In our last blog post, we discussed current cybersecurity threats and HR’s important role in enhancing digital security. In this post, we explain some of the key elements of HR’s role.
Training and awareness
Often, the words “training” and “awareness” are used interchangeably, but in the cybersecurity world, they have different meanings. “Training” is instruction on what to do or not do. “Awareness” is a basic shift in a person’s subconscious mindset that leads to automatic behavior. The difference is key.
Let’s look at an example. Picture your favorite beverage. Chances are, you’ve seen an advertisement for it somewhere. The advertisement could have been a 500-word essay on the benefits and joys of gulping down the drink. But that’s not what the advertisers chose to show you. Instead, they used a picture of an ice-cold bottle, perhaps with adults having the time of their lives. Why? Because the advertisers weren’t trying to convince you of the benefits of the drink on an intellectual level. They were attempting to create an almost unconscious response the next time you visit the grocery store. The advertisers weren’t trying to educate you; they were trying to change your automatic, almost unthinking behavior. As you may have guessed, the 500-word essay is “training,” while the picture is “awareness.”
That is not to say training is unimportant. Not at all. It is a necessary part of HR’s digital security role, and it makes compliance people happy. However, many of the dangers we discussed in part one of this series are created because employees perform habitual, almost unthinking actions without being fully engaged, not because employees are uneducated. Think of an employee hurriedly clicking through e-mails while worrying about the meeting she must attend in 10 minutes. No amount of training will cause her to pause before clicking a malicious link in a phishing e-mail. Her automatic behavior must change before she will slow down and take the time to think.
Changing employees’ automatic behavior is a slow and daunting task. We all have experience with short, embedded instructions that we have internalized in such a way that they modify our unthinking actions. Let’s look at two examples from childhood (please fill in the blanks):
- ____, ____, and ______ before you cross the street.
- If you are on fire, ____, ____, and ____.
How did you learn to stop, look, and listen before you cross the street? How do you almost instinctively know to stop, drop, and roll if you are on fire? It wasn’t a PowerPoint presentation or a 20-minute training video that seared those instructions into your subconscious. Rather, it was multimodal repetition: You sang a song about the instructions in kindergarten, your teacher told you what to do, there were posters in your classroom, and your parents repeated the advice.
To raise your employees’ security posture (and shore up the weakest part of your cyberdefenses in the process), “think before you click” and “when in doubt, shout it out (to the help desk)” need to become as instinctive as “stop, look, and listen.” The more often those messages are repeated—with varied methods of delivery—the more likely they will change behavior and improve your security posture over time.
Your company’s culture can substantially help—or hinder—your cybersecurity efforts. Digital security awareness must become a cultural value—part of the daily fabric of company life. That doesn’t happen by accident. Rather, companies that have digital security as a core value proceeded deliberately and intentionally.
Like most elements of company culture, leadership sets the tone and agenda for digital security. Thus, company leaders who are (or at least appear to be) invested in cybersecurity send a powerful message to employees. On the other hand, if cybersecurity is a known orphan ignored by company leadership, a cultural change will be difficult, if not impossible, to make.
Friend or foe?
An often overlooked element of a good security culture is employees’ willingness to report possible mistakes, particularly their own errors. A digital intrusion or data loss that is detected within hours or days is almost always less damaging than a breach detected months (or longer) after it occurs. Unfortunately, the average time between a digital attack and detection is more than 200 days, and the gap is getting larger.
Since many cyberattacks involve employees in some way, workers’ willingness to swiftly report slips and mistakes is vital to reducing the time between a breach and the discovery. Security-conscious companies know that and inform employees that reporting mistakes is unlikely to lead to discipline or termination. Obviously, employees with malicious intent will be subject to severe discipline, but such employees are not likely to report mistakes anyway.
An accidental or unthinking lapse in judgment may result in additional training, but it is often counterproductive for employees to believe that reporting a mistake will lead to more serious consequences. In the end, your company has a choice: Recruit employees as frontline sentinels or discourage them from reporting incidents. The choice you make can have a profound impact on your overall security culture.
Orphaned policies do little to promote cybersecurity. On the other hand, thoughtful policies that align with your organization’s demonstrated attitude and priorities are essential to a good security program.
Of course, a compliance element is essential to a good security policy. Whether it’s the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI) security requirements, or a regulatory scheme that affects information security, having proper policies in place allows you to stay in compliance.
However, an organization that seeks only to check off a box is likely making itself less—not more—secure. Meaningful digital security requires that policies be acknowledged by employees, enforced, and reinforced through training and awareness. Ideally, employees will review and sign off on your company information policies as part of the onboarding process. Ensuring that significant digital security policies are limited to a few pages will help. If your policies are longer than that, consider giving copies to employees, along with a short summary sheet that employees must sign.
Aligning policies and training is an often overlooked step. Obviously, conflicts between policies and training are bad. A trainer who can’t answer basic questions about your policies sends a clear message that the policies are for the shelf, not real life.
Finally, nothing says “we don’t care” quite like failing to enforce a policy. From almost any vantage point, an unenforced policy is generally worse than no policy at all. Following through, of course, means imposing consequences. Consequences, however, are not synonymous with discipline. While you should impose discipline, up to and including termination, for repeated or malicious conduct, consequences for less serious issues must be given with an eye toward encouraging employee self-reporting, not deterring it.
Often, people think of “security” as a fence around something that is being guarded. In cybersecurity, your “fence” will almost assuredly fail to stop all breaches. Thus, a good cybersecurity program includes four layers of defense:
- Protect your system (the fence part).
- Detect when someone gets in.
- Contain damage.
- Respond appropriately and recover efficiently.
Empowering employees to become digital sentinels assists in protection and detection. But HR also has a critical response role. Every meaningful data breach has an HR component. It could be coordinating off-site management of employees working remotely because of a problem with a primary system, pulling in the right employees from across the company to respond to an incident, or simply telling employees what is happening and what they can and cannot say.
A strong response begins with quality preparation. From HR’s perspective, preparation includes many tasks. Review your company’s incident response, disaster response, and business continuity plans to determine how they affect employees logistically, intellectually, and emotionally. What portions of the plans merit separate HR planning? A preplanned framework for handling employee communications can be a real asset after a cyberattack. While you cannot account for every scenario, talking through the notification process and developing your general message ahead of time will prevent confusion and disagreement after a hack.
Need to learn more about the cyber threats that are lurking and what HR should do about them? Listen to BLR’s on-demand webinar Managing Shadow IT Threats: A Tactical Game Plan for Guarding Against Damaging Data Breaches. Armstrong Teasdale attorneys Daniel C. Nelson and John P. Hasman discuss what shadow IT is and why employees don’t realize the danger; how shadow IT works—and the real risks it poses to your company; how to train employees on handling company data so you can better protect your company’s intellectual property; IT security steps to immediately take to prevent shadow IT risks; legal ramifications your organization could face in the event of a breach; and what not to do—as illustrated through case studies revealing the types of mistakes to avoid.
We do not intend to pick on HR professionals. We have a similar message for other non-IT personnel, including legal, finance, risk management, operations, and, most important, senior management. Today, good cybersecurity depends on what all employees—not just IT personnel—contribute. Digital threats have moved out of the server room and into every office, cubicle, and lunchroom. So should your response.
Daniel C. Nelson, C/EH, CIPP/US, is a certified ethical hacker, litigator, and privacy and data security attorney with Armstrong Teasdale LLP in St. Louis and Denver. He can be reached at [email protected].
Daniel C. Nelson will be leading two sessions at the 2017 Advanced Employment Issues Symposium. First, How to Work with IT to Develop a Comprehensive Written Information Security Program to Safeguard Sensitive and Confidential Information and Protect Against Data Security Breaches, a 2-hour super session in the pre-conference, is designed to teach you how to communicate and work with IT to conduct a risk assessment and develop a thorough written information security program. As part of the main conference’s “Security and Risk Management” track, Nelson will present Apple v. FBI: Legal Impact the Fight to Unlock the iPhone Could Have on Issues Related to Employee Privacy and Ownership of Corporate Data and Devices, in which he will cover who should have access to devices and their data, including for how long and from where; strategies for setting up permissions for company-issued devices and countering the legal concerns and risks of “BYOD” (bring your own device) policies; which corporate data and e-mail rules may require rewriting; and more.