential information due to a lack of
adequate cyber-security can also be a breach of the common law duty of
care, therefore amounting to negligence.

Despite the fact that the legal framework is currently unclear, the
standard that the law will apply is the consensus of opinion in the
professions and industry about what constitutes good practice.  For
example, laptop computers holding sensitive personal data should be
encrypted. Mobile telephones containing confidential data should also be
passcode protected.

ISO 27001: 2013, which sets a standard for security management systems, is
regularly cited by the ICO in enforcement decisions and regulatory
guidance, and deals with such matters as Human Resource security.

The responsibility for monitoring and reviewing the operation of all
cyber-security policies and making recommendations for change to minimise
risks should lie jointly with HR and the head of the IT department, or
someone in a similar position. In addition, according to the Data
Protection Act, any data controller must take reasonable steps to ensure
the reliability of any employees who have access to personal data. Policies
should be reviewed regularly to ensure that they meet legal requirements
and reflect best practice in this ever changing and evolving area.

However, IT and human resources management need to be trained thoroughly on
the appropriate and effective monitoring of employees, and enforcement of
the various company policies, restrictions, guidelines and contract
provisions relating to social media and cyber- and data- security.  This
should be done in compliance with employees' privacy rights. This is
important as employees who breach any of the policies may be subject to
disciplinary action up to and including termination of employment.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160427/ddc0114b/attachment.html>