How Organizations Can Make Data Security a Part of Their Company Culture
Often when we have a vision of company culture, we think about fun stuff like foosball tables, free food, and wearing Aloha shirts on Fridays. But a prominent component in company culture is safety and security. We want workplaces that are safe for our employees. We want customers to know that the information they give us is secure.
At this year’s SilkRoad Connections Conference, Elijah Technologies President Andy Reisman reminded us of the activities human resources professionals can do throughout the employee life cycle to emphasize data security. This is certainly an area where HR can step up their game.
First of all, Reisman was quick to point out that the goal of creating a data-secure company culture isn’t to cut employees off from data. Employees need access to technology, systems, and data to do their jobs. But he did say that companies might want to consider utilizing the principle of least privilege, which means giving users access to only the functions they need to perform their work. This isn’t to imply that users aren’t trustworthy. In fact, some users will tell you that they don’t want more access than they need. It’s about creating a safe and secure work environment.
The second point that Reisman wanted HR professionals to know was that they don’t have to become the company’s forensic IT specialist. But it is for HR to have a general understanding of capabilities. For example, did you know that in some operating systems, organizations can see external device insertion activity? So, the company could see if an employee inserted a flash drive into their computer a couple of days before they left the company.
When it comes time to think about implementing a data security program, there five activities to consider:
- Conduct a data theft risk analysis. Organizations need to ask themselves, “What positions are at risk?” For example, business development roles could be considered high-risk because of their access to client information and pricing structures. Senior executives could also be considered a high-risk position.
- Partner with accounting and legal. Human resources will want to establish a budget for creating, implementing, and maintaining a data security program. The budget and plan will be based on risk factors and costs. The company’s legal and accounting departments should be consulted throughout the process.
- Focus on new hire onboarding with security in mind. Organizations will want to decide if non-disclosures, non-competes, and intellectual property agreements have a place in their hiring processes. In addition, the company should teach employees about good password management in orientation.
- Regularly monitor data security. Technology is changing all the time. As such, organizations will need to keep policies current and make sure employees stay up-to-date on those policies. Companies will also want to decide how to balance employee trust with monitoring. The goal is to create a safe and secure work environment without eroding employee trust.
- Manage employee access in a timely fashion. Organizations should include in their offboarding policies the best way to manage employee access to information when they resign. That includes knowing what to do when employees go to work for the competition. In some cases, employees simply don’t remember all of the paperwork they signed when they started and need a friendly reminder. It’s about being prepared.
Technology is a prevalent part of our personal and professional lives. On an individual level, we use technology every single day. So, organizations need to consider that technology is part of their company culture. That means creating systems, processes, and policies that will ensure the data being captured is safe and secure.
Employees want to know their data is safe and secure. Customers want the same. Human resources departments have the task of facilitating the operational ways to bring data security and company culture together in a transparent and authentic way.