The HR department is the perfect fit for taking on the role of cybersecurity culture creators.
It is often reported and commented on in the IT and wider business press that, in order to mitigate the ever-increasing risk of cybercrime, an organisation needs to develop a ‘cybersecurity culture’. This is loosely defined as a state in which all members of staff are aware of the threats and of how their day-to-day actions in creating, managing, moving and sharing data may increase or decrease that threat.
But where to start? Maybe the front door, as new employees commence their time with their new employer. By this I mean through HR, the team that attracted, interviewed, negotiated and convinced them to sign on the dotted line.
Within the first few days or weeks of an employee’s new life they will be taken, by HR, through a process of induction. This general orientation on the organisation’s aims, structure and offices will have a small segment allocated to Health & Safety. Why? Because no company wants to suffer the consequences of any form of accident, incident or, in the most extreme and sad cases, fatality occurring during the working day.
As a sometime employee of organisations, a contractor in others and a freelancer to many, I have sat through many Health & Safety presentations. I have always found them quite pleasant as they inform me how to pick up a box correctly, how to not run with scissors and not to slip on the wet tiled floor in the reception area.
In recent years, I have seen more and more cartoon-like videos in which hapless stick figures fall and break bones. So why not create a similar video where the stick figure clicks on a link in a phishing email, or is ravaged by the wolves of data protection when they send company-confidential information to their GMail account, or raises an alarm to the designated Data Protection Officer when they witness a disgruntled employee start to take a virtual machete to one of the departmental shared folders?
I have often concluded that Health & Safety is to protect all aspects of ‘physical’ wellbeing within an organisation, therefore Cyber Security should be seen as protecting the ‘digital’ wellbeing of an organisation.
Although Health & Safety often gets unjustly criticised, I wonder how many injuries have been avoided and lives have been saved in the decades since the legislation came into effect. And although I wasn’t in work in the early 1970s when this new culture dawned, I’m relatively confident in my prediction that many employees at the time saw it as either a threat or a waste of time. However, as the diligent team in HR have continued to bring in new blood, they have slowly turned around that super tanker of ambivalence to one that is lightly peppered with safety tape, high-vis jackets, safety signage and skill sets that collectively keep us all safe. So, if a culture of cyber security is to be created, then we need to go through the same process.
It won’t change overnight, but the natural churn of an organisation’s staff will ensure that within a handful of years cyber security is ingrained within the everyday activities of most, if not all.
If forward-looking HR departments were to take up this challenge, then they in turn would generate a new market opportunity for small-scale design agencies, animation studios and filmmakers to start crafting simple but effective communications tools on the perils employees face when confronted with a dubious digital request, or on what to do when a colleague asks to ‘borrow’ their login details.
They could develop little checklists and internal communications material with easily remembered phrases and tag lines, provided to staff alongside their shiny new laptops or tablets, reinforcing the need to stay vigilant against the cyber criminals.
How about extending their remit of privacy on matters of HR to include a confidential ‘Actionline’ that employees can call to report cyber security concerns, even if that means reporting fellow employees purposefully circumventing cyber procedures? After all, it only takes one breach, one ransomware attack, to bring down an entire business. Any employee whose diligence prevents such an issue would deserve rewarding, another job for HR in this new-found role.
If that wasn’t enough, maybe HR could state on the company intranet the number of days without a cyber incident, similar to the signs you often see on building sites listing the number of days without a physical incident. OK, that might be a bit too much right now, but why not think creatively about this issue?
HR is the perfect place to start this cultural change. They set the precedent for how new employees undertake their duties. They set policies that are adhered to and will undertake disciplinary action when required. They have the skills, the structure and the history of being able to slowly force through cultural change. They can do it again for cybersecurity. All that’s required is for them to live up to their name and show a little resourcefulness.