Could We Have Seen This Coming? – The Importance of HR to Cybersecurity

Today’s blog is written by my partner, Louise Ann Fernandez, Chairperson of JMBM’s Labor & Employment Group. Louise Ann helps companies put hiring and employment policies in place — and develops training programs — that help to protect the business against cyber threats. — Michael A. Gold

Could We Have Seen This Coming?
The Importance of HR to Cybersecurity

Louise Ann Fernandez, Chair, JMBM’s Labor & Employment Law Group

After a cybersecurity breach, second-guessing can often turn into a blood sport. The business blames Human Resources, and the HR department is quick to say that it was not given enough information, or blames IT. This kind of tension is far too common and unproductive. Communication and creativity on all sides are essential to identifying and preventing cybersecurity threats. This article discusses some simple proactive steps that you can take now to help you recognize potential issues before it’s too late.

IT Hiring

Your IT department is both your first line of defense and your greatest vulnerability. Do you really know who is working there? We will cover hiring in general and its role in preventing cybersecurity attacks in another blog, but problems often come from bad hiring choices in the IT department. Because there is a shortage of qualified IT personnel and immediate needs must be met, warning signs are often overlooked. Both HR and IT must be trained to carefully analyze the credentials of all IT applicants. Look for gaps in employment history, too much job hopping, and things that seem inconsistent, such as career changes or abnormal job progression. Most importantly, do careful reference checks. Do not rely on the headhunter to provide references or to do reference checks: they have a conflict of interest and will not be as careful as you would like. References can easily be faked. For example, don’t accept just cell phone numbers; the applicant could be giving you their brother’s number. Ask applicants to provide work numbers for all references, and call the human resources department of each prior employer to confirm dates of employment.

Although there are more and more restrictions on background and criminal checks, they can still be done if you follow the rules. Make sure you do them. Also, do a careful social media check to see what the applicant’s online presence looks like. Key warning signs are signs of second jobs that conflict with your business, angry posts, alternate identities such as “stage names,” peculiar political affiliations, and overactive Twitter or Instagram accounts. Make sure you know all of their email addresses.

Policies

Make sure that your policies are up to date and give the company full access to all work accounts and devices. Don’t give employees carte blanche to use multiple devices; this only increases the risk. If you require employees to use a cell phone, consider providing the phone and making sure it is used only for business. The expense will pale in comparison to the cost and fallout from a major breach. It also needs to be made clear that you have the right to monitor and screen all content. Make sure that all of your remote use policies are up to date and consistent with your other policies. If you haven’t updated your policy within the last year, you need to do so.

Put Up Roadblocks

Make sure that you have proper monitoring tools in place to track employee activity. There are systems that can be installed which detect when employees access or download documents that they normally don’t and alert the company. You should also do spot checks to see whether employees are emailing documents to their personal email addresses; this is a key warning sign. No matter how many safeguards you have in place, they do no good unless someone is actually responsible for monitoring them and alerting HR. Often the steps can be as simple as making sure that each employee’s access is appropriate for that employee’s job, and that access is monitored and updated when employees move into different roles.
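As an added illustration of the three checks this section describes (access to documents outside an employee’s normal pattern, attachments sent to personal email addresses, and access that no longer matches the employee’s role), here is a small Python script that is not part of the original post and not a product the firm uses. The log records, user names, folders and personal-webmail domains are all constructed for the example; a real deployment would read them from file-server, DLP or mail-gateway logs.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real data): a prior "normal" window and today's activity.
BASELINE = [
    {"user": "alice", "action": "open", "path": "/finance/q1.xlsx"},
    {"user": "alice", "action": "open", "path": "/finance/q2.xlsx"},
    {"user": "bob", "action": "open", "path": "/eng/design.md"},
]
TODAY = [
    {"user": "alice", "action": "download", "path": "/finance/q3.xlsx"},
    {"user": "alice", "action": "download", "path": "/hr/salaries.xlsx"},
    {"user": "bob", "action": "email", "to": "bob.smith@gmail.com", "attachment": "/eng/design.md"},
    {"user": "bob", "action": "email", "to": "client@partner.example", "attachment": "/eng/proposal.pdf"},
]
# Assumed list of consumer webmail domains treated as "personal" addresses.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def folder(path):
    """Top-level folder of a document path, used as the unit of 'normal' access."""
    return path.rsplit("/", 1)[0]

def build_baseline(events):
    """Per-user set of folders seen during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] in ("open", "download"):
            seen[e["user"]].add(folder(e["path"]))
    return seen

def find_alerts(baseline, events, download_limit=1):
    """Flag first-time folder access, attachments to personal mail, and download bursts."""
    alerts, downloads = [], Counter()
    for e in events:
        user = e["user"]
        if e["action"] in ("open", "download"):
            if folder(e["path"]) not in baseline.get(user, set()):
                alerts.append((user, "new-folder", e["path"]))
            if e["action"] == "download":
                downloads[user] += 1
        elif e["action"] == "email":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS and e.get("attachment"):
                alerts.append((user, "personal-email-attachment", e["to"]))
    for user, n in downloads.items():
        if n > download_limit:
            alerts.append((user, "download-volume", str(n)))
    return alerts

def out_of_role(user_roles, role_folders, events):
    """Accesses outside the folders the employee's current role allows; rerun after role changes."""
    return [(e["user"], e["path"]) for e in events
            if e["action"] in ("open", "download")
            and folder(e["path"]) not in role_folders[user_roles[e["user"]]]]
```

The alerts are only useful if, as the section says, a named person reviews them and passes them to HR; the script produces the list, it does not decide what the access means.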

Training

All employees need effective cybersecurity training. First, they need to understand the do’s and don’ts. Second, they need to know what to look for. Third, all employees, and especially supervisors, need to understand their obligation to report any unusual activity or behavior and feel comfortable doing so. Supervisors need to be especially vigilant about changes in employee behavior and personal problems or issues. Troubled employees are at far greater risk of making mistakes or engaging in malicious or damaging activity.

Communication

IT, HR, and your legal department or outside counsel need to be partners in combating cybersecurity threats. This can happen only if they communicate and work closely together. They need to be jointly responsible for creating and instituting training programs and for briefing leadership on security issues and potential risks on a regular basis. This can’t be a one-time initiative — it needs to be a regular and routine part of your cybersecurity program.

Louise Ann Fernandez, whose practice has spanned more than 25 years, is chairperson of JMBM’s Labor & Employment Law Group. She advises employers in all aspects of labor and employment relations, and represents them in litigation. She helps companies put hiring and employment policies in place – and develops training programs – that help to protect the business against cyber threats, and is experienced in representing corporations, boards of directors and executives in internal investigations. Contact Louise Ann at LFernandez@jmbm.com or 310.201.3522.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.