Cybersecurity is usually considered to be an IT responsibility. In most organizations, questions or concerns about intellectual property, data storage and data theft are funneled to the IT department.
This assumption is dangerous, however, because every department in every company conducts at least some tasks online and is, therefore, susceptible to a cyber-attack.
Cybersecurity Risks for HR
Anything accessed, sent or stored digitally can be compromised, even data owned by HR.
HR professionals post job openings online, liaise with candidates via email and collect sensitive information. Whether they work for an international staffing agency or a local grocery store, a lot of an HR professional’s work is now online and therefore at risk.
For example, suppose you own an HR firm that collects digital resumes. Your online system is responsible for making this pool of applicants available to the clients.
If your cybersecurity measures are inadequate and a hacker enters the resume database, they can add, edit or delete references to influence the look or impression of any person’s resume.
References are one of the core measures for gauging the credibility of an applicant. And, since references must be factual and honest as demanded by the law, compromising them is a legal issue.
Consider another scenario. Because the data of potential applicants is stored online, there must be robust measures to ensure the system can mitigate an attack or recover from malfunction.
If a hacker were to breach a database of current or previous applicants, personal information such as their email or address could be extracted and used illegally.
Cyberbullying is a core concern for employees working in nearly any environment. As explained here, cyberbullying is divided into the following categories:
- Threatening emails
- Offensive emails
- Gossiping via chat forums
- Gossiping via social media networks
The last category, bullying on social media, is common and can happen without databases being compromised. In fact, a search on social media networks can lead a cyberbully to an employee.
HR can address cyberbullying and maintain a safe environment for employees in three ways:
The IT infrastructure must support your company’s anti-bullying policy. If a breach is detected, HR must report that to the IT department quickly, regardless of any constraints (and vice versa).
Implementing a Policy
While employees must be provided with a firm policy regarding appropriate social media use, an advisory email must be forwarded to all employees after an attack. Highlight and prioritize policy text related to the incident, if possible.
Encouraging Open and Transparent Communication
For many reasons, HR may restrict how teams communicate with each other. However, to keep a secure environment where information and warnings can be widely shared, the cybersecurity team must be allowed to communicate openly with everyone in the organization.
Securing Your Systems
Hackers are always coming up with creative new ways to access private systems and databases, meaning you can never be 100 per cent certain your information is secure.
The more protection you have in place, the less likely you will be targeted and therefore the less likely you will be a victim.
Perform Penetration Tests
Penetration tests (often called pen tests) are a series of simulated attacks made by authorized “ethical hackers” to evaluate the security of your system. Pen tests use techniques preferred by hackers around the world.
While you must have a penetration test when you build the system, it is also advised to hire a certified team that periodically tests and updates your system.
The use of honeypots is essential in determining real threats. A honeypot attracts hackers by offering a system that contains information of interest to them.
As soon as a hacker accesses the system, they are tagged and either located (to take further action) or monitored (to evaluate current countermeasures). By monitoring an attack, IT can take steps to prevent similar incidents in the future.
Honeypots are crucial for HR because they let the team know which hacker or what type of mechanism is being used to undermine its operations. Moreover, they help HR define clear policies to be followed during and after an attack.
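The "tagged, then monitored" idea above can be shown with decoy applicant records planted in a resume database, a small-scale variant of the honeypot described here. This is an added example, not code from the original article; the log format, account names and record IDs are constructed assumptions. Because no legitimate user has a reason to open a decoy record, any source that touches one is tagged, and all of its other activity is pulled for review.

```python
# Constructed sample log: "<ISO time> <source IP> <account> <action> <record id>"
SAMPLE_LOG = """\
2024-03-04T09:12:01Z 10.0.4.17 recruiter_a READ applicant-1042
2024-03-04T09:13:44Z 10.0.4.17 recruiter_a UPDATE applicant-1042
2024-03-04T23:51:09Z 203.0.113.50 svc_export READ applicant-0007
2024-03-04T23:51:10Z 203.0.113.50 svc_export READ decoy-9001
2024-03-04T23:51:12Z 203.0.113.50 svc_export UPDATE applicant-0311
malformed line
2024-03-05T08:02:30Z 10.0.4.22 recruiter_b READ applicant-0311
"""

# Hypothetical IDs of planted records that no real workflow ever opens.
DECOY_IDS = {"decoy-9001", "decoy-9002"}


def parse(line):
    """Return (time, source, account, action, record), or None if malformed."""
    parts = line.split()
    return tuple(parts) if len(parts) == 5 else None


def tag_decoy_access(log_text, decoy_ids):
    """Tag each source that touched a decoy, then gather all of its activity."""
    events = [e for e in map(parse, log_text.splitlines()) if e]

    tagged = {}  # source -> time of its first decoy touch
    for time, source, _account, _action, record in events:
        if record in decoy_ids and source not in tagged:
            tagged[source] = time

    report = {}
    for source, first_hit in tagged.items():
        mine = [e for e in events if e[1] == source]
        real = [e for e in mine if e[4] not in decoy_ids]
        report[source] = {
            "first_decoy_hit": first_hit,
            "accounts": sorted({e[2] for e in mine}),
            # Real records read: applicants whose data may have been extracted.
            "real_records_read": sorted({e[4] for e in real if e[3] == "READ"}),
            # Real records changed: resumes/references to verify and restore.
            "real_records_modified": sorted({e[4] for e in real if e[3] != "READ"}),
        }
    return report


if __name__ == "__main__":
    for source, detail in tag_decoy_access(SAMPLE_LOG, DECOY_IDS).items():
        print(source, detail)
```

The report includes activity from before the first decoy touch, which tells HR which applicants' data may have been read and which resumes should be checked for altered references.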