There is no bigger thing that companies need to get right today than data security.
Data security, privacy and compliance has always been, and will continue to be, a critical factor for HR, but it is increasingly difficult to get it right given the changing pace of business.
Companies are increasingly hiring contractors and people are working remotely. Employees are using multiple mobile devices and on average 20 software applications at work. Personal and company devices are used interchangeably meaning that employees’ and proprietary business data are mixing.
Coupled with security challenges, there are countless in-country laws and company policies that must be adhered to relating to data security. The General Data Protection Regulation (GDPR), coming into force in May 2018 is just one of the examples of compliance rules that will significantly impact organizations. The penalties for non-compliance can be severe (up to 4% of your annual global turnover or €20 million, whichever is greater) and it’s critical that HR and People teams do everything they can to ensure their people data is secure.
Apart from the rules, its also the moral obligation of companies and their HR and People teams to protect the integrity of people’s personal data as well as sensitive business information. People need to trust their employers. If trust does not exist, then companies will ultimately struggle to recruit, engage and motivate staff.
However, the issue of security goes beyond systems. More often than not, security breaches are a result of human error or worse, malicious insider behaviour. A recent report found that 63% of confirmed data breaches happen because of the use of weak, default or stolen passwords. Other common mistakes are sending sensitive information to the wrong person, not disposing of company information correctly, misconfiguration of IT systems, and lost and stolen laptops and mobile devices.
So how do you train your employees to be more careful? Well that’s the job of HR and People teams, with the full support of the senior management. Training should start at the top. If you’ve trained your entire workforce to be careful with data but fail to train the CEO who inadvertently works off an unsecure device, then your training is worthless.
Perform a risk assessment for your people data
Make sure to complete a risk assessment. Knowing exactly where your weaknesses are, and which assets are most valuable to you. This is an essential step towards enhancing cyber security. That way you can provide tailored cyber training to people depending on their roles and access to information. Also limit how much access individuals have to data depending on the nature of their job.
Provide data security training for both your HR team, and your workforce
Provide training to educate employees about their roles in keeping data safe. They need to know what the security protocols are, how to develop and use strong passwords and what to do if they suspect trouble or have misplaced a device that they also use for work.
Begin by incorporating data security training into your on-boarding and staffing processes. Keep yourselves and your employees informed and up-to-date about changes in technology and the latest cyber scams. With all of the personal information they handle every day, it’s imperative that human resources employees and team members are on top of data security.
It’s one thing to provide training on the perils of data security breaches, or lapses in company data safety; it’s quite another to ensure that employees will actively be accountable for any malpractice or reckless behavior they notice. Make sure they have the instructions they need for “next steps.” Develop a reporting system, perhaps an internal communication stream where employees can share information, or report any concerns or suspicious behavior.
Many people bypass security measures in order to save time and many miss training because they are too busy. It is the job of HR and People teams to persuade individuals of the severity of the issue. Communicating with staff personally will go a long way to getting them on board with data security.
During the on-boarding process HR and People teams should clarify any disciplinary actions for employees that fail to comply with company policies around cyber security. These penalties should include termination of employment, and restrictions on claiming compensation and benefits following a breach of their security obligations to the company. Where appropriate, provide for claw-backs of compensation and benefits previously paid.
Just as on-boarding is a critical process for ensuring cyber security compliance; employers need to develop policies and procedures for off-boarding that aim to minimize the risk of data leakage.
HR and People teams hold the key to employee’s personal data, financial data, client data and the company’s intellectual property. However, 60% of Chief Human Resource Officers, Chief Financial Officers and Chief Marketing Officers feel the least engaged in cyber security threat management activities, even though they are the stewards of the most valuable data in the company.
HR leaders are faced with unique security challenges. While they are responsible for keeping confidential information about candidates, employees and clients, a big part of their job is circulating policies and inter-office communications to everyone. In addition, human resources departments are responsible for sharing employee’s information with external providers and agencies that include medical institutions, banks and the government. Managing who can see what is a daunting task and protecting against any possible threats requires a strategy flexible enough to destroy files automatically, if necessary, while also enabling secure sharing.
Security risks are intensifying as the nature of business changes to embrace flexible working and new technologies. Companies cannot risk being reactive only. They have to be proactive about data security.
HR and People teams must work with IT, Marketing and senior stakeholders to identify and set-up a HR and People system to minimize the risks. People are fallible, and mistakes will happen. But setting up policies and practices to reduce their frequency and their gravity is imperative.
Find out more about using data and analytics to increase workforce visibility. Download our infographic on People Science today.