April is Stress Awareness Month. Let SHRM make your work life easier: Join Now
Shawn Premer shows how doing the right thing for employees leads to positive business results.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Build competencies, establish credibility and advance your career—while earning PDCs—at SHRM Seminars in 12 cities across the U.S. this spring.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Closing the Security Gap
Data protection initiatives should include employee training
Some human resource executives believe that the responsibility for information security rests solely on the shoulders of the information technology department. However, they could not be more wrong.
Employees can play a big part in keeping sensitive information inside the organization and out of the wrong hands. But without the proper education and training, a well-meaning worker can negate the success of your security products. This can put your business at risk and damage the company’s relationships with its partners and customers.
HR professionals should work with the information technology (IT) department to identify weaknesses in security policy, help design an effective training program and implement employee programs that safeguard sensitive data.
An Internet firewall is an essential component of enterprise IT security. A set of programs on a company’s network server protects files, proprietary applications, e-mail communications, etc., from the outside world. Hardware and software firewalls are designed to filter and block unwanted packets of data from entering or leaving the network, thereby protecting corporate data from hackers and other malicious Internet threats.
However, Internet firewalls are often circumvented not by experienced hackers, but by careless employees. Individuals who have not been properly taught how to thwart Internet threats can be responsible for serious security breaches. It is therefore essential that organizations build a human firewall.
The HR department should work with the IT department to design and implement a comprehensive training program that will engage employees and empower them to boost data security and, subsequently, company success.
The need for a human firewall is clear. Most large corporations and government agencies detected computer security breaches during the past year that resulted in financial losses. In an effort to better protect themselves from such losses, many companies have implemented robust, integrated security systems. However, many organizations still fail to manage the security threat posed by their own employees.
To create an effective human firewall, consider these three key components:
The first step in creating a strong human firewall is to perform a comprehensive audit of existing practices and awareness. While this survey may vary for each level of employees, the most important information to gather revolves around these questions:
First, evaluate your end-user environment to determine whether any special circumstances, such as a remote workforce or use of wireless devices, will require extra security. Find out how new employees are trained and if they understand how to operate their computer equipment. Determine if there are any existing security policies and, if so, whether employees understand them. In short, get a handle on exactly which end-user systems are in place, who is operating them and how well trained the operators are.
HR should work with the IT department to develop a questionnaire for employees that includes variations on the following three questions. Keep in mind that having a security policy does not mean that employees follow it, understand it or are even aware of it.
With this data in hand, develop a comprehensive awareness program that will focus on any needs uncovered. This program should include development of appropriate policies regarding computer use that can be easily understood and enforced at all levels of the organization. Work with management to determine an appropriate venue from which to convey the policies and administer training to the employees. Make provisions for recurring training of both new and established workers.
This training should not only outline the company’s security policies, but, also, it should educate employees about simple things they can do to protect company data, such as handling e-mail attachments and creating and storing passwords. Workers who telecommute or travel frequently should understand how to secure their laptop or PDA.
Consider covering topics such as phone fraud, web browsing, e-mail spam, instant messaging and anti-virus updates. Each of these activities can expose a company to unnecessary risk if employees are not properly trained. HR should work with the IT department to uncover key challenges in each area, as well as to develop easy-to-understand security procedures for employees.
Remember that successful awareness programs are much like marketing campaigns: little bits of information distributed often. To accomplish this, use multiple methods of communication. In addition to regular formal training sessions, distribute posters, flyers and e-mail reminders to keep the training fresh. This not only helps the employees remember what they’ve heard, but it also demonstrates that the company’s security policies are long-term commitments.
Everyone in the organization should receive the training, not just new employees or other select groups.
As with all business practices, once the training is complete, follow up with surveys to determine the campaign’s effectiveness. Finally, adapt procedures as security practices evolve. When new technology comes online, be there with security policies at the outset to avoid confusion among staff.
In addition to generic end-user training, develop specialized security training for specific groups in the organization. These groups may include the physical and information security staff, remote workers, or other employees with specific IT responsibilities. The IT department can assist HR in identifying these groups. Again, you can start out with a survey to determine the level of awareness and any existing policies—both formal and informal.
To perform this audit, adapt the three key questions to each specialized group:
Once specialized groups have been identified and surveyed, implement a training program that meets each group’s needs.
Again, measure the success of the program and follow up with additional training and reminders. Make sure that the IT department updates HR on a regular basis about new technology and security initiatives. As new technology is added, introduce it to employees with security best practices and make sure each member of the group understands how to use it. Ensure that the IT team is keeping current on best practices and product patches or updates and that this information is trickling down, as necessary, to HR and all employees.
Few security programs are successful without complete management support. Not only are managers end-users (with access to sensitive information), but they are also leaders who can be invaluable to the success of any security initiative.
Hard facts that link information security with the company’s bottom line will help management understand the importance of security policies and effective training programs, so be prepared to present a business case to management for improving the organization’s security. This will help managers become devoted advocates who insist on maintaining and enforcing security policies.
Audit management awareness of security issues by asking these key questions:
Managers should be given extra training as well as extra responsibility for security. This helps them become advocates of security programs instead of merely end-users. They serve as examples for the rest of the company; if they do not take security practices seriously, no one will. Managers should be required to maintain policies and to provide recurring training within their respective departments. This not only spreads out the workload, but it also creates a pool of devoted managers to ensure the long-term viability of an information security program.
Information security is a rapidly evolving field that must adapt to new threats quickly. While hardware and software firewalls should be maintained frequently, regular attention to the “human firewall” is just as important, if not more so. Recurring evaluation and maintenance of employee awareness, specialized training and management awareness are all required components of a successful security program.
An information security program that properly accounts for the strengths and weaknesses of employees is essential to securing a company’s data. Information security is best achieved when cutting-edge technology is combined with a highly trained and motivated workforce that understands the basic practices that will keep an organization’s data secure. Empowering employees to serve as a human firewall may be the best way to protect internal resources that have a major impact on the success of the company, its partners and its customers.
Kathleen Coe is director, Americas Education Services, for Symantec Corp. of Cupertino, Calif.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Please sign in as a SHRM member before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Choose from dozens of free webcasts on the most timely HR topics.
SHRM’s HR Vendor Directory contains over 3,200 companies