
How HR is the line of defense for IT Security!

Are your employees continually falling victim to email scams and putting the company at risk?  Does it always seem to be the same offenders/people?  Your IT department can only do so much when a strong line of defense boils down to human behavior and training.  But on-line employee training is typically boring and doesn’t reinforce good behaviors.  Often there is low compliance.

Despite all the tools your IT department can deploy, a business runs on people, and this is the world of HR.  HR provides the source of on-boarding and off-boarding of employees, changes in their roles and responsibilities, employee compliance, training and a critical line of defense for the company’s most valuable assets, its data.  HR is critical in protecting people’s privacy while also protecting the company.

So, what are the best practices an HR leader can use to better collaborate with IT and Executive Leadership to be more effective?   We’ve identified the following leading practices:

Email Scam Protection – IT can deploy anti-phishing software to test employees’ knowledge and compliance, but HR is truly the expert when analyzing the results and recommending the approach to employee training and development that will change employee behavior and make the lesson stick.  Several anti-phishing training tools exist, but without the direct collaboration of HR there is not always the right cultural fit with the organization.  In addition, the approach needs to be intuitive, interactive and focused on modifying the behavior of the repeat offenders.  The approach must also take into consideration the generational factors of the employee population.  This will also help improve compliance and retention.  Quality programs need to provide performance metrics which HR can review to better manage organizational learning and improvement.

Data Theft & Related Risks – Internal theft of data and information is more difficult to control than external theft.  Most theft/crimes occur when an employee experiences either a company-related or a personal negative event in their life.  A strong HR function which is viewed as a true resource for the employees is acutely aware of negative events or issues affecting an employee.  These events raise the risk that the employee leaves the company vulnerable, potentially by causing harm, stealing sensitive data or behaving recklessly.  Examples can include substance abuse, gambling addiction, divorce/separation, seclusion, lack of socialization, etc.  It should be noted that these types of life events don’t make the person “bad”; they are just an indicator of a heightened level of risk to the organization.  An internal risk score or indicator should be established so that IT can more appropriately focus on potential malicious behavior.  This method keeps the reasons behind the score within HR while still protecting the company.  Too often HR protects the privacy of the employee and no indication of risk to the company is made or alerted until it is too late.  This can go beyond just IT risk: it can lead to personal injury or even loss of life in the case of potential active shooter incidents.

Employee Changes with Access/Responsibilities – All too often employees change roles and responsibilities, move departments, or get promoted.   Each time this occurs, HR is typically the first to know.  However, often a person’s rights and permissions are not changed to match the new role.  Just because a person is promoted to a higher position doesn’t mean they should always get expanded access or control.  Because segregation of duties and control are typically managed through system applications and user access, IT administrators and your internal audit function or CFO should be involved in reviewing these changes to make sure system access and control match the rights and responsibilities of the new assignment.  In addition, prior access/functionality may need to be disabled.
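The role-change review described above can be made mechanical rather than ad hoc. The following is an added illustration, not Sagin’s tooling or any product’s API: it takes a constructed HR feed of role changes and a constructed snapshot of what the identity system currently grants, compares each user’s current entitlements with the entitlements the new role justifies, and lists what to revoke, what to grant, and which segregation-of-duties conflicts would exist if the old access were simply left in place. The role matrix, the conflict rules and the user names are all made up for the example.

```python
"""Mover (role-change) access reconciliation: an added example with constructed data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed role model: the entitlements each job role is supposed to carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk":     {"erp.invoice.create", "erp.vendor.view"},
    "ap_manager":   {"erp.invoice.approve", "erp.vendor.view", "erp.reports"},
    "vendor_admin": {"erp.vendor.create", "erp.vendor.view"},
    "hr_analyst":   {"hris.employee.view"},
}

# Constructed segregation-of-duties rules: one person must never hold both.
SOD_CONFLICTS = [
    frozenset({"erp.invoice.create", "erp.invoice.approve"}),
    frozenset({"erp.vendor.create", "erp.invoice.approve"}),
]


@dataclass
class RoleChange:
    """One record from the (hypothetical) HR mover feed."""
    user: str
    old_role: str
    new_role: str


@dataclass
class ReviewItem:
    """What IT / internal audit should act on for one mover."""
    user: str
    revoke: Set[str] = field(default_factory=set)   # held now, not justified by new role
    grant: Set[str] = field(default_factory=set)    # needed by new role, not held yet
    sod_if_not_revoked: List[List[str]] = field(default_factory=list)


def reconcile(change: RoleChange, current: Set[str]) -> ReviewItem:
    """Compare current entitlements against the target role and flag the gap."""
    target = ROLE_ENTITLEMENTS[change.new_role]
    revoke = current - target
    grant = target - current
    # The access the user would accumulate if the old role were never cleaned up:
    if_left_in_place = current | target
    violations = [sorted(pair) for pair in SOD_CONFLICTS if pair <= if_left_in_place]
    return ReviewItem(change.user, revoke, grant, violations)


def review_feed(changes: List[RoleChange],
                snapshot: Dict[str, Set[str]]) -> Dict[str, ReviewItem]:
    """Run reconcile() for every mover in the feed; unknown users are treated as holding nothing."""
    return {c.user: reconcile(c, snapshot.get(c.user, set())) for c in changes}


# Constructed inputs: a mover feed from HR and the identity system's current grants.
HR_FEED = [
    RoleChange("alice", "ap_clerk", "ap_manager"),      # promotion within AP
    RoleChange("bob", "vendor_admin", "hr_analyst"),     # department move
]
IDENTITY_SNAPSHOT = {
    "alice": {"erp.invoice.create", "erp.vendor.view"},
    "bob": {"erp.vendor.create", "erp.vendor.view"},
}

if __name__ == "__main__":
    for user, item in review_feed(HR_FEED, IDENTITY_SNAPSHOT).items():
        print(f"{user}: revoke={sorted(item.revoke)} grant={sorted(item.grant)} "
              f"sod_if_not_revoked={item.sod_if_not_revoked}")
```

For the promotion case the output makes the article’s point concrete: Alice gains approval rights but must lose invoice creation, and if nobody revokes it she would be able to both create and approve invoices, which is exactly the conflict the internal audit function or CFO is there to catch.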

Organization Communications & Message Management – This is sometimes referred to as the “Tone at the Top”, and it is a common element of a strong internal control environment.  However, executive management behaviors or communications can signal to employees a casual control environment or a lack of concern for security.   For example, an organization which does not implement Multi-Factor Authentication (“MFA” – the method of using your phone or email to receive a security code to authenticate who you are) because the executive leadership believes it is too “burdensome” on the employees is setting a “tone” of not prioritizing strong data security.  Hence employees treat data security and information with a relaxed approach to security.  Depending on the size of the organization, HR, either on its own or working with a corporate communications department, should monitor and review all company-level communications and be acutely aware of what underlying messages or implied sense of security employees may read into them.  This goes beyond formal written communications to verbal communications in the form of speeches, meetings or phone conversations, and to physical non-verbal communications such as actions.  Examples can include a senior executive keeping post-its of their passwords or giving others their access credentials, etc.   A company can have a casual, “relaxed” culture, but when it comes to the perception of security and data integrity, HR should be acutely aware of what executives may be signaling to the employee population and speak up.

Employee Access to On-line Applications – Often employees use their work-provided devices for both personal and work-related activities.  However, when the risk is elevated, whether a lack of productivity or potential malicious behavior, on-line access scanning tools can be deployed to see which applications employees are logging into and accessing on-line.  Yes, you can see if an employee is accessing inappropriate websites.  However, what we are referring to is employees using document-sharing software like Dropbox, etc., which can pose a risk to the organization of sensitive data being leaked.  Again, given the sensitive nature of employee personal privacy, HR should lead any of these types of reviews and/or inquiries.  This tool can also be effective in managing IT costs, because all too often companies with a large remote workforce are reimbursing employees or paying for applications that are either redundant or not being used.  We refer to this as “SaaS Sprawl”: the use and abundance of multiple online applications that essentially perform the same function, or something you’re paying for and not using at all.
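The two findings this section describes, unsanctioned file-sharing use and “SaaS Sprawl”, both fall out of the same data: the web proxy or secure web gateway log. The following is an added example, not Sagin’s tooling or any vendor’s product. It parses a handful of constructed proxy log lines, looks each destination up in a constructed catalogue of SaaS hosts (category plus whether the company has sanctioned it), and reports unsanctioned file-sharing destinations per user with the bytes sent, categories where more than one application is in use, and hosts the catalogue does not know. The log format, the catalogue and the user names are all assumptions for the example.

```python
"""SaaS-sprawl and unsanctioned file-sharing report over constructed proxy log lines."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed catalogue: host -> (function category, sanctioned by the company?)
SAAS_CATALOGUE = {
    "www.dropbox.com":     ("file_sharing", False),
    "drive.google.com":    ("file_sharing", True),
    "app.box.com":         ("file_sharing", False),
    "zoom.us":             ("video_meetings", True),
    "teams.microsoft.com": ("video_meetings", True),
    "slack.com":           ("chat", True),
}

# Assumed log layout: timestamp user METHOD url bytes_sent_by_client
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)\S* (?P<bytes_out>\d+)$"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST https://www.dropbox.com/upload 52428800
2024-05-01T09:15:44Z bob GET https://drive.google.com/drive/my-drive 1200
2024-05-01T10:01:10Z carol POST https://app.box.com/api/2.0/files/content 734003200
2024-05-01T10:05:00Z alice GET https://zoom.us/j/12345 800
2024-05-01T10:06:30Z bob GET https://teams.microsoft.com/l/meetup 950
2024-05-01T11:20:00Z dave GET https://www.example-news.test/ 400
2024-05-01T11:21:00Z alice GET https://slack.com/messages 300
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def build_report(log_text: str) -> dict:
    """Summarize SaaS usage: unsanctioned file sharing, redundant apps, unknown hosts."""
    unsanctioned: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    hosts_by_category: Dict[str, set] = defaultdict(set)
    unknown_hosts = set()

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a production tool would count these
        entry = SAAS_CATALOGUE.get(rec["host"])
        if entry is None:
            unknown_hosts.add(rec["host"])  # left for HR-led review, not judged here
            continue
        category, sanctioned = entry
        hosts_by_category[category].add(rec["host"])
        # Data-leak angle: bytes pushed to file-sharing services the company never approved.
        if category == "file_sharing" and not sanctioned:
            unsanctioned[rec["user"]][rec["host"]] += rec["bytes_out"]

    # Cost angle ("SaaS Sprawl"): more than one application doing the same job.
    redundant: Dict[str, List[str]] = {
        cat: sorted(hosts) for cat, hosts in hosts_by_category.items() if len(hosts) > 1
    }
    return {
        "unsanctioned_file_sharing": {u: dict(h) for u, h in unsanctioned.items()},
        "redundant_categories": redundant,
        "unknown_hosts": sorted(unknown_hosts),
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The report deliberately separates the two concerns the article raises: the file-sharing finding is a data-protection issue that warrants an HR-led inquiry, while the redundant-category finding is a cost signal (two meeting tools, three file-sharing tools) that can go to whoever owns software spend, with no need to look at any individual’s browsing.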

No system or process is perfect.   Every breach of security or breakdown of processes stems from human behavior and actions.   Merely relying on IT for data security is not enough in today’s environment.  Collaboration with HR is critical because they are the front-line observers of human behavior and the early indicators of organizational risk.

Sagin is a professional services firm providing Management Consulting and operates 24/7 IT Managed Services domestically with either complete outsourcing or a partial/hybrid model.  We can provide you with a free benchmarking and assessment to see if outsourcing your IT is right for you.  You can contact us at: or +1.312.281.0290
