Cybersecurity is a significant concern for businesses, and it is only going to get bigger.
In 2016, many companies of all sizes were affected by cyberattacks from outsiders.
But some cybersecurity breaches are inside jobs. Sometimes they are deliberate. Other times, the breach is due to human error. Either way, these attacks can have disastrous effects.
The National Cyber Security Alliance, a Washington, D.C.-based think tank, reports that a data breach can shutter a small business. And Kaspersky Lab's 2016 Corporate IT Security Risks survey found that the damage from a single attack may cost small and medium businesses up to $99,000.
The practice of cybersecurity carries with it legal and reputational implications. So the question becomes: Who owns these responsibilities?
I bristle at the notion that a single function "owns" an issue, because employees in other functions may then conclude, by negative implication, that they need do nothing. In this case, while IT plays a central role, ownership of cybersecurity must extend beyond IT to include HR, among other departments.
Let's divide HR's role into five categories.
HR as the Problem.
Sometimes in HR we feel like we are the policy or procedure police. Well, sometimes we are the culprit, too. As you well know, HR has access to highly sensitive information, including employees' Social Security numbers and some medical information. HR needs to evaluate whether the background check procedure for those seeking positions in the HR department is robust enough. In some organizations, criminal record and credit checks are done for some employees in finance and IT but not for employees in HR. HR needs to consider this gap.
HR may want to consider including in the employee handbook or other policies a summary, developed with IT, of do's and don'ts relative to cybersecurity. This is not in lieu of but in addition to mandatory employee training. Here is but one example: Employees must report immediately the loss of any device, including a mobile phone, that contains their employer's confidential information. Immediate reporting and rapid wiping can mitigate the risk materially.
HR and Employee Training.
As noted, employee training is essential. IT can develop the training program, but HR plays a key role, too. For example, HR can listen to the proposed program and make sure it works for the intended audience. Simply telling employees not to fall for phishing schemes is meaningless unless you define phishing and give concrete examples.
HR and a Rapid Response Plan.
In the event there is evidence that someone is appropriating confidential information, HR needs to be prepared to work with IT in questioning the employee and taking corrective action as appropriate. These are not IT investigations alone. IT should not be expected to have the expertise necessary to handle employee rights issues in the context of these investigations.
HR and a Business Continuity Plan.
If there is a cyberattack or an internal breach, whether deliberate or the result of carelessness, the company will need to move quickly in response. How will the organization work if its systems are shut down? When must employees be paid if they cannot work? Legally, what notification requirements apply if certain employee information (or that of patients or customers) has been exposed? As with any other crisis, whether a weather disaster, an incident of violence or a pandemic, the role of HR in the business continuity plan cannot be overstated.
This article should not be construed as legal advice or as pertaining to specific factual situations.
Jonathan A. Segal is a partner at Duane Morris in Philadelphia and New York City. Follow him on Twitter @Jonathan_HR_Law.