Companies have undergone significant changes in the past few years. Before, employee would come into the same workspace and be connected via the same on-premise system. Now people can work from almost anywhere, bring their own devices, use cloud-based applications and access work files on their mobile devices. The result? An increase in threats to cybersecurity.
However, just because cybersecurity threats affect, well, cyberspace, doesn’t mean a human element isn’t necessary to mitigate them.
“People often mistake security risk in a company as being primarily a technology risk — making sure you have the right systems in place, etc.,” said David Meyer, vice president of product at OneLogin, an identity management and cybersecurity company based in San Francisco. “But it’s just much, if not more, a cultural risk.”
The information technology and human resources department, together, make a smart team in fighting these risks, Meyer said, because most cybersecurity threats come from inside the company.
This is especially concerning because of the great financial effect a security breach can have on a company. For example, there has been a 64 percent increase in security breaches from 2014 to 2015, according to the U.S. Department of Homeland Security, and the average breach costs a business $3.8 million, according to a 2015 Ponemon Institute study.
The HR department has the skills necessary to mitigate two potential insider threats, Meyer said. The first threat is well-intentioned employees who make a mistake, such as using a personal email rather than a work email or accidentally sharing something classified on social media. HR can deal with these cases by making sure employees are properly trained and educating them on a regular basis.
The second threat is disaffected employees who have ill will toward the company. Because part of an HR person’s job is understanding employee behavior, HR is the best department to notice early warning signs that an employee could be being disloyal or headed in that direction, experts say.
Meanwhile, the IT department has the technical skills to put certain systems in place — another key ingredient to stopping insider threats. There are systems such as Elastic Search, CloudLock, OneLogin and others that can detect when employees access or download documents they normally don’t and alert HR.
The connection between HR professionals and security professionals needs to be the closest it’s ever been in history, said Pete Metzger, vice chairman at executive search firm DHR International. The chief human resources officer and the chief information security officer, for example, should communicate with each other about important security issues, like securing mobile devices, hiring trustworthy people (more of an HR issue) and implementing good kinds of authentication (more of a technical issue), he added.
“If it’s not an important relationship, it certainly should be,” Metzger said.
Moreover, he added, HR and IT should brief all the company leadership on important security issues, keeping everyone updated on any potential risks.
Once HR and IT team up, they can cooperate to put together an effective cybersecurity training program.
HR should educate employees point-blank on the do’s and don’ts, Metzger said. There are certain things employees should always do, such as calling IT about any suspicious emails.
From an IT perspective, Meyer recommends integrating HR with identity systems. If an employee changes roles or departments, the integrated system will automatically give the employee new access and remove old access. This keeps HR from having to manually take old employees out of systems, and it verifies that employees only have access to files or applications that they actually need.
“In the modern era where employees are using every app on every device,” he added, security “comes from a combination of good IT systems, which protect employees and give them the right guard rails and effective cultural training.”