[BreachExchange] Employee Handbooks: The Vital Link in a Cybersecurity Chain

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 30 14:03:02 EDT 2017


http://totalsecuritydailyadvisor.blr.com/cybersecurity/employee-handbooks-vital-link-cybersecurity-chain/

When it comes to cybersecurity, two factors are coming together in a
worrying way. One lurks in the results of a survey, conducted by the
Association of Corporate Counsel, that shows employee error is the leading
cause of data breaches. The other was revealed in research carried out by
CompTIA, which discovered that almost half of employees don’t receive any
training around cybersecurity.

It’s little wonder, then, that new data breach announcements surface nearly
every week. For HR professionals, it’s becoming apparent that employees
lack proper knowledge of data security and that more proactive steps must
be taken to address this growing issue.

Knowing the threat posed to sensitive data today, HR has an important role
to play in reducing the risk of human error in security incidents by
teaching employees the do’s and don’ts of cybersecurity. The good news is
that breach prevention efforts don’t need to be overwhelming. The first
place to start in the journey is with the employee handbook.

The Link Between Breach Risks and Employees’ Actions

Even a small data exposure creates big problems for the company. Financial
penalties may be steep, and are often followed by reputational harm and
other long-lasting impacts. As customers drift away, revenue is likely to
sag. Business partners and collaborators may pull back on contracts or put
more onerous terms in place to protect themselves. Employees and even
candidates may lose trust in the business, draining morale and potentially
hurting the organization’s ability to attract and retain quality workers.

The volume of data breaches resulting from employees’ actions demonstrates
the vital role the workforce plays in maintaining data security. Risks of
an exposure will only increase if employees aren’t aware of the importance
of a strong security posture and where their responsibilities exist in that
effort. In addition, if workers don’t have the tools they need—in the form
of best practices and procedures—their good intentions may still fall short
when it comes to protecting company data.

HR Can Take the Lead On Data Security

Historically, much of the breach prevention discussion has focused on IT
and the technologies they deploy. The reality is that a robust data
protection strategy is much broader than that. The HR function represents a
critical starting point in creating and nurturing the company’s culture of
data security, and the team is in a position to take the lead on ensuring a
strong security posture across the entire workforce.

The employee handbook is the perfect vehicle to provide a foundation for
the rest of the company’s efforts. It immediately demonstrates to new hires
that the company takes cybersecurity very seriously. It also sets
expectations for employees joining the company, not just around the proper
processes and procedures that should be followed but also concerning each
individual’s responsibility for protecting sensitive data.

In addition, because most organizations require that employees provide a
signature acknowledging they have read and understand the practices set out
in the handbook, workers will have an explicit understanding that they will
be held accountable for following the policies set out within its pages.

Incorporating cybersecurity best practices into the employee handbook also
helps to boost workers’ engagement with the tools and technologies provided
as part of the data protection program. Not only will employees be more
likely to utilize the security mechanisms available to them, those who know
about breach risks and prevention strategies will be more aware of their
coworkers’ actions, as well.

If an individual displays poor data handling habits, their peers will have
the knowledge to identify those security gaps and either counsel the
employee to improve or alert the organization’s data security team that
risks may exist. This turns employees—determined to be a point of weakness
in past breaches—into the company’s first line of defense against an
exposure.

Training Drives the Data Security Message Home

A section in the employee handbook is the start of a solid cybersecurity
program, but it must be followed by comprehensive, ongoing training.
Because breach prevention extends far beyond IT’s realm, HR professionals
should consider data security training as just one component in the overall
awareness and education efforts the team oversees.

Alongside existing training that covers regulatory primers, communication
competencies, and a host of soft skills, cybersecurity education will help
employees carry out their responsibilities in a way that protects the
business and ensures activities are done correctly.

It’s important to remember, though, that breach prevention and response
isn’t a set-it-and-forget-it affair. HR will want to develop a training
program with recurring sessions to ensure employees maintain awareness
around data security risks and practices.

In addition, because cyber threat vectors are always evolving, ongoing
skills development is important to keep up with new scams and new targets.
This refresher training complements the policies in the handbook and gives
employees an opportunity to maintain their skills.