Train employees on proper data security protocols, experts say
He couldn't format a spreadsheet.
So he sent it to his spouse for help, ultimately causing a breach that could have exposed the personal data of 36,000 Boeing employees in four states, according to a report by The Associated Press (AP).
This is a good reminder of why HR needs to ensure employees are trained on proper data security measures.
The Boeing employee told investigators that he didn't know the spreadsheet contained sensitive data. AP reported that names, ID numbers and accounting codes were in visible columns "and birth dates and Social Security numbers [were] in hidden columns." This may be why he wasn't aware he was sharing confidential material.
Chicago-based Boeing, a multinational company that designs, manufactures and sells rockets, satellites, airplanes and rotorcraft, sent a letter to Washington State Attorney General Bob Ferguson in February notifying him of the breach. Nearly 8,000 Boeing employees in Washington had their data exposed. It wasn't immediately clear if Boeing notified attorneys general in the other three states or which states those employees worked in.
The breach occurred in November 2016, but Boeing only became aware of it in January. It then notified employees by letter and offered them free credit-monitoring services. The company reportedly said it destroyed copies of the spreadsheet and it doesn't think any of the information was misused.
Employee error is to blame for most data security breaches, according to a study by U.K.-based information security company Egress Software Technologies. "Human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking," study authors wrote.
Why HR Should Mandate Security Training
According to the Association of Corporate Counsel (ACC) Foundation, fewer than half of in-house counsel (45 percent) said their organizations require employees to take training on how to prevent cybersecurity breaches.
"HR has a tremendous opportunity" to educate employees about good cybersecurity habits, said Amar Sarwal, vice president and chief legal strategist for the ACC, in an interview with SHRM Online in January 2016.
"HR can be right at the center of this," Sarwal said.
In addition, HR can train employees to turn to their IT departments for help with technology issues—instead of turning to a third party (like their spouse).
"Readable and effective policies can be used in conjunction with effective employee training to reduce data security incidents caused by human error," SHRM Online reported in June 2016.
Training employees about security policies only yearly, or only when they're new on the job, isn't enough, said Stu Sjouwerman, CEO of Clearwater, Fla.-based KnowBe4, which makes security awareness training and simulated phishing platforms.
"To be most effective, use anti-phishing tools to frequently test employees on a variety of … subjects, then follow up with remedial training for anyone who fails," he said.
Sjouwerman also recommended that employers: