This month’s guest blog is from Emma Fay-Touhey of the HR Dept. Emma provides excellent support to all of her clients, including ourselves, and we are delighted to have her thoughts on the vital role a good HR system plays in the defence against cyber-crime. If you would like a free HR review to see how your HR systems can help bolster your IT security, please contact Emma on 01625 460694.
How well do your HR systems support your IT security?
Whether it’s a WhatsApp mishap, a Facebook ‘unfriending’ or an employee enjoying a little too much of an employer’s Internet access, IT security is an HR challenge for all employers, and it is only getting bigger as technology advances.
Most people have heard of Cyber Security and understand the threat, but how can a Company ensure that its HR systems communicate the importance of IT security to its employees to try and prevent serious issues from arising?
The first thing is to make sure you have a bespoke IT Security Policy within your employee handbook. This is going to be slightly different across organisations and sectors, with some organisations, for example those where staff have access to extremely sensitive data, placing more importance on this topic than others.
The policy should set out exactly what the Company expects from employees in terms of reasonable use of the company IT systems, which includes Internet, computers, company mobile phones and social media accounts (a separate Social Media policy is advisable where this is a key part of the business).
The policy should include details of who has overall responsibility for the Company’s IT security and what steps an employee should take when they feel there has been or could be a threat to IT security. The key thing here is to avoid a blame culture – employees should not be too frightened to speak up if they think they may have clicked on a phishing email or lost some data. Any delay in reporting is likely to make the problem worse.
Include anything else relevant to your IT systems, such as password policies, details around remote access (logging onto work emails on personal devices, known as BYOD) and details of any specific software or systems that the Company uses.
Training staff on the seriousness of IT security is a great idea, especially on how they can recognise different types of cyber-attacks. Some employees will never come across this kind of thing in their personal lives, and even just some basic training could save the business from a disaster later down the line.
Finally, what will you do if you find out an employee has breached the policy? Make it clear that, whilst genuine accidents do happen and need to be reported immediately to mitigate the damage, intentionally misusing Company IT systems will be handled formally through a disciplinary procedure. Ensure that the policy breach hasn’t happened due to a lack of knowledge or training – if it has, consider getting some refresher training to avoid the same mistakes happening again and to create a culture of continuous learning and support rather than one of blame!