HR’s role in data security
  • HR professionals should take part in a company’s data security process, making sure that goals are realized and messaging is fully comprehended.
  • Enforcement of disciplinary actions involving employees must be monitored and supported by HR personnel.

There’s some disagreement in the business world over the extent to which human resources (HR) professionals should be concerned about data security in their organizations. Some believe that it’s solely an information technology (IT) function, and it might be for companies that have an IT department. But even in companies with IT departments shouldering the bulk of data security concerns, HR still has a role to play.

Creating policies

HR tends to be the keeper and communicator of company policies. A company cannot effectively protect the security of its data without creating a plan to do so and informing employees of that plan.

While HR may not be solely responsible for drafting a data security policy, it should be involved to help ensure company goals are consistently represented and that the messaging is clear. HR may also be able to provide a less technical perspective that may be more in line with the view of most employees.

Getting the word out

Contrary to popular belief, data security breaches aren’t as likely to be caused by rogue hackers as they are by current and former employees. In most companies, employees who have access to data that could be part of a costly breach aren’t just IT workers, nor are they limited to a company’s top executives.

HR’s job includes identifying any employee who might benefit from understanding the company’s procedures for protecting sensitive data and making sure HR has the information necessary to do its part to prevent a breach.

Employers in certain industries are required to conduct data security training. They may also be required to conduct such training by a contract the company holds with the government or another entity. Even in the absence of mandated instruction, training for employees is an important step in preventing data breaches.

Employees must know what personally identifiable information (PII) is, common ways data is compromised, and what’s at stake when it is mishandled. Training should review the company’s policies surrounding the protection of PII, as well as who to contact when a breach of such information may have occurred.

Workers can benefit from learning about traps other companies have fallen into in recent years. For instance, an employee might be targeted by a phishing attempt.

A phisher typically drafts an email using real company logos from a source the employee would recognize and trust. The email directs the recipient to click on a link and, once redirected to a fake website, the worker is asked to supply a username, password, credit card data, and other personal information. Even if an employee doesn’t provide any PII, clicking a phishing link could give scammers dangerous access to the company’s network.

A significant breach of a major and well-known U.S. retailer in 2013 was thought to have begun when an HVAC (heating, ventilation, and air-conditioning) company with which the retailer did business was the victim of a phishing attack. From there, phishers gained access to the retailer’s data. This example not only reinforces the need to train employees, but also to ensure that vendors and contractors are vigilant about employee training.

Getting buy-in

Part of communicating a data security policy is making sure employees understand the risks involved if data is breached. Training should convey the seriousness of the employer’s internal policies and procedures. It must help employees understand precisely how failing to follow the policy (from each of their individual roles within the company) could contribute to a breach. Employees who don’t understand the point of the guidelines are considerably less likely to follow them.

Enforcement

As with any policy, HR also has a role in the everyday application of a data breach policy. Employers that hope to prevent a data breach must be willing to implement discipline when employees exhibit behaviors prohibited by company policies, even if those behaviors don’t lead to a breach of data. While HR professionals may not be the ones implementing discipline, they must ensure managers practice consistent enforcement and must provide support for discipline when needed.

Limiting access and protecting data

Beyond training, employers must ensure that individual employees don’t have unnecessary access to any PII. For starters, employers should verify that any PII collected by the company is amassed for a specific reason. Where data is necessary, controls should be in place to ensure it is available only to employees with a clear business need to access it.

When these controls include individual user passwords, employees need to be reminded to create them thoughtfully and to keep passwords secure. Despite an increasing awareness of the importance of data security, “password” and “12345” have been at or near the top of the list of most common internet passwords year after year.
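As an added example (not from the article), a screening routine an employer could run when an employee chooses a password: it rejects the common passwords the article names, plus trivial disguises of them such as capitalization, trailing digits and leetspeak. The blocklist, the minimum length and the sample inputs are constructed assumptions; a real deployment would load a full published common-password list.

```python
"""Screen a proposed password against a blocklist of common passwords.

Added example, not from the original article. The blocklist is a small
constructed sample; it includes the two values the article names.
"""
import re

# Constructed sample blocklist (the article names "password" and "12345").
COMMON_PASSWORDS = {
    "password", "12345", "123456", "qwerty", "letmein", "welcome", "admin",
}

# Character substitutions people commonly use to disguise a dictionary word.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
# Trailing digits/punctuation appended to a word ("Welcome2024", "Summer!").
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*._-]+$")


def variants(candidate: str) -> list[str]:
    """Forms of the candidate to compare against the blocklist, in order:
    lowercased as typed, with trailing digits/punctuation removed, and
    with leetspeak substitutions undone."""
    lowered = candidate.lower()
    # If the whole value is digits/punctuation (e.g. "12345"), keep it as is.
    stripped = TRAILING_JUNK.sub("", lowered) or lowered
    return [lowered, stripped, stripped.translate(LEET_MAP)]


def check_password(candidate: str, min_length: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason). min_length is an assumed policy value."""
    for form in dict.fromkeys(variants(candidate)):  # dedupe, keep order
        if form in COMMON_PASSWORDS:
            if form == candidate.lower():
                return False, f"'{form}' is a commonly used password"
            return False, f"trivial variant of common password '{form}'"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "not on the common-password blocklist"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["12345", "P@ssw0rd1!", "Welcome2024", "correct horse battery staple"]:
        accepted, reason = check_password(sample)
        print(f"{sample!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```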