A Q&A with cyber-risk management expert Jay Shelton
Business functions increasingly rely on HR information systems and the Internet, heightening cyber-risks that can severely disrupt a company’s business, impact its reputation, and compromise sensitive customer data and intellectual property.
And according to the Ponemon Institute’s 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million.
Risk management expert Jay Shelton, senior vice president of risk management services at insurance brokerage Assurance, headquartered in Schaumburg, Ill., spoke with SHRM Online about cybersecurity best practices, the importance of conducting a risk assessment and the elements of an effective incident response.
SHRM Online: What are some key cybersecurity best practices?
Shelton: Data privacy and security practices vary from industry to industry and from state to state, but certain best practices apply to all organizations. Assign one person to be responsible for data security with enough authority to get things done. Conduct a risk assessment to identify areas of vulnerability and improve your network security. Implement policies and procedures that limit access to sensitive data and record storage.
Consistent enforcement is the key to compliance. Review and improve your vendor contracts to make sure your service providers who have access to your confidential and personal information are required to protect your information, specifically if you’re using cloud-based storage. Implement a continuous employee awareness, education and training program on your data security policies and procedures. Prepare for a data breach by having an incident response plan reviewed and tested frequently to ensure the plan can be executed effectively and in a timely manner. Have cyber and privacy liability insurance coverage with appropriate limits of liability, so in the event of a data breach, you have a financial backstop to cover the losses that may occur as a result.
SHRM Online: What goes into an effective incident response plan?
Shelton: A comprehensive incident response plan should outline the steps to take if a data breach is suspected or occurs. A living document, which should be continuously updated as the business changes, must outline who and how the company will respond to a breach. The plan should be clear, succinct and organized, while containing the appropriate details for response. Every plan needs the roles and responsibilities of the incident response team outlined. This should include both internal and external team members, as well as their detailed contact information, along with their notification level. The various trigger notifications—of a response team, insurance carrier, law enforcement, outside forensic investigation, crisis and media management—need to be understood. Detailed response procedures should also address timing, affected individuals and government notification. They should address issuing a press release, internal communications, what’s posted on the website, and accompanying remedies such as credit monitoring and identity theft resolution. Mitigation and remediation measures should cover investigation outcomes to correct vulnerabilities, harden the system from further breaches, and review and improve the incident response.
SHRM Online: How can companies determine susceptibility to cyber-risk?
Shelton: Companies should start by understanding the type of information being collected and where it’s stored. The audit or risk assessment should focus on three key areas: administrative safeguards, physical safeguards and technical safeguards.
Administrative safeguards include assessing policies and procedures regarding limiting access to confidential, personal information for customers, employees or others so that the only employees who have access to this information are those who need it to perform their job duties. Also ensure vendors have appropriate safeguards in place to protect the data you send them.
Some key administrative policies should be a “clean-desk policy” that requires employees to properly secure records containing confidential, personal information and then conduct periodic audits to ensure the policy is followed, as well as a record retention policy that would help ensure your organization does not keep records for longer than necessary. Also, an acceptable-use policy should be in place outlining how your employees should use information.
Physical safeguards could include storing paper records containing confidential, personal information in locked file cabinets; shredding records that contain confidential, personal information; and storing servers, laptops, flash drives or other sensitive equipment in secure, locked areas.
Technical safeguards can include encrypting laptops, flash drives and data stored on servers. You should update system software regularly, particularly when a specific virus or malware breach is discovered and when installing and updating firewalls, antivirus software and anti-spyware software to ensure the most up-to-date protection is being used.
SHRM Online: What’s the threshold of risk for notifying the company’s leadership?
Shelton: Companies experience multiple network breaches daily without incident due to good network security practices. So should leadership be notified every time a network breach occurs? There’s not a standardized threshold in which company leadership should be notified of a cyberincident. It really depends on the size and scope of the breach whether there is an obligation to notify government agencies, affected individuals or the public. Since every company is different in their risk exposure, breach notification protocols should be established and outlined in the company’s incident response plan.
Roy Maurer is an online editor/manager for SHRM.
Follow him @SHRMRoy