HR teams are heavily involved in exchanging e-mails, opening and sharing attachments, and interacting over social media
It is not IT security technology that protects enterprise information; information security is a behavior that HR drives within the organization
A 2011 report published by the Data Security Council of India (DSCI) and the consulting firm PricewaterhouseCoopers (PWC) reveals that a majority of companies believe that their intellectual property is constantly under threat. With the increasing incidences of hacking and phishing, the traditional thinking on information security revolves around the perception of “external” threats. The reality, however, is far removed from perceptions.
The DSCI-PWC survey reveals that companies have started realizing the potential hazards of “internal” threats. Internal threats do not arise solely from malicious intentions of a disgruntled employee or an unscrupulous contractor. The survey reveals that 67% are worried about threats from sources that have legitimate access to the organization’s information systems, including the ignorant and unwitting HR team.
HC Online, an Australia-based HR magazine, published an article today that highlights the potential magnitude of threats to an organization’s information system from the HR department. With the increasing sophistication of information theft mechanisms, the organization’s role in ensuring information security has increased manifold. While continuing to invest in strong information security technology, it is equally important for the organization to drive awareness about secure working practices. The HR team is particularly susceptible to becoming a victim of information crime. This is because HR teams are heavily involved in exchanging e-mails, opening and sharing attachments, and interacting over social media with service providers, prospective candidates, and external partners. At the same time, the typical HR professional is perceived as one who is barely aware of the know-how of information security.
Following are some key information security essentials that an HR professional should know.
Recruiting mailbox: the hot target
HR is among the enterprise functions that require a greater number of interactions with external agents, including candidates, partners, and vendors. Most of these interactions include sending and receiving attachments, opening and sharing links, and viewing unprotected websites. The recruitment mailbox that an organization typically provisions for receiving job applications and resumes is a constant target for information criminals. As the HCA article suggests, the probability of malicious software entering corporate systems through a recruitment mailbox is significantly high. Besides working with the information security team to devise safe practices to manage a recruiting mailbox, HR professionals also need to look at secure interactions through social media channels.
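As an added illustration of the "safe practices to manage a recruiting mailbox" the article asks HR and the security team to devise together, the following Python script triages inbound attachments before anyone opens them. It is example code written for this page, not from the article or from HC Online, and its policy tables, file signatures and the sample attachments are constructed assumptions: the point is that a resume mailbox should accept a short list of document formats, check that the file content matches the name, and quarantine executables, macro-enabled documents, archives and disguised double extensions.

```python
"""Triage of inbound recruiting-mailbox attachments (added example)."""
import os

# Policy tables: constructed for this example, not taken from the article.
BLOCK_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".ps1",
              ".hta", ".jar", ".msi", ".lnk"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img", ".gz"}
ACCEPT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".odt"}

# Leading bytes ("magic") for the accepted formats, used to catch a file whose
# content does not match what its name claims.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),          # OOXML is a ZIP container
    ".odt": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",),     # legacy OLE compound file
    ".rtf": (b"{\\rtf",),
}
MZ = b"MZ"  # Windows executable header; never legitimate in a resume


def split_name(filename):
    """Return (lowercased final extension, list of all dotted suffixes)."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    suffixes = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    final = suffixes[-1] if suffixes else ""
    return final, suffixes


def triage_attachment(filename, data):
    """Classify one attachment as 'accept', 'review' or 'quarantine'.

    Returns (verdict, reasons). Every failing rule is recorded so the
    reviewer sees all signals, not just the first one.
    """
    ext, suffixes = split_name(filename)
    reasons = []

    if ext in BLOCK_EXTS:
        reasons.append("executable or script extension %s" % ext)
    if ext in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if ext in ARCHIVE_EXTS:
        reasons.append("archive/container %s not accepted for resumes" % ext)
    if data.startswith(MZ):
        reasons.append("content is a Windows executable regardless of name")
    # "resume.pdf.exe": a document-looking extension hiding the real one.
    if (len(suffixes) > 1 and ext not in ACCEPT_EXTS
            and any(s in ACCEPT_EXTS for s in suffixes[:-1])):
        reasons.append("double extension disguised as a document")
    # Accepted name but content of another type (renamed executable, etc.).
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        reasons.append("content does not match the %s signature" % ext)

    if reasons:
        return "quarantine", reasons
    if ext in ACCEPT_EXTS:
        return "accept", []
    return "review", ["unrecognised extension %r; route to manual review" % ext]


def triage_mailbox(attachments):
    """Run triage over (filename, bytes) pairs; returns {name: (verdict, reasons)}."""
    return {name: triage_attachment(name, data) for name, data in attachments}


# Constructed sample inbox for the demonstration (not real submissions).
SAMPLE_ATTACHMENTS = [
    ("jane_doe_cv.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("cv.docx", b"PK\x03\x04" + b"\x00" * 16),
    ("resume.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("portfolio.zip", b"PK\x03\x04" + b"\x00" * 16),
    ("application.docm", b"PK\x03\x04" + b"\x00" * 16),
    ("cover_letter.pdf", b"MZ\x90\x00\x03\x00"),  # executable renamed to .pdf
    ("cv.pages", b"PK\x03\x04" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, (verdict, reasons) in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        print("%-20s %-10s %s" % (name, verdict, "; ".join(reasons)))
```

Running the script prints one line per attachment; in the sample inbox the two genuine documents are accepted, the four dangerous files (including the executable renamed to .pdf, which only the content check catches) are quarantined, and the unknown .pages file goes to manual review rather than straight to a desktop. A real deployment would sit at the mail gateway and log the quarantine reasons to the security team, which is exactly the joint HR-and-security workflow the paragraph describes.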
ISO and NIST
Yes, standards exist. It’s just that most of us are not aware of them. The ISO 8 standards deal specifically with the management of human resources security and privacy risks. The National Institute of Standards and Technology (NIST) 800 series provides a set of research and guidelines on computer security that individuals and organizations should follow. Introducing these standards is a critical step in establishing safe IP practices within the organization.
The 4Ws and 1H
According to experts, every HR professional needs to have answers to the following questions. Having answers to them will automatically pave the way for safe information practices.
• What/where is my data?
• Who is responsible for it?
• Who has access to it?
• How sensitive is it?
Experts comment that information security technology should be looked upon as the last line of defense for an organization. Information security starts with awareness and consciousness. Being at the vantage point between internal and external customers in an organization, HR’s knowledge of the know-how of information security can be the difference between a safe and an unsafe information enterprise.