skip to content
CyberTIP: The Role of HR in Creating a Culture of Cyber Security

CyberTIP: The Role of HR in Creating a Culture of Cyber Security


The Inside Perspective
(April 7, 2015)

In recent months, the drumbeat of news reports about large corporate data breaches has created a new national discussion about cybersecurity. Sophisticated hackers and cyber-thieves are not just hunting "big game" but are also targeting small and medium-sized entities that have not taken adequate steps to protect their data. These smaller breaches may not make the front page or trend on Twitter, but they can be deadly to smaller enterprises.

The HR department at any entity, big or small, must help establish a shared culture of cybersecurity. For HR, this effort means (1) implementing comprehensive policies and procedures tailored to the data the company maintains, (2) educating employees that protecting company and customer data is everyone's responsibility--not just the job of the IT department, and (3) creating evaluation tools to measure how employees perform on issues related to cybersecurity.

TIP: As an HR professional, promote data security policies, educate employees about protecting sensitive data, and evaluate how employees perform related to security measures.

Every day, employees face choices that can expose a company to a data breach, notification requirements, fines, penalties, lawsuits, negative publicity, and more. Do your employees understand the importance of this issue? Has the Company determined (and are employees aware of) what data it has, where that data is stored, who has access to it, and how it might be accidentally disclosed? Does the Company have policies and procedures for the protection of confidential information and company systems? Have employees been properly trained on this issue?

HR should insist on including data security training during orientation. Targeted training should occur within separate business units. Helpful tips and reminders regarding cybersecurity should appear in company newsletters and e-mail alerts. Regular self-audits to check on compliance will serve an additional training function. And, knowing that behavior follows what is measured, periodic employee evaluations and performance reviews should include criteria related to data security.

Cybersecurity is not simply an IT issue; it is a matter of company culture and reinforced behavior, right down the middle of HR alley.

Authors
Alexander L. Maultsby
T (336) 378-5331
F (336) 378-5400
Eric A. Snider
T (919) 755-8758
F (919) 838-3111
Associated Attorneys
DISCLAIMER

Each of our lawyer's e-mail address is provided with his or her biography. If you are not a current client of our firm, you should not e-mail our lawyers with any confidential information or any information about a specific legal matter, given that our firm may presently represent persons or companies who have interests that are adverse to you. If you are not a current client and you e-mail any lawyer in our firm, you do so without any expectation of confidentiality. We will not establish a professional relationship with you via e-mail. Instead, you should contact our firm by telephone so that we can determine whether we are in a position to consult with you about any legal matters before you share any confidential or sensitive information with us.