
A recent study (Mercer's 2020 Global Talent Trends Study) revealed that two thirds (62 per cent) of executives believe the greatest threat to their organisation's cybersecurity is employees' failure to comply with data security and not hackers.
The solution? Involving Human Resources (HR) in local government management of cybersecurity.
According to Microsoft, the majority of organisations assign cybersecurity responsibilities to IT, risk management, legal and finance.
A recent audit of 10 local governments by the Auditor General found that all had "significant shortcomings" in their IT practices.
The report found that HR security was not effective at six of the 10 local governments audited and only partially effective at the other four; none had effective HR security.
At many audited local governments, a number of former staff members still had access to IT systems.
The Auditor General also found times when there was inappropriate access to systems by former employees without an acceptable explanation.
Communication between HR and IT at the end of an employee's employment would have prevented these scenarios.
The termination of data access rights needs to happen within 24 hours of an employee leaving.
This includes the termination of access to sensitive documents, to confidential information about people in the community and to social media channels.
Inadequate HR security controls in these areas could result in an information leak, legal action, financial damage, ruined reputation and a loss of community trust.
Other weaknesses identified during the audit where HR could play an important role included:
- No requirement for background checks before employing staff and contractors
- Confidentiality and non-disclosure agreements not required for new staff
- Inadequate induction and ongoing programs to inform staff and contractors of their information security responsibilities.
During induction, local government HR managers should include training for new staff members in the secure use of smartphones, computers, laptops and technology.
There need to be clear policies in place around what can be posted on social media – especially in relation to sensitive data.
HR can teach new employees how to practise good "cybersecurity hygiene".
Cybersecurity risks go up when there is inadequate training and policies in the following areas:
- Password security
- The use of new technology
- Remote access
- Digital transformations
With more staff members working from home, cybersecurity protocols can be weakened further.
Being able to access emails and documents on personal smartphones is also a cybersecurity risk.
HR and IT should have conversations about the consequences staff members face if they breach cybersecurity measures or refuse to take part in training.
HR should get involved if employees lose equipment, when data is stolen "accidentally", or when they make a faux pas on social media.
Ultimately, the Auditor General recommended that local governments should assess the risks unique to their business practices, ensure there are plans to improve cybersecurity and put in place processes to monitor ongoing cybersecurity risks – and HR can play a vital role in these plans.