Employee Handbooks: The Vital Link in a Cybersecurity Chain

By Eduard Goodman, chief privacy officer for IDT911

When it comes to cybersecurity, two factors are coming together in a worrying way. One lurks in the results of a survey, conducted by the Association of Corporate Counsel, that shows employee error is the leading cause of data breaches. The other was revealed in research carried out by CompTIA, which discovered that almost half of employees don’t receive any training around cybersecurity.

It’s little wonder, then, that new data breach announcements surface nearly every week. For HR professionals, it’s becoming apparent that employees lack proper knowledge of data security and that more proactive steps must be taken to address this growing issue.

Knowing the threat posed to sensitive data today, HR has an important role to play in reducing the risk of human error in security incidents by teaching employees the do’s and don’ts of cybersecurity. The good news is that breach prevention efforts don’t need to be overwhelming. The first place to start in the journey is with the employee handbook.

The Link Between Breach Risks and Employees’ Actions

Even a small data exposure creates big problems for the company. Financial penalties may be steep, and are often followed by reputational harm and other long-lasting impacts. As customers drift away, revenue is likely to sag. Business partners and collaborators may pull back on contracts or put more onerous terms in place to protect themselves. Employees and even candidates may lose trust in the business, draining morale and potentially hurting the organization’s ability to attract and retain quality workers.

The volume of data breaches resulting from employees’ actions demonstrates the vital role the workforce plays in maintaining data security. Risks of an exposure will only increase if employees aren’t aware of the importance of a strong security posture and where their responsibilities exist in that effort. In addition, if workers don’t have the tools they need—in the form of best practices and procedures—their good intentions may still fall short when it comes to protecting company data.

HR Can Take the Lead On Data Security

Historically, much of the breach prevention discussion has focused on IT and the technologies they deploy. The reality is that a robust data protection strategy is much broader than that. The HR function represents a critical starting point in creating and nurturing the company’s culture of data security, and the team is in a position to take the lead on ensuring a strong security posture across the entire workforce.

The employee handbook is the perfect vehicle to provide a foundation for the rest of the company’s efforts. It immediately demonstrates to new hires that the company takes cybersecurity very seriously. It also sets expectations for employees joining the company, not just around the proper processes and procedures that should be followed but also concerning each individual’s responsibility for protecting sensitive data.

In addition, because most organizations require that employees provide a signature acknowledging they have read and understand the practices set out in the handbook, workers will have an explicit understanding that they will be held accountable for following the policies set out within its pages.

Incorporating cybersecurity best practices into the employee handbook also helps to boost workers’ engagement with the tools and technologies provided as part of the data protection program. Not only will employees be more likely to utilize the security mechanisms available to them, those who know about breach risks and prevention strategies will be more aware of their coworkers’ actions, as well.

If an individual displays poor data handling habits, their peers will have the knowledge to identify those security gaps and either counsel the employee to improve or alert the organization’s data security team that risks may exist. This turns employees—determined to be a point of weakness in past breaches—into the company’s first line of defense against an exposure.

Training Drives the Data Security Message Home

A section in the employee handbook is the start of a solid cybersecurity program, but it must be followed by comprehensive, ongoing training. Because breach prevention extends far beyond IT’s realm, HR professionals should consider data security training as just one component in the overall awareness and education efforts the team oversees.

Alongside existing training that covers regulatory primers, communication competencies, and a host of soft skills, cybersecurity education will help employees carry out their responsibilities in a way that protects the business and ensures activities are done correctly.

It’s important to remember, though, that breach prevention and response are not a set-it-and-forget-it affair. HR will want to develop a training program with recurring sessions to ensure employees maintain awareness of data security risks and practices.

In addition, because cyber threat vectors are always evolving, ongoing skills development is important to keep up with new scams and new targets. This refresher training complements the policies in the handbook and gives employees an opportunity to maintain their skills.

Eduard Goodman is the chief privacy officer of IDT911. An internationally trained attorney and privacy expert, Goodman has more than a decade of experience in privacy law, fraud, and identity management. He is a member of the State Bar of Arizona, where he sits on the Technology Committee and served as the 2015-16 section chairman of the bar’s Internet, E-Commerce & Technology Law Practice Section. Goodman is a Certified Information Privacy Professional (CIPP) holding designations for the U.S., Canada, and the European Union.