Studies reveal senior managers account for greatest information security risks
Experts say HR should be particularly mindful about security breaches because, as two new studies reveal, senior managers and executives remain the worst information security offenders.
According to a recent report from global investigations, intelligence and risk services company Stroz Friedberg, 87 percent of senior managers regularly upload work files to a personal e-mail or cloud account, and 58 percent of them have accidentally sent sensitive information to the wrong person, compared to 25 percent of workers overall. What’s more, 51 percent of senior managers have taken job-related e-mails, files and other material with them after leaving an employer—twice as many as those in lower-ranking positions.
In addition, ComputerWeekly.com’s 2013 Information Security Breaches Survey found that while 81 percent of respondents said that their senior management place a high or very high priority on security, many business leaders have been unable to establish effective security defenses.
So how can HR professionals convey the importance of IT security to their most senior-level employees without ruffling feathers?
“Flattery is a proven method of getting what you want out of executives,” said Jeremy Ames, president of Gaucho Group, an HR technology consultancy based in Massachusetts, and a member of the Society for Human Resource Management’s (SHRM) Technology and HR Management Special Expertise Panel.
“The message that the HR team can deliver to executives is to remind them that they are going to be the primary targets of attacks, and, as such, they need to be even more diligent than everyone else,” said Ames.
The trick then is to include senior management in the development of the solution. “One unique approach to tackling this challenge and, at the same time, accomplishing engagement of executives, is to get them to define what the company’s intellectual property actually is,” he said.
For example, he said, companies should remember that securing their intellectual property doesn’t begin with the end product, but with the unique ideas, concepts and blueprints derived by their workforce along the way. Ames compared it to “a chef at a restaurant talking about a potential new recipe a month before it ends up on the menu.”
There are signs that business leaders are cognizant of the need to beef up information security measures. The Stroz Friedberg report revealed that 45 percent of senior management respondents said that they themselves are responsible for protecting companies against cyberattacks, yet 52 percent give corporate America’s response to cyber threats a grade of “C” or lower, an “encouraging statistic,” said Executive Chairman Ed Stroz.
“I’m more worried about people thinking that they’re stronger and better protected than they are, because that could mean that they underestimate the damage that can be done,” he cautioned. “If you walk around thinking you’re an ‘A’ or a ‘B,’ yet you’re really not, I think you’re more likely to get blind-sided than if you’re saying, ‘we’re probably a “C,” “D” or “F” and, as a result, bad things can happen.’ I’d rather have people in that mind frame, if it were accurate, than having people being delusional, thinking that they’re better prepared than they are.”
Smartphones have blurred the lines between personal and professional time. They’ve also hindered security. Damon Lovett, a senior human capital management consultant with Knowledge Source, notes, “Staff at all levels are going to use their devices for work as well as personal consumption of information. Corporate demand for deeper insight into the business (i.e., more people and data), cheaper storage and intuitive user experience makes next-generation cloud solutions and mobile applications a must.”
Unfortunately, security isn’t as much of a concern—until something bad happens.
According to ComputerWeekly.com, 12 percent of the worst security breaches were caused partially by senior management giving insufficient priority to security.
To combat this, “HR must create a strong partnership with the chief information officer to implement and enforce policies and strong infrastructure/framework to safeguard business information and control chaos,” said Lovett, a board member of the International Association for Human Resources Information Management (IHRIM).
Once the policies are in place, then the CEO and other senior leaders take the lead.
“Get them talking about the importance of information security,” Lovett said. “Make it personal to staff and explain how the safeguards put in place at the company could be used to keep personal information secure as well.”
Ames suggests HR ask executives to consider the following:
“What kinds of information can be shared via e-mail and on what devices? Is a personal Google Drive account an acceptable location to store company documents?” he said. That discussion could lead to “some practical guidelines for protecting intellectual property and things that can be communicated to the rest of the company. The information will allow the people that should be most incented to protect the intellectual property—the executives—to lead by example.”
Stroz pointed to the use of hand sanitizer in the workplace, the direct result of cultural reinforcement over the past decade, as an example of the importance of good hygiene in progressive health maintenance.
“You have to do the same thing with information security,” he advises, noting that periodic training that’s both logical and emotional will “move a company from a compliance mentality to embracing security as extraordinarily important to the firm.”
Leonard Webb is a freelance writer in Wyncote, Pa.