Cybersecurity is a significant concern for businesses, and it is only going to get bigger.
In 2016, many companies of all sizes were affected by cyberattacks from outsiders.
But some cybersecurity breaches are inside jobs. Sometimes they are deliberate. Other times, the breach is due to human error. Either way, these attacks can have disastrous effects.
The National Cyber Security Alliance, a Washington, D.C.-based think tank, reports that a data breach can shutter a small business. A survey by Russian cybersecurity company Kaspersky Lab, 2016 Corporate IT Security Risks, found that the damage from a single attack may cost small and medium businesses up to $99,000.
The practice of cybersecurity carries with it legal and reputational implications. So the question becomes: Who owns these responsibilities?
However, I bristle at the notion that a single function "owns" an issue because then employees in other functions may believe by negative implication that they do not need to do anything. In this case, while IT plays a central role, ownership of cybersecurity must go beyond IT and include HR, among other departments.
Let's divide HR's role into five categories.
HR as the Problem.
Sometimes in HR we feel like we are the policy or procedure police. Well, sometimes we are the culprit, too. As you well know, HR has access to highly sensitive information, including employees' Social Security numbers and some medical information. HR needs to evaluate whether the background check procedure for those seeking positions in the HR department is robust enough. In some organizations, criminal record and credit checks are done for some employees in finance and IT but not for employees in HR. HR needs to consider this gap.
HR may want to consider including in the employee handbook or other policies a summary, developed with IT, of do's and don'ts relative to cybersecurity. This is not in lieu of but in addition to mandatory employee training. Here is but one example: Employees must report immediately the loss of any device, including a mobile phone, that contains their employer's confidential information. Immediate reporting and rapid wiping can mitigate the risk materially. [SHRM members-only HR Q&A: Can an employer remotely wipe/brick an employee's personal cell phone?]
HR and Employee Training.
As noted, employee training is essential. IT can develop the training program, but HR plays a key role, too. For example, HR can listen to the proposed program and make sure it works for the intended audience. Simply telling employees not to fall for phishing schemes is meaningless unless you define phishing and give concrete examples.
HR and a Rapid Response Plan.
In the event there is evidence that someone is appropriating confidential information, HR needs to be prepared to work with IT in questioning the employee and taking corrective action as appropriate. These are not IT investigations alone. IT should not be expected to have the expertise necessary to handle employee rights issues in the context of these investigations.
HR and a Business Continuity Plan.
If there is a cyberattack or an internal breach, whether deliberate or the result of carelessness, the company is going to need to move quickly in response. How will the organization work if its systems are shut down? When must employees be paid if they cannot work? Legally, what notification requirements exist if certain employee information (or that of patients or customers) has been exposed? As with any other crisis, whether it be a weather disaster, an incident of violence or a pandemic, the role of HR in the business continuity plan cannot be overstated.
This article should not be construed as legal advice or as pertaining to specific factual situations.
Jonathan A. Segal is a partner at Duane Morris in Philadelphia and New York City. Follow him on Twitter @Jonathan_HR_Law.