THE NEEDED AND IMPORTANT ROLE OF HUMAN RESOURCES AND HR TECHNOLOGY IN INSTILLING WORKFORCE CYBER AWARENESS: IT’S NOT JUST AN “IT” ISSUE!

I partnered with a colleague of mine, Bob Schiff, to create a new entity within my existing consultancy – Miller+Schiff. We will offer initial education, followed by requirements and policy development, to educate HR professionals and employees about cyber threats and about what Human Resources execs and staff can develop (with IT) to help reduce the threat level of future attacks that might be initiated or facilitated by workforce behaviors and poor HR data security.

Let me blog a bit (within Marc S Miller Associates) about what inspired Bob and me to create this new initiative. Clearly cybersecurity is on the world’s stage, especially here in America. Made more visible to the general public through the concerns over the hacking of the Democratic National Committee and Russia’s alleged influence over our presidential election, the threat of cyber attacks has gotten great publicity. Even before our election, the hacking of records maintained by TARGET, BEST BUY and YAHOO, with almost 1.5 billion records stolen (to name just a few), created great concern and interest.

However, a bit less publicity has been given to the threats and executed attacks within any corporation (of any size) stemming from its own employees – or from former employees. It has often been stated that the greatest point of vulnerability for an organization’s data files is the behavior and lack of mindfulness of the employees themselves. A recent VERIZON data breach investigations report (2015) stated “an organization’s greatest vulnerability remains its own workforce”. According to the Council on Cyber Security (within the Department of Homeland Security), HR must play a critical role.
Their report (2015) states that “HR has always had an important role in managing RISKs – from natural disasters to layoff, lawsuits, and workplace violence – and cyber risk is no different – HR has an important role to play.”

Employees and others working for or within any organization, including consultants and contractors, can now work from almost anywhere, bring their own devices (BYOD), use cloud-based applications and access work files on their mobile devices. The result? A profound increase in threats to cybersecurity. A major way of mitigating these threats rests with the mindset of the employee population. Among other reasons, this is one situation where HR is best positioned to take a needed role. The HR department has the organizational role and skills necessary and, with effective HR systems, can mitigate at least some of the known causes of any “insider” cyber attack.

One known cause of an “insider” attack is a well-intentioned employee who makes a mistake, such as using a personal email account rather than a work email account, or accidentally sharing something classified on social media. HR can deal with these cases by making sure employees are properly trained and by educating them on a regular basis. Effective HR technology already provides security based on roles and, at the employee level, controls the rights to see, report on, and disseminate data.

Another known cause is strongly linked to disaffected employees who have ill will toward the company. Because HR is typically tasked with implementing programs dealing with the workforce’s health and well-being (in effect, tasked with understanding employee behavior), HR is the best department to notice early warning signs that an employee may be disloyal or headed in that direction, experts say. Oftentimes the “insider” is a disgruntled current or former employee. HR is in the best position to possibly predict or anticipate such behavior through the use of its current HRMS.

Breaking into a network takes minutes.
However, finding and safely extracting what they want may take criminals months or even years of research and planning. To shorten this process, cyber criminals are getting help from insiders (whether knowing or manipulated) in more than half of all advanced attacks. Attackers use social media to identify a useful target and to create a relationship with them. They target people with a predisposition to break security controls, such as those with strong views who do not react well to authority. They look for a trigger event which will break the employee’s psychological contract with their employer, such as a demotion, change in role, redundancy or dismissal. Employees who take action against their employer are most likely to do so within 30 days of such an event. This gives the HR team a chance to intervene, including taking steps to increase monitoring and deter them.

Managing an employee’s exit from a company is facilitated by an effective HRMS, which can provide workflow, email triggers and alerts to all appropriate departments. Passwords and email accounts must be disabled in...