HR, Not IT, Is The Key To Company-Wide Data Security
By Judy Kneiszel

A software glitch crashed computers in July, disrupting businesses and canceling flights all over the world. This cyber disaster is a great reminder of the importance of HR’s role in cyber security training, as all employees must understand how to do their part to protect company data and systems.

Why HR? Isn’t this an IT problem?
An organization’s Information Technology (IT) team is skilled at managing computer systems and networks, and troubleshooting technical problems. Communicating with workers who are less tech savvy, however, may not be the IT team’s strong suit.

IT professionals tend to speak in their industry’s jargon, which may go over the heads of those in other areas of an organization. A member of the IT department, for instance, will likely understand cyber security issues at a deeper level than members of the customer service department. But the customer service team’s handling of information can put data security at risk.

6 ways HR can play a bigger role in protecting company data and systems:
  1. Make the message of security engaging. HR should think of security awareness training less like a task employees need to complete and more like a marketing campaign. This can be done by creating messages that are easy to understand and visually appealing. Input might be requested from creative teams, like advertising and marketing, on how to “sell” cyber security.
     
  2. Work to change behaviors. Explaining security risks is a starting point, but creating a culture of security should be the goal. This can be done through practical exercises, like phishing simulations designed to test employees' responses to potential email and social engineering scams in real-world settings.
     
  3. Never stop training. Security awareness training shouldn’t just be an annual event that employees simply check off their to-do lists. To be effective, it must be ongoing so that employees understand their shared responsibility. One person’s decision (or mistake) could put everyone at risk.
     
  4. Take a multifaceted approach. Use a combination of communication channels to convey security awareness messages. This might include printed materials, lunch and learns, short training videos, FAQs, podcasts, and webinars. Security reminders might also come through weekly email updates, one-on-one discussions, team meetings, online chats, and more.
     
  5. Tailor the message to the audience. Not all employees will have the same level of technical knowledge or potential for impact when it comes to data and system security. Take the time to tailor materials and messages instead of taking a one-size-fits-all approach. Adjusting tone and content can also help ensure information resonates with individuals.
     
  6. Think about timing. Employees are most likely to learn if information is available right when they need it. For example, tips on how to create a strong password should be sent along with scheduled reminders to update passwords. It can also be helpful to display banners or pop-up messages warning employees when a confidential file is opened. Another great time to make an impact is after a security incident has occurred, or been averted, in your organization.
©2022 Wisconsin Society for
Human Resource Management Council
Wisconsin SHRM Council
4075 Vilas Road
Cottage Grove, WI 53527
Phone: (608) 204-9827
Email:  wishrm@morgandata.com