HR possesses some of a company's most valuable data, including employees' Social Security numbers and other personal information that a company must work to protect. Though some may believe HR professionals are mainly responsible for carrying out personnel decisions and benefits management, HR staff can and must help protect their organization from cybersecurity attacks.
HR staff can make many contributions to help fortify their organization's data security program and help keep the company resilient against attacks. Some of these include working on employee training and identifying sensitive HR records.
Here's how HR professionals can help bolster data security efforts.
Help establish and communicate security policies
HR professionals should serve on the organization's IT and security governance committee and help create security rules.
HR staff should then communicate their organization's acceptable usage policy and confidentiality and nondisclosure requirements to employees. These may exist in standalone documents or as part of an employee handbook.
Organize security training
HR staff should ensure that all employees are receiving the necessary corporate training, which includes expectations around computer and internet usage. HR staff should also consider implementing periodic tests to ensure that security stays top of mind for employees.
Work on data standards
HR staff should work with technical professionals and legal staff to establish company data classification and retention standards, as well as policies that meet state and federal legal requirements. They should also collaborate with tech professionals and legal staff to decide on wording for vendor, business partner and customer contracts.
In addition, HR should work with technical professionals to ensure they are properly destroying employee records in accordance with corporate policies around data retention.
Identify sensitive HR records
HR staff should work with technical professionals to discover sensitive HR records across the local network and in the cloud to help ensure those data assets are properly protected. They should also evaluate existing and emerging compliance requirements involving sensitive records.
In addition, HR should work with technical professionals and other departments as necessary to complete auditor or vendor security questionnaires that involve management oversight of sensitive records.
Keep an access record
HR staff should work with technical professionals to establish and maintain logs documenting HR's access to employee records and ensure that these logs are in line with internal security policies and compliance requirements.
Set an example
The HR department should serve as a leader in practicing the security essentials. Some of these best practices include the following:
- using strong passphrases;
- updating software when prompted;
- considering the physical security of laptops, tablets and phones;
- avoiding clicking random web links or opening email attachments;
- following best practices for saving sensitive records on local computers, network servers, and in the cloud; and
- reporting suspicious behavior to the IT and security team.