With the GDPR now firmly in place, and potentially crippling fines for non-compliance, there has never been a more important time for people, particularly those working in HR who handle sensitive data daily, to ensure that they and those they work with are data security-savvy.
Good HR departments should be leading the way on data security, not only because of the financial or reputational risks that go alongside data breaches, but because research suggests that 90 per cent of data breaches in 2019 were caused by human error or by scammers manipulating employees. With coherent and thought-through HR processes that consider data security, the potential for breaches could be significantly reduced.
So, how can HR departments lead the fight against data security breaches?
Develop an in-depth onboarding process
Onboarding processes should involve ensuring new employees are set up with the correct assets and are only granted access to the systems, apps and data that their role requires – this will greatly reduce the risk of a data breach. It’s not just about ensuring only HR has access to ‘HR data’ but making sure the data that individuals within your business see is appropriate and relevant. For instance, do managers need to see national insurance numbers or bank details? Do all HR staff members need access to all employees’ data? Does IT, by having access to your servers, actually have unintended access to sensitive information? This is often an overlooked aspect of the GDPR but, if many within your business are seeing data they do not need to see, then you may not be compliant, and your risk of a breach is high.
Returning to onboarding, ensure the process includes scope to outline policies and procedures you have in place to prevent data breaches and emphasise why this is so important – flagging the trust other employees and customers place in them, as well as the possibility of losing their job or facing legal proceedings.
Get your internal department processes in order
Take the time to reflect on the processes you have in place that are relevant to data security. Once you are certain the right people have access to the data they need, it is important to understand how they use that data. This is where the need for a data audit comes into play. Audit when people access information, run reports, download information and so on. This means you can identify inappropriate usage and possibly avoid a wider data breach. Impact assessments and risk assessments should also be carried out for that data. This will inform the process of dealing with a breach should it occur. If you do not currently have a formal process in place for dealing with a data breach, it’s time to get that set up.
Implement ongoing training
Ongoing training is key to keeping employees abreast of any updates to data protection legislation, your company policies and procedures, and any threats they might encounter that might be unique to your business. It’s essential to ensure data security training is scheduled into training plans and to reinforce the importance of attendance for all staff, regardless of position in the business. You could consider the most engaging way that this training could be delivered. Engagement from all employees on the topic and understanding why it is so important will be a key way to diminish risk.
Tighten up your offboarding procedure
While many HR departments refine their onboarding process, the offboarding of an employee can be chaotic and leave businesses vulnerable to data security breaches. Make sure you develop policies and procedures for offboarding: delete logins, change any shared passwords and recover any company devices. Securely archive an employee’s records once you’ve processed their final pay and carried out their exit interview, and mark them as a ‘no longer active’ member of your workforce. Naturally, technology will be a huge help in this process, ensuring all the relevant tasks are completed before an employee leaves and their record is securely archived.
Jason Dowzell is co-founder of Natural HR