HR also fires people, and if they don’t do it the right way, that can be a huge risk to the company too. Many employees who leave a company illegally take information with them when they go. That might come as a surprise to some people, but it happens a lot, especially in sales organisations. A salesperson’s value depends largely on who they know, so the next employer might value them more if they bring an address book of contacts. Realising that it might give them an advantage, some salespeople try to take the sales database with them when they leave a company, secretly of course. There’s a fine line here. If you have a business relationship with a customer, no one can expect you never to contact them again on a different agenda, but taking the whole sales database without permission is illegal. This risk can sometimes be covered with non-compete clauses in employment contracts, but in reality it happens a lot, even with those clauses in place.
We had a CEO contact us and ask, “Can we track down whether someone has opened our sales database files and made a copy of them?” This happened after they fired a salesperson and their customers suddenly started getting calls from that salesperson’s new employer. It was well timed and looked very suspicious, but in the end there was no proof. The CEO wanted evidence that data had been stolen. The problem is that most companies never enable file access auditing, the operating system feature that records which account opened or copied a file. No log, no evidence: logs cannot be generated retroactively.
It’s not just salespeople either. A system administrator might leave the company with sensitive data about the employer, such as passwords and keys to its information systems. Our advice is to be very nice to system administrators when you fire them, and to revoke their access and rotate any shared credentials they knew as soon as they leave. They can wield enormous power in terms of access to information and systems. Treat them well, even during the hard times.
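The CEO’s question above can only be answered if auditing was switched on beforehand. As an added example that is not from the book, the following Python script shows what such evidence looks like on a Linux file server running auditd: a watch rule tags every open of the sales database with a key, and the script correlates the resulting SYSCALL and PATH records to answer who opened the file, with which program, and whether the attempt succeeded. The file path, rule key, user ids and log lines are constructed for the example.

```python
"""Who opened the sales database?  Added example, not from the original book.

It assumes Linux auditd with a watch rule placed on the file *before* the
departure, for example:

    auditctl -w /srv/crm/sales.db -p rwa -k sales_db

The path, key name, user ids and the log lines below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed excerpt of /var/log/audit/audit.log (fields abbreviated):
# 2001: uid 1001 opens the file with sqlite3
# 2002: uid 1002 copies it with cp after sudo (uid=0, but auid keeps 1002)
# 2003: uid 1003 is denied (success=no, exit=-13 is EACCES)
# 2004: unrelated event recorded under a different rule key
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1525168800.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4100 pid=4102 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="sqlite3" exe="/usr/bin/sqlite3" key="sales_db"
type=PATH msg=audit(1525168800.101:2001): item=0 name="/srv/crm/sales.db" inode=131074 dev=08:01 mode=0100640 ouid=0 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1525172400.555:2002): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4200 pid=4203 auid=1002 uid=0 gid=0 euid=0 tty=pts1 ses=9 comm="cp" exe="/usr/bin/cp" key="sales_db"
type=PATH msg=audit(1525172400.555:2002): item=0 name="/srv/crm/sales.db" inode=131074 dev=08:01 mode=0100640 ouid=0 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1525172401.000:2003): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=4300 pid=4301 auid=1003 uid=1003 gid=1003 euid=1003 tty=pts2 ses=11 comm="cat" exe="/usr/bin/cat" key="sales_db"
type=PATH msg=audit(1525172401.000:2003): item=0 name="/srv/crm/sales.db" inode=131074 dev=08:01 mode=0100640 ouid=0 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1525172500.000:2004): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=4400 pid=4401 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="vim" exe="/usr/bin/vim" key="etc_changes"
type=PATH msg=audit(1525172500.000:2004): item=0 name="/etc/hosts" inode=2 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# Record header: type=<TYPE> msg=audit(<epoch.millis>:<serial>): <fields...>
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class FileAccess:
    when: datetime
    login_uid: int      # auid: the user who logged in; survives su/sudo
    effective_uid: int  # uid at the time of the syscall (0 after sudo)
    program: str
    path: str
    succeeded: bool


def parse_fields(body):
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def group_records(log_text):
    """Merge the SYSCALL and PATH records that share one event serial."""
    events = defaultdict(lambda: {"ts": None, "syscall": {}, "paths": []})
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or a truncated line)
        ev = events[m.group("serial")]
        ev["ts"] = float(m.group("ts"))
        fields = parse_fields(m.group("body"))
        if m.group("type") == "SYSCALL":
            ev["syscall"] = fields
        elif m.group("type") == "PATH":
            ev["paths"].append(fields.get("name", "?"))
    return events


def file_accesses(log_text, key):
    """Return every access attempt tagged with the given rule key, oldest first."""
    result = []
    for ev in sorted(group_records(log_text).values(), key=lambda e: e["ts"]):
        sc = ev["syscall"]
        if sc.get("key") != key:
            continue
        result.append(FileAccess(
            when=datetime.fromtimestamp(ev["ts"], tz=timezone.utc),
            login_uid=int(sc["auid"]),
            effective_uid=int(sc["uid"]),
            program=sc.get("exe") or sc.get("comm", "?"),
            path=ev["paths"][0] if ev["paths"] else "?",
            succeeded=sc.get("success") == "yes",
        ))
    return result


if __name__ == "__main__":
    for a in file_accesses(SAMPLE_AUDIT_LOG, "sales_db"):
        status = "opened" if a.succeeded else "was DENIED access to"
        print(f"{a.when:%Y-%m-%d %H:%M:%S}Z  auid={a.login_uid} (uid={a.effective_uid}) "
              f"{status} {a.path} via {a.program}")
```

Two caveats a practitioner would want here. Attribution must use auid (the login uid, which survives su and sudo) rather than uid, otherwise the copy made as root in the sample is attributed to nobody in particular. And at the file-system level a copy is just a read of the source file, so the log proves the file was opened by a given account and program, not where the bytes went afterwards. On Windows the equivalent is a SACL on the folder plus the “Audit File System” subcategory, which produces event ID 4663 in the Security log; the same rule applies, it has to be on before the incident.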
HR plays another role in security when it is involved in complying with data privacy legislation. This area is quite new. The titles of privacy officer and data privacy officer have only started to appear in the last few years, as new legislation has begun to mandate customer and employee privacy rules. HR used to lead in this area, but now there are managers with titles like Chief Data Protection Officer. Whatever the titles, HR is still at the heart of it, because HR handles employees’ private personal data. Sometimes HR staff are also needed as in-house experts when dealing with customers’ personal data.
The HR director is also connected to a lot of different security policies and will know the company’s privacy requirements as well as the local privacy legislation. They are also the key players in dealing with union representatives. If a cybersecurity manager wants to write an acceptable use policy, they will have to get pretty deep into people’s daily work and talk with union representatives, so they will need HR for both. Say the security department wants to install a CCTV system to monitor areas where people work, or wants to track computer use in certain security-related cases. People usually feel such measures are invasive or against their privacy. The best way to seek acceptance is to go through HR, then talk to the union representatives together with them and plan the necessary improvements jointly. Early involvement is the key.
Because HR managers have a high level of security awareness, most cybersecurity managers are comfortable working with them. HR knows how to protect personally identifiable information (PII). When HR people leave their offices, they usually take care to lock their doors, put all papers in drawers and lock them, lock their screens and computers, and take other physical security measures. Many of these security and privacy requirements are mandated by law. If HR makes a mistake, they may be liable for it, and they know it.
Threats in HR and Privacy
Data breaches and leaked personal information are the clear threats related to HR and privacy. Typical cases include stolen personal identity numbers or social security numbers. Stolen private data might also include a street address, name, phone number and credit card number, which is enough to commit many different kinds of fraud against someone. Nowadays it is increasingly common for healthcare institutions to be breached, and all of the above is stolen along with patient health records.
The simplest form of identity theft is someone stealing personal information and using it for phishing. There is much more, though. Some people’s identities have been used to buy or sell a home or to shop online. It is easy enough: some online shops let customers pay after delivery, so all an attacker needs is a full set of a person’s identity details, and they can make a purchase, have it delivered to a false address and leave the victim with the bill.
Identity theft, as horrible as it is, is seldom personal. Attackers rarely target somebody as a personal vendetta. It is all for money, and there are millions of targets out there. The only limiting factor is that attackers do not have the resources to attack everybody at the same time. Whoever is targeted is just unlucky, and there are a lot of unlucky people. PII is one of the hard currencies that cybercriminals use in their trade.
Once personal information gets out, there’s not much a victim can do. We recently heard about a case where someone in Finland was involved in a data breach. Back in 2012, his information was breached along with that of nine thousand others. You might think that information from 2012 is too old to be useful anymore, so what’s the big deal if it leaked? That may be true for a phone number or an address, but some private information doesn’t change, like a person’s social security number or their name. In 2018, six years later, this victim found out that someone was fraudulently buying things online in his name. Once it’s out, it’s out.
Theft of personal information obviously leads to a loss of consumer trust, and it should be a major concern for companies with many B2C customers. It’s getting worse; one recent leak contained 1.4 billion user passwords. This trend has led countries across the globe to enact new laws about data breaches and about spreading information with malicious intent. It will take time for these new laws to become effective; the criminals, however, won’t wait. They’ll do it anyway, with or without the law.
Companies can spend a fortune making IT and technology virtually impenetrable, but the bottom line is that the people involved need to develop their security awareness. We have data that shows the biggest thing companies can do to improve security is increase awareness. Otherwise someone is going to click the wrong link, open an attachment or do something silly. And there’s no patch for human stupidity.
Companies usually perceive themselves as better prepared against these sorts of threats than they actually are. An employee often thinks, “Because I have a computer in front of me and I can do anything I want with that computer, I can always avoid clicking a suspicious link or opening an unknown attachment. Because I can do it, I deduce that everybody else in the company will do the same.” It’s not true. Most people don’t realise when they are being influenced or tricked. Human nature is one of the most difficult problems in security, and it always will be.