Recent, highly publicized data security incidents highlight the continued vulnerability of corporate information systems. Notably, employees who fall prey to sophisticated phishing e-mails and other scams often contribute to the success of cyberattacks and other assaults on an employer's information systems. Consequently, technical fixes, alone, will only partially reduce the risk of a data breach. For that reason, human resources professionals and in-house employment counsel can play a critical role in reducing the risk that their organization will be the next victim.
Below we list eight tips the "people side" of an organization should consider taking to supplement and enhance the organization's technical safeguards for sensitive information:
- Conduct Background Checks: Job applicants, temps, and contractors who will have access to sensitive information or administrative privileges for information systems should be subject to a thorough background check before they start working, and periodically thereafter, focused on evaluating trustworthiness.
- Confidentiality Agreements: Consider requiring all employees with access to sensitive information to sign a confidentiality agreement that not only requires non-disclosure of confidential information, but also describes steps employees must take to safeguard the employer's confidential information.
- Security Training: Train all employees, regardless of access rights, on information security as part of the onboarding process and provide periodic security awareness reminders. Provide additional training to all employees authorized to access sensitive information.
- Security Incident Awareness: All training should include information on what events constitute a security incident and how to report a security incident internally.
- Recognize Phishing Emails: Training should also include information on how to recognize and report phishing emails. Employees commonly are responsible for activating malicious software, such as ransomware, by clicking on a link or opening attachments. They routinely are duped into disclosing to scammers their network log-in credentials in response to what appear to be a trusted requestor, such as the organization's IT Department or a business partner. And, hundreds of payroll personnel have disclosed all of their organization's W-2 forms in response to bogus requests from a senior executive.1 Given the prevalence and serious consequences of these scams, companies should consider sending fake phishing emails to employees and providing additional training to employees who fall for the test scam.
- Need-To-Know And Minimum Necessary: Ensure that employees have access to sensitive data only on a need-to-know basis and limit authorized access to the minimum necessary to perform job responsibilities. Access rights should be modified when job responsibilities change and terminated promptly after the employment relationship ends.
- Require Strong Passwords: Require that employees use strong passwords, i.e., at least eight characters with a mix of letters, numbers, symbols, and cases, and prohibit employees from sharing their passwords with anyone, including the IT Department.
- Prepare For A Security Incident. Even companies with robust information security programs will experience a security incident. Many incidents naturally will be reported to HR professionals or in-house employment counsel, such as the disclosure of W-2 forms in response to a phishing e-mail or the mis-direction of an e-mail with an attachment containing social security numbers or health benefits information. HR professionals and in-house employment counsel should put in place a plan for responding to these "non-IT" security incidents.
1. For more information about W-2 phishing, please see Philip Gordon, It's W-2 Phishing Season: How to Stop, and Respond to, Tax-Related Identity Fraud Aimed at Your Organization's Employees, Littler Insight (Mar. 7, 2017).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.