The human resources department helps the company find people, hire them, train them, fire them, and manage the whole personnel process. For some reason, there are a lot of jokes about HR people being evil, maybe because they control people’s careers. But they are essential to any organisation. They have a say in the allocation of money for salaries and benefits. They are the gatekeepers for employment issues and education and training. Because cybersecurity is first and foremost a people problem and only secondarily a technology problem, cybersecurity managers should consider HR folks essential partners.
HR actually tends to be quite helpful to the cybersecurity manager. We don’t remember a single instance when HR hasn’t wanted to help improve security. In fact, HR managers usually become friends with the cybersecurity manager.
The cybersecurity manager should find those few cybersecurity issues that actually belong to HR or where HR is instrumental, then enlist their help. The cybersecurity manager can place certain checks and security controls on the employment process, then stay hands off. Set HR up with the right tools, then let the HR machine run on its own.
Security in the Hiring Process
When starting on the job, the cybersecurity manager should meet with someone in HR as soon as possible—preferably an HR manager or director—and have a discussion about security. Ask the HR manager or director the questions below. Their answers will help you understand which security measures are in place and which are not.
- What do you do for security when new employees start at the company?
- Is there any formal security training provided?
- How does the company maintain its security awareness continuously?
- What do you do when they leave the company?
The discussion will also help establish a relationship between the cybersecurity manager and HR personnel, and establish the cybersecurity manager as someone who is there to help. In fact, if the company is big enough to hire employees with cybersecurity skills, or if it’s hiring a cybersecurity specialist, the cybersecurity manager might even be able to help HR craft the security requirements in their job descriptions. For example, if they are looking to hire an internal auditor for security, HR will probably not be able to define what skill set and capabilities the role and the candidate should have, but the cybersecurity manager certainly can.
Best Practices for HR
Advocate for HR to pay attention to basic security measures:
- Review all aspects of the résumé or CV.
- Conduct a background check. (If you use an external service provider for the background check, check on them too.)
- Call previous employers.
- Verify candidate’s identity.
- Assign equipment, keys, and access rights, and have them sign for it.
- Provide induction and familiarisation training.
The cybersecurity manager can guide HR to create—and use—a hiring checklist. The checklist should include simple things like verifying the candidate’s identity—are they really who they claim to be? HR should check each new hire’s CV against their certificates and references to make sure the claims hold up. They should also have procedures in place that require the new employee to sign for any computers, keys, and key cards issued to them. Other checklist items include assessing which user access rights are appropriate for the new employee—what access will they get to the network and services, both within the company and externally? The access granted should be what the role needs and no more, and it should be recorded, because the same record is what the exit checklist later has to reverse. The HR manager should also ensure that the employee receives induction and familiarisation training when they start the job. The cybersecurity manager should make sure HR has this hiring checklist in place and that every hiring manager uses it each time someone is hired.
Next, the cybersecurity manager should make sure HR is providing at least basic security training to each new employee. The company may have internal policies and procedures in place about security, but if they’re not part of the induction training, then the new hire won’t know about them. If she doesn’t know about them, she won’t comply, leaving the company open to a possible security breach. The responsibility for that breach would then travel up the chain of responsibility, from the supervisor all the way up to the CEO. Ultimately, the responsibility lies with the company.
Security in hiring requires attention to detail, but at the same time, the cybersecurity manager should make sure they don’t lose track of the bigger picture: usually the biggest risk is hiring someone who is not a good fit for the company. The cybersecurity manager can’t forget that the main goal of the HR process is to find the right person for the job.
Security in the Firing Process
During firing, HR should also have a checklist. The hiring manager or supervisor essentially reverses the hiring process:
- What does the terminated employee have that they need to return?
- Did they return everything? Was a signed receipt obtained for the returned equipment?
- When should account access be disabled, and what did they have access to?
- Are there any foreseeable disputes that make it wise to end access early?
- Or will the departing employee keep temporary access to computers or accounts, and until when?
It’s up to each company how they want to implement different types of exit scenarios. But there should be a plan and set policies in place. In our experience, which includes firing CEOs, it’s best to have an established checklist and follow it every time without fail.
If possible, it’s useful to have the employee sign the checklist and agree in writing that the computer will be returned that day before they leave, that they understand that their email password will no longer work after a certain date, and so on. When they sign that list and hand over the items, there can be no dispute about what was agreed to and what was done.
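The checklist questions “what did they have access to?” and “will the departing employee keep temporary access?” only work if somebody actually compares what HR knows (who has left, and when) with what the systems still allow. The following is an added example, not code from the original text: it reconciles a constructed HR roster against constructed account exports and flags enabled accounts whose owner has been terminated (unless an approved, dated exception covers them) or whose owner HR has no record of at all. The CSV layouts, system names and the `EXCEPTIONS` table are assumptions for illustration.

```python
"""Reconcile the HR roster against account exports to catch access that
survived an exit. Added example; the roster, systems and field names are
assumptions, not anything from the original text."""
import csv
import io
from datetime import date

# Constructed HR roster: one row per employee. 'status' is active/terminated.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Ada,active,
E101,Bob,terminated,2024-03-01
E102,Cy,terminated,2024-03-15
"""

# Constructed exports from three systems. 'owner' is the HR employee id the
# account was issued to at hiring (the "sign for it" step); a blank owner
# means nobody recorded who the account belongs to.
ACCOUNT_EXPORT_CSV = """system,username,owner,enabled
email,ada@example.test,E100,true
email,bob@example.test,E101,true
vpn,bob,E101,false
vpn,cy,E102,true
gitlab,cy,E102,true
gitlab,contractor-7,,true
"""

# Approved temporary access after termination, with an expiry date (the
# "temporary access to computers or accounts" case on the checklist).
EXCEPTIONS = {("gitlab", "cy"): date(2024, 3, 31)}


def parse_csv(text):
    """Parse an inline CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(s):
    """ISO date string -> date, or None when the field is blank."""
    return date.fromisoformat(s) if s else None


def find_orphaned_accounts(roster_csv, accounts_csv, today, exceptions=None):
    """Return sorted [(system, username, reason)] for enabled accounts that
    should not be enabled: owner terminated on or before `today` with no
    valid exception, or owner unknown to HR."""
    exceptions = exceptions or {}
    roster = {r["employee_id"]: r for r in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        key = (acct["system"], acct["username"])
        owner = roster.get(acct["owner"])
        if owner is None:
            # No HR record at all: nobody will ever trigger an exit for it.
            findings.append((*key, "owner not in HR roster"))
            continue
        if owner["status"] != "terminated":
            continue
        term = parse_date(owner["termination_date"])
        if term is None or term > today:
            continue  # termination scheduled but not yet effective
        expiry = exceptions.get(key)
        if expiry is not None and today <= expiry:
            continue  # approved temporary access still within its window
        findings.append((*key, f"owner terminated {term.isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_orphaned_accounts(
        HR_ROSTER_CSV, ACCOUNT_EXPORT_CSV, date(2024, 3, 20), EXCEPTIONS
    ):
        print(finding)
```

Run against the constructed data on 2024-03-20, the check reports Bob’s still-enabled mailbox, Cy’s VPN account (the exception only covers GitLab), and the ownerless `contractor-7` account; Cy’s GitLab access is silent until the exception expires at the end of March. The point is that the exit checklist produces the dates and the exception list, and a routine comparison like this one is what turns them into an actual control.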
The best practice is to make these security discussions, with new hires and with departing employees alike, a standardised process. If you make it a process, it’s not personal. It’s just a typical work conversation. “I have this HR paper; can we go through it together? We have to do it. It’s policy.” This is much easier than arguing over a computer or access rights or what to do with an email account. If the employee doesn’t like how they’re being treated, you can blame the paper, the policy, the process, and the bureaucracy.
Cultivating Security Awareness
All of these things have to be part of a cybersecurity awareness programme or plan, but the overall goal is to improve security awareness within the company. There is no fix for human stupidity or carelessness, but security awareness training can help avert the worst problems.
We’ve spoken with cybersecurity managers in high positions and asked them how much emphasis they put on technology and how much on awareness and human behaviour. One said he’s putting half the budget on awareness. It sounds like a lot, but think about what happens if you don’t. A simple email can be used to steal millions of dollars from a company. If employees aren’t aware of such a risk, no amount of technological protection can save them.
We worked with one person who received such an email. It appeared to be from the CEO and said, “I’m travelling and this is a busy case. Here’s the bill that should be paid to a service provider in the far east. It’s nighttime out there. Please just put the payment in, and then we can handle the proper paperwork later.” The bill looked legit. The email looked legit. The only thing that was not correct was the account number and bank. That company lost $17 million because of that email. Security awareness and training is the only thing that helps in those cases.
Even drastic technological measures to prevent cyberattacks can fail. Recently, in Singapore, the government enacted a new regulation that requires all public entities—governments, schools, hospitals—to disconnect from the internet; they had to use different computers for internet and physically separate networks for internal needs. It sounds like this change should help, but people can be fooled into overcoming that “air gap.” If that happens, this technical measure isn’t helpful. The money stolen in the example above would still be gone. Just recently, the health information of 1.5 million people was stolen from SingHealth, a major healthcare provider in Singapore. A simple click on a wrong email could still cost your organisation millions.
Attackers pay attention to human behaviour; they will try to fool somebody within the company into unknowingly assisting them with the fraud or hack they are performing. If all staff remain alert to these attempts, many of them can be avoided. Not long ago, attackers tried to move close to a billion dollars out of Bangladesh Bank in one of the largest attempted cyber heists in history. In the end, they got away with tens of millions, not hundreds of millions, because a typo in one of the transfer messages was noticed and the remaining transfers were halted.
These examples illustrate the need for security awareness training. Human carelessness is hard to regulate. But training employees at least every year can prevent needless disasters like those described above.
Budgets for Training
Training is going to require a budget, and that money might come from a variety of places. The HR budget will likely cover induction training and basic security training. Extended training, such as a week-long course on security auditing, will probably come from the auditing department’s budget.
Say a financial institution does its own software development. It will usually be required to train its developers in secure development practices for their day-to-day work. That is fairly technical training. HR is instrumental in first getting basic training to everybody in the company, but beyond that level, the different departments probably need to be involved separately.
Centralised training stays with HR. Specialised training migrates to the various departments.
Make HR Happy
HR is happy when the cybersecurity manager helps them acquire the proper training and create the guide for the training. But they usually do not like it when a cybersecurity manager forces a new security checklist or process on them. It feels like extra work. The best way to help them gain ownership is to talk with them and let them come up with the process and structure on their own. This way, HR can figure out for themselves the best way to do training and then build a programme from scratch. A cybersecurity manager who imposes training requirements may face resistance and have to do a lot of pushing to make progress. But when a cybersecurity manager is clearly there to help HR implement their own ideas, their input is usually welcome.
In the end, a company is nothing but a bunch of people working together. As in any relationship, reciprocity is key. HR, instrumental in a lot of important activities in the company, can cause problems for the cybersecurity manager if the cybersecurity manager is not helpful to HR in return. On the other hand, we’ve never seen an HR director who didn’t want to improve cybersecurity. Make HR your friend, and you will be much more successful as a cybersecurity manager.
Making It Stick
The cybersecurity manager knows what’s needed in HR security, but how do they get their message to stick? The best way is to ask for help. Go to HR with a set of requirements and ask them, “How should we do this?” The process of discovering the problem and the solution helps the HR specialists become involved and invested in the resulting work.