Leaks of confidential data from companies are still not uncommon. They may even turn into major scandals, as in the recent hacker attacks on the servers of the Sony Pictures film studio or Ashley Madison, the online dating site for people who are married or in a committed relationship. Most data leaks, however, are caused not by hackers from North Korea or anywhere else outside the company, but by employees. Protecting corporate data is therefore a matter not just for IT but also for HR.
According to the website of the Chartered Institute of Personnel and Development (CIPD), a British professional organisation comprising experts from the field of HR and education worldwide, HR professionals should more actively participate in the fight for corporate data security. Specifically, they should take the following steps.
1. Ongoing employee training
Training on cyber security should not be aimed only at newcomers, nor should it be a one-off event. Employees should be educated continuously and practically in this area. Lectures based on classic PowerPoint presentations are not a good idea; instead, try, for example, a fake hacker attack.
2. Training of HR professionals
Large companies in particular have already implemented systems able to track suspicious employee activities. When HR professionals learn how to use these systems, they will better understand the information flows within their company and anticipate problems more easily.
3. Identification of employees with access to confidential data
Remember that social networks have made mass sharing of information very easy. HR staff should thus be able to identify employees who have access to confidential information and carefully consider how to include the ban on sharing such information in their employment contracts.
4. Hiring a specialist
Your IT department should have a real specialist able to deflect or, in the worst case, stop hacker attacks. Do not count on the fact that any "IT guy" can do this.
5. Immediate reaction in case of data leakage
If someone steals confidential data about your company and employees from your systems, this data will most likely appear somewhere publicly. Your duty is to inform the affected employees immediately, offer support and follow your crisis procedures.
-kk-