On a list of crises for a human resources professional, it ranked right at the top. And, unfortunately, it wasn’t an isolated incident. According to The Computer Security Institute of San Francisco, 75 percent of companies have suffered financial losses, such as financial fraud, theft of proprietary information and sabotage, from computer security breaches. The institute found that the biggest security threat typically comes from inside an organization. "There are plenty of people—hackers and others—looking to steal information or do something malicious," states Darren Donovan, a senior managing director at Pinkerton Investigation Services, a security and investigations firm in New York City.
Welcome to HR’s newest battleground. As more and more data goes electronic, the risks and threats to the modern organization grow. An unencrypted e-mail sent over an intranet or the Internet can allow crucial information to fall into the wrong hands. A PC without the proper password protection can easily become a fountain of illicit knowledge. And a network without the proper safeguards, including a firewall and audit capabilities, can become a high-tech sieve that lets crooks steal or destroy sensitive data. These days, there’s even cyberterrorism —orchestrated attacks on organizations for political or economic purposes.
Yet, despite the need for sophisticated hardware and software protection, data security has far more to do with policy than product. Notes Chip Mesec, director of product management at Santa Clara, California-based Network Associates, a provider of network security products: "Having the right systems in place is crucial. But unless employees understand the consequences of their actions or inactions, unless they’re educated to follow procedures and abide by rules, all the solutions in the world won’t work."
For human resources, the implications are clear: In today’s business environment, it’s essential to understand enough about the technology to ensure breaches don’t take place. It’s also crucial to know that employees are using electronic security properly and that HR policies are in place to deal with training, education and compliance. "A tremendous amount of thought and planning is required," states Kevin Wheeler, vice president of staffing and employee development at Charles Schwab and Co. in San Francisco. Yet, juggling corporate politics, procedures, staffing issues, and educational concerns to secure a workplace can seem overwhelming. Today, it requires a team-oriented approach that involves HR, security, legal and information technology (IT). As Mesec puts it, "Electronic security cuts across departments and divisions, but it always gets back to human resources issues."
Pay attention to the growing risk.
A quarter-century ago, a typical company conducted the vast majority of its business on paper. Important files and documents were kept under lock and key, and when something was sent to someone across the office or in another part of the country, a set of security precautions was almost always used. In most instances, a document was sealed and sent by courier or registered mail with a signature required at the other end. Paper shredders helped ensure that sensitive documents didn’t wind up in front of the wrong pair of eyeballs.
But today, the move from paper-based systems to electronic data management has turned security upside down. Although breaches have always been part of the corporate landscape—a dishonest or inattentive employee presents a serious concern in any environment—digital data is far easier to duplicate and disseminate "In the past, a fairly limited number of people had access to key data. With the opening of systems to the entire workforce, particularly HR records, people can access and even change information and records. There’s a greater risk of employees accessing information that’s not theirs, and once a problem occurs, people lose confidence," explains Bill Davies, director of technology at PDS, an HRMS systems vendor with headquarters in Blue Belle, Pennsylvania.
Violators now include a long list of individuals: workers who are disgruntled or have been laid off; contractors; consultants; even good employees who inadvertently destroy, alter or expose crucial data. Moreover, curiosity, gossip and the indiscriminate sharing of data can also lead to crime and a litany of other nightmares.
One thing is clear: today’s crooks are opportunistic—and elusive. A computer left unattended for a moment—and without proper password protection—can serve as an access point for a data bandit. It’s then possible to intercept data from the network using specialized software, tap into confidential files on a PC or a server, and undelete previously erased data from a hard drive, including e-mail. Unless the person storing data has encrypted the information or used a "wipe" delete function to get rid of it, the information isn’t secure.
And all this is just the beginning. Dial-up remote access—an increasingly common tool for telecommuters and traveling employees—is designed to provide entry into a network. Once there, it’s possible to gain access to unauthorized files unless firewalls and other protections are in place. Internet access poses yet another threat. And, as the Pixar case points out, an e-mail message can instantly transport company secrets to someone outside the organization. As Donovan puts it, "The risks are everywhere."
The Pentagon found out how true that statement is in February. Despite an elaborate effort to protect its vast data bank, computer hackers broke into an unclassified section of its network and conducted "the most organized and systematic attack" ever, according to Deputy Defense Secretary John Hamre. The individuals who conducted the attack examined and possibly altered confidential payroll and personnel data. The assault was one of 250,000 attempts to crack the Pentagon’s security code each year.
But, more often than not, the biggest threat exists within an organization. For example, at Omega Engineering Inc. of Bridgeport, New Jersey, an engineer who doubled as his firm’s network administrator allegedly launched a logic bomb (a hidden malicious program) that deleted every application and file on every hard drive at the company. That resulted in more than $10 million in damage. Three weeks after the network administrator was fired, the program deleted every file on the network. "Employees came to work but couldn’t boot their computers," Omega’s Director of Human Resources Al DiFrancesco later remarked in ComputerWorld magazine.
Although the man has been indicted by a grand jury and currently is awaiting trial—he faces a maximum five-year sentence and a possible $20 million fine—Omega learned its lesson the hard way. Even sophisticated back-up, recovery and audit software alone can’t prevent an incident. It’s the human side of the equation, well-designed policies and procedures, that make or break an organization.
Take a byte out of crime.
Firewalls, encryption, digital signatures, public keys, security tokens—products like these might make you feel as though you’ve been transported to the far reaches of the IT galaxy. Yet, it’s how people use the tools that largely determines whether key data remain a firm’s bread and butter or become toast. Ask yourself: Who has access to information? What files can specific employees access? What do people do with data? How do they share data? "Human resources should play a central role in determining who has access rights to certain data as well as educating employees how to use security tools correctly," says Jude O’Reilley, a research analyst at the Gartner Group, a Stamford, Connecticut, market research and consulting firm.
At brokerage firm Charles Schwab and Co., data security has become a religion. With service representatives accessing highly confidential customer account records and servers storing mission-critical data, there’s no margin for error or problems, says Wheeler. As a result, the company conducts extensive background checks on all employees, offers a security briefing during orientation, and then provides booklets, brochures and intranet links that constantly remind employees what they should and shouldn’t be doing. In addition, any employee who works with the public must take a refresher course and exam once a year to ensure that he or she understands company policies and procedures related to data security—including the use of passwords and e-mail.
But the company also goes to great lengths to ensure that human policies mesh with physical security. For example, all service centers and branch offices are equipped with PCs that lack floppy drives and modems—and employees aren’t allowed to bring in any type of foreign media. Only data that have been approved and certified are available through a secure network connection. That makes it extremely difficult to remove or corrupt data, and ensures that viruses won’t wind up in the system. Although such a design can make some tasks, such as training, more difficult because local offices can’t load an updated CD or floppy disk into the PC, "Everyone understands how important it is to make sure that there’s no risk of compromised data," says Wheeler. Schwab backs all this security with regular spot checks and sophisticated network monitoring that can detect illicit files.
Of course, Schwab’s detailed policies didn’t just happen. They were the result of meticulous planning. A senior vice president of human resources interacts with various other department representatives—including IT, legal and compliance—to put procedures and rules into place and regularly update them through a formal review process. In addition, human resources works with the security department to determine what actions and punishment should occur if an infraction takes place. "Decisions are made on a case-by-case basis, though the company generally has a very low bandwidth of tolerance," says Wheeler.
In fact, Pinkerton found that 80 percent of a company’s vulnerability to cybercrime is related to inconsistent information security practices, including the use of passwords and standardized log-off procedures. "Passwords, codes, access levels and other tools are crucial, but security is just as much about culture and corporate attitudes as anything else," says Donovan. And that begins with making clear which data are proprietary and valuable and which are cleared for public release. Many companies don’t adequately inform employees on such issues, he points out. Even worse, far too many organizations don’t bother to ask workers—as well as consultants and outside contractors (who frequently pose an even greater risk)—to sign a confidentiality agreement. The result? Ignorance about how to handle important data and questionable legal liability, if the case ever reaches a courtroom.
"One of the problems is that employees and employers tend to become lax and, over a period of time, pay less attention to policies," says Burke Stinson, a spokesperson for AT&T of Basking Ridge, New Jersey. In fact, infractions take place despite AT&T handing employees information at orientation and providing them with bulletins and notices that remind them to change passwords, switch off computers at lunch or after work, and use encryption for highly sensitive e-mail.
Consequently, AT&T’s security department conducts regular audits and spot checks to find violations and then sends out notices to employees who haven’t complied with policy. What’s more, temporary employees—particularly in the IT department—aren’t allowed into the system. Ultimately, "It’s the tone you set within an organization. If you have slipshod management and a relaxed attitude, you’re setting yourself up for problems. If you take the risk seriously and use proven methods to make sure workers comply, you greatly reduce the odds of anything catastrophic happening," he explains.
Build a better strategy through teamwork.
O’Reilley believes that a workable solution always comes down to three key issues: 1) Determining which data are private, 2) who has authorized or unauthorized access to data, and 3) potential ways people can access network-based information. Although it’s IT and security departments that typically put computer security systems in place, HR must communicate the human side of the equation—particularly when data originates and resides within the HR department, he argues.
Among other things, that means mapping out processes and work patterns—often using a team-based approach or a task force that cuts across departments. O’Reilley believes it’s necessary to create a continuum, ranking information from "public" to "business critical" and then putting work models in place that allow appropriate individuals to view appropriate data. In the case of HR data, for example, employees would be allowed to view their own records. A manager who directly oversees a group of workers might have data privileges as well. But the same manager wouldn’t be allowed to view data for other workers, other managers or executives. That becomes the centerpiece of designing security systems and policies. In fact, once rights and privileges have been mapped out within the organization, it’s possible to create secure work teams or departments unrelated to geography. It’s also possible to determine who is violating established policies.
If individuals outside the organization pose a threat, then it’s probably an issue best left to security and IT. However, when the threat is internal, human resources can play a key role in identifying potential violators within the company. In some cases, HR might be aware of previous violations and infractions that could tip off future problems. Routine background checks conducted during the pre-employment process might also provide important clues. In fact, experts say that thorough background checks should be mandatory for network administrators, who are entrusted with enormous power and can wreak havoc if they abuse it.
Dealing with employees who are leaving the organization is just as important. According to Donovan, many security breaches occur when a disgruntled employee—usually somebody who has been fired—is allowed access to his or her PC. Although managers would never dream of letting the person rifle through filing cabinets, they often don’t consider the consequences of allowing that person to log onto his or her computer. "A strict termination policy must be in place, and one that deals with passcodes. A person should immediately be locked out of the system," he says.
New technology is making it easier to nab crooks and maintain solid security. Biometrics—once the stuff of James Bond films—is beginning to filter into the workplace. Using thumbprint, retina or facial recognition, biometrical devices allow only authorized personnel access to the network, without the hassle of passwords. What’s more, a person is able to log on from any location, and, in the case of facial recognition, the computer monitor can automatically go blank when the individual walks away. In addition, far more sophisticated intranet-based firewalls are cordoning off departments, while encryption is becoming increasingly transparent. In many cases, e-mail is encrypted and decrypted automatically by software running on the PC.
Yet no amount of technology will ever eliminate all cybercrime. As Mesec puts it, "As long as there are people, there will be incidents." Ultimately, it’s up to human resources—partnering with security and IT—to help employees understand the risks and responsibilities of using computers. Indeed, a byte of prevention goes a long way.
Workforce, May 1998, Vol. 77, No. 5, pp. 53-60.