According to the 2022 Official Cybercrime Report published by eSentire, the estimated global annual cost of cybercrime is predicted to hit US $8 trillion this year. Worse still, cybercrime damage costs will rise to US $10.5 trillion by 2025. As a result, cybersecurity is no longer a nice-to-have but is critical to the success of organizations across industries. Whether you are a small business, a medium-sized company or a large enterprise, everyone is vulnerable to cyberattacks at some point, and cybersecurity should not be treated as just an information technology problem.
In this April 2023 newsletter, we look at the operational role of the Human Resources Department and examine organizational best practices across every stage of employment: from screening candidates and onboarding an employee through to offboarding a team member.
Better Hiring Strategies
New hires bring fresh ideas and unique skills that benefit a company. Nevertheless, proper employee screening and assessment is paramount to safeguarding your organization’s security. Before hiring, the first step is to define the skill set required by the organization. After the job posting and selection process, once the ideal candidate is chosen, it is essential to conduct reference checks and criminal background screening before granting that person access to sensitive data. There are many background screening service providers, and selecting a reputable one is crucial for the safety of your company.
You also need to think about where your employees worked before joining your organization. For instance, if they are recent immigrants to Canada or the United States, and their work history or life history took place in another country, a background screening carried out only in Canada will not necessarily reveal their full history. There are specialized background screening service providers that can run background checks in many countries across the world. Before starting the background check, most of these providers require the candidate to complete and sign a background screening consent form.
Reference checks not only help confirm the employee’s background but also provide insight into their strengths and weaknesses for future development opportunities. Therefore, reference checks and criminal background screening are important components of the selection process. We will often find ourselves in a rush to hire new personnel and be tempted to skip certain requirements, but we need to think about the long-term impact, which is why it is sound practice to carry out all due diligence. Even though such screenings may seem like additional hurdles, most candidates will understand and respect the selection process. If they do not, that is probably a good warning sign. Once you have made a hiring decision, if you do not have a standard employment contract, consult a lawyer to draft an employment agreement. For cybersecurity purposes, the employment contract should include a nondisclosure agreement to protect confidential data, an intellectual property clause to ensure that the work done by the employee is owned by the organization, and a compliance clause specifying that the employee must comply with your company policies.
Interweaving Cybersecurity into Onboarding Process
Now that both parties have agreed on the legal terms and conditions of employment, it is important to ensure that your established policies and contractual obligations are not only accepted but also adhered to. After the newly selected employee has read and understood your company policies, that person must sign all related documents. This includes not only Human Resources policies but also IT and cybersecurity policies.
That way, if an employee later complains that you need to install endpoint security on their device or make sure that their device is encrypted, you can refer them back to those policies. We all have a responsibility to safeguard our customer data, but in a teleworking (remote work) environment where people often use BYOD (Bring Your Own Device), it is vitally important that we document these requirements clearly and transparently, so that our employees know what they are allowing in and out of the company, and that these policies and guidelines are easy for them to apply.
Implementing and Maintaining a Cybersecurity Culture
According to the 2022 Data Breach Investigations Report published by Verizon, 82% of data breaches involved a human element. Cyber attackers treat human beings as the largest attack surface, but adding a new team member to your company does not necessarily mean you are expanding your attack surface. With effective training, a new team member can become your human firewall.
One element of maintaining a high level of cybersecurity is ensuring that non-security employees understand the role they play. Cybersecurity should not be treated as a one-and-done activity, especially when it comes to educating your employees. 80% of organizations said that Cybersecurity Awareness Training has reduced their staff’s susceptibility to cyberattacks such as phishing. Nowadays, many companies have mandatory Cybersecurity Awareness Programs and Cybersecurity Policies for new hires. Given that cybersecurity threats are constantly evolving, it is fundamental to update training materials and educational resources regularly. Instead of training employees once and then never again for several years, regular and updated training protects your organization. Keeping cybersecurity top of mind through consistent training helps ensure it becomes an integral part of the company culture.
Corporate leaders should set an example by demonstrating good cybersecurity practices to protect their business and its classified data. Regular business updates and everyday conversations can reinforce the importance of cybersecurity and build cybersecurity awareness in everyone. Implementing, maintaining, and encouraging a culture of cybersecurity awareness can help ensure the safety of the company and its confidential data.
Human Firewall
Getting your C-Suite on board, so that senior executives understand why cybersecurity is important and why they should drive the culture from the top, can be challenging. Because corporate leaders constantly have to make decisions that weigh risk against reward, it is crucial to communicate cybersecurity risks to them in a way they can clearly understand. Instead of focusing on technical details, IT staff can quantify the financial impact and probability of different types of cyberattacks, which helps the C-Suite prioritize risks and make informed decisions about investments in cybersecurity. Ultimately, it is about providing senior executives with the relevant information they need to decide where to invest resources to protect the organization.
There are circumstances when you will need to take disciplinary action. It is not pleasant for any of the parties involved, but at certain times disciplinary action is mandatory because it helps manage unwanted behaviors. The most important proactive measure is to apply your company policies consistently and to have a documented policy that outlines undesirable actions, so that you can handle matters fairly and transparently. If employees feel that there is one set of behaviors and consequences for one colleague and a different set for another, they will not know which to follow, and they will be confused or even lose trust in upper management.
An unprejudiced, non-discriminatory, and impartial workplace is also a safer workplace. While disciplinary actions may sound scary and deterring, they can take many forms that vary in degree, ranging from a verbal warning to termination, and should be tailored to the severity of the offence. Conducting an investigation, formalizing the procedures and taking appropriate measures will help create an equitable workplace.
The other notable proactive measure is to make sure that you have both engagement and loyalty from all the members of your Human Resources team. Regarding cybersecurity best practices, if you have a well-documented process with good Human Resources support and buy-in, you are less likely to create risk for your organization.
The Importance of Employee Cybersecurity Reporting Meetings
As cyber threats continue to grow in volume and sophistication, cyber incident reporting plays an ever-growing role in helping businesses learn from incidents and avoid repeating the same mistakes, and it gives organizations a way to document and respond to an attack. Nonetheless, employees tend to underestimate both the likelihood of being attacked and the magnitude of a successful cyberattack. Research shows that 30% of employees do not believe cyber criminals would target them at work, and 21% believe most breaches are minor and easy to resolve. Reporting a cybersecurity incident can be a complex issue, especially when it comes to deciding when and how to report it.
There are two different groups to consider here: your rank-and-file employees, and the team responsible for handling cybersecurity incidents. For rank-and-file employees, it is imperative to ensure that they are aware of cybersecurity risks and threats, and that they fully understand how to report cyberattacks and cyber incidents in a consistent manner, whether through a Slack channel, email, or a web form. The team responsible for handling cybersecurity incidents should have a documented Cyber Incident Response Plan (CIRP) with reporting mechanisms in place to track and measure cyber incidents, so that it can deal efficiently and effectively with different types of cybersecurity incidents. Similar to health and safety reporting in a workplace, a reliable reporting mechanism allows cyber incidents to be tracked, gauged and quantified, and allows the reports to be used in quarterly cybersecurity reviews to help prevent similar cyber incidents from happening in the future.
As an employee, it is important for you to report any potentially risky activity that you encounter to the relevant people within your organization. Finding the right balance can take time, but it is important to remember that if no one reports a phishing attack, for example, everyone will be left to deal with it individually, without being aware that others are experiencing the same issue. If someone reports the cyber incident early, on the other hand, it can be quickly identified and dealt with by the appropriate team, potentially preventing it from causing further harm.
Staying Connected and Protected within Remote Work Environment
Human Resources Departments must pay close attention to the risks associated with the remote work environment, which has become increasingly popular with the rise of work from home and remote access technologies. In terms of communication channels, remote work increases the risks to businesses. In the past, doubts about an email could easily be resolved by walking over to the sender, but this is no longer possible in a remote work environment. Cyber criminals are taking advantage of this by impersonating internal employees and attempting business email fraud. This is a serious threat, as 75% of organizations worldwide reported attempted business email compromise last year, with 78% involving fake CEO emails, resulting in a 64% increase from Q3 to Q4 2022. Employees need to take precautions and be aware of these risks, as well as of any policies and practices in place to ensure that their personal devices are secure. It is essential to have good practices around BYOD (Bring Your Own Device) and to make sure that employees understand what they need to do to have appropriate controls implemented. With employees working in various environments, it is vital to take advantage of security design approaches such as zero trust architectures and VPNs, and to use encrypted web communications and authentication to ensure secure communication. This allows employees to work effectively and securely from anywhere without posing a danger to the security of the organization.
The increase in remote work has allowed companies to expand internationally and create a cross-border workforce. However, this comes with legal implications that companies need to consider. It is of utmost importance to work with Human Resources to understand local employment agreements and laws to ensure compliance. Hiring someone in a remote country can be complicated, as companies need to adhere to local labor laws. To mitigate this, companies can work with Local Employer Organizations (LEOs), which allow them to legally employ someone in a remote location through a third party without having to open a business unit in that country. Such an operational framework enables companies to operate cost-effectively while maintaining compliance with local labor laws.
There is also a rise in Digital Nomad workers: remote workers who are location independent, i.e., who travel to different locations on a regular basis. In some countries, these workers fall under local labor laws. It is important for companies to assess the risk brought about by these new work practices. Will your company’s cyber insurance policy cover a leak that originated in a foreign country where one of your Digital Nomad workers is working?
Keeping Data Secure with a Remote Team
One striking characteristic of remote work is that, more and more, we are not storing our data locally on our laptops. On the one hand, we are leveraging cloud storage services, which are actually more secure because employees do not have to worry as much if their personal device is lost or stolen. On the other hand, organizations should ensure that they have strong cybersecurity protocols implemented, such as strong encryption, regular backups, and access controls. Furthermore, employees must be educated on best practices for using cloud storage services securely, such as using strong passwords and enabling MFA (multi-factor authentication).
Third-party risk management is paramount in ensuring the security of a company’s data and computer systems, especially in the case of a cloud security breach. It is important for organizations to thoroughly evaluate their vendors and ensure they adhere to industry security standards like SOC2 or ISO, as well as privacy regulations such as GDPR in Europe, Law 25 in Quebec and PIPEDA in Canada. Such standards are particularly applicable for companies with a distributed workforce, as third-party vendors play a critical role in preserving cybersecurity across the operations of the organization.
Employee Offboarding and Data Security
It is inevitable that employees who have access to critical data will eventually decide to leave the company, and such departures carry cybersecurity risks. The Human Resources Department and the organization must take steps to protect sensitive data, starting well before offboarding team members, by setting boundaries and managing access to data. Data access reviews should be conducted regularly, especially in large organizations, to ensure each employee’s access is appropriate for their responsibilities. Lateral moves can cause problems when legacy access to computer systems is maintained, and a compromised account can result in breaches of all the IT systems the employee has accessed over their tenure.
Once an employee is ready to leave the company, his or her files should be retained and saved securely. Deactivating the user includes signing out, removing access, retrieving company devices, and resetting passwords on shared accounts. Most employees understand that such procedures are carried out to comply with security and policy measures, and that they do not reflect a lack of trust in them. What is at stake is not letting gaps linger, particularly for IT staff or those with administrative access to systems. Cutting off access promptly is pivotal.
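The regular data access review and the prompt cut-off of access described in this section can be checked by comparing an HR roster with an export of enabled accounts. The Python below is an added example, not part of the original newsletter; the CSV layouts, system names, role baseline and function names are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not from the newsletter): HR roster and entitlements.
HR_ROSTER = """employee_id,role,status,last_day
e100,finance,active,
e101,engineering,active,
e102,it_admin,terminated,2023-03-31
"""

ENTITLEMENTS = """employee_id,system,enabled
e100,erp,true
e101,source_control,true
e101,erp,true
e102,vpn,true
e102,admin_console,false
e999,vpn,true
"""

# Hypothetical baseline: systems each role needs for its current duties.
ROLE_BASELINE = {
    "finance": {"erp", "vpn"},
    "engineering": {"source_control", "vpn"},
    "it_admin": {"admin_console", "vpn"},
}


def _left_by(last_day, today):
    # A terminated record with no date is treated as already departed.
    return not last_day or date.fromisoformat(last_day) <= today


def review_access(roster_csv, entitlements_csv, baseline, today):
    """Return sorted (employee_id, system, reason) findings for enabled accounts."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for ent in csv.DictReader(io.StringIO(entitlements_csv)):
        if ent["enabled"].strip().lower() != "true":
            continue  # already deactivated, nothing to flag
        emp = roster.get(ent["employee_id"])
        if emp is None:
            reason = "no_hr_record"  # account nobody in HR can vouch for
        elif emp["status"] == "terminated" and _left_by(emp["last_day"], today):
            reason = "active_after_departure"  # offboarding gap
        elif ent["system"] not in baseline.get(emp["role"], set()):
            reason = "outside_current_role"  # e.g. left over from a lateral move
        else:
            continue
        findings.append((ent["employee_id"], ent["system"], reason))
    return sorted(findings)


if __name__ == "__main__":
    print(review_access(HR_ROSTER, ENTITLEMENTS, ROLE_BASELINE, date(2023, 4, 15)))
```

Run on a schedule against real exports, the findings list gives HR and IT a shared worklist: departed staff whose accounts are still enabled, access that no longer matches the current role, and accounts with no HR record at all.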
Summary
In recent years, in the wake of a more active regulatory environment, the boom in remote-access technologies and growing recognition of the importance of cybersecurity culture, Human Resources has come to play an increasingly integral role in organizational cyber risk management. By 2025, humanity’s collective data will reach 175 zettabytes. A robust partnership between IT personnel and Human Resources Departments is essential for managing critical data and valuable assets, providing the visibility and scalability that an organization needs to control cyber risks effectively in the ever-evolving cyber threat landscape.