Cyber Security WARNING! Does your company have a cyber security policy?


60,111 UK businesses reported cyber security breaches in 2021, indicating the requirement for a cyber security policy.

It is safe to say that the majority of us have received, or know a colleague who has received, a suspicious ‘work’ email. These usually ask for a favour involving money or request bank account details, and appear to come from senior management or the HR department. Cybercrime has grown over the last few years following the pandemic; it targets individuals and can have a long-lasting impact because it involves personal data and finances.

Over a 12-month period reported in 2022, ransomware attacks affected 73% of UK organisations, further highlighting the need for a proactive approach across the whole business.

How can HR departments improve cyber security in the workplace?

HR departments should introduce cyber security policies within employee handbooks and contractor contracts. A cyber security policy has positive attributes: it shows the company taking a proactive approach to cyber crime, emphasises the seriousness of the issue and helps build trust, as employees and contractors feel their information is secure and safe.

The main purpose of a cyber security policy is to protect employee, 3rd party and customer data, alongside maintaining the company’s reputation. We have all heard about Facebook and its breach of customer data, which led to a loss of customer trust.

The cyber security policy should apply to everyone involved in your business: not only full-time employees, but also agency employees, contractors/freelancers and even volunteers such as student interns. This means anyone who has access to your IT systems and hardware must be aware of your cyber security policy.

Companies must have all essential protection software; additional measures are also necessary to further protect personal and confidential information. Further protection and consideration are vital for remote employees.

Unfortunately, some businesses do end up paying the ransom in order to get their information back securely; in the UK, 13% of businesses that experienced a cyber attack paid the ransom in 2021, at an average cost of $1.08 million per company.

Elements to include in the policy

Information on your IT security providers

Any suspicious emails should be raised with your IT security providers, and phishing emails require investigation. The aim of phishing is to get you to click a link that takes you to a scam URL, which needs to be reported and removed.

The National Cyber Security Centre (NCSC) has the ability to remove scam email and website addresses; this is a free service for everyone to use. As of May 2022, the NCSC had removed 153 thousand scam URLs. However, if you have been a victim of fraud through a phishing email, this should be reported to Action Fraud (if based in NI, England or Wales) by visiting the Action Fraud website or by calling 0300 123 2040. Those living in Scotland should report to Police Scotland on 101.

Confidential information

Confidential information must be protected, and businesses and their employees have obligations to keep it protected. Within the business’ cyber security policy, confidential information should include:

  • Financial information
  • Information of customers, 3rd party suppliers or partners
  • New technologies, formulas, or patents
  • CRM/Customer information lists, both existing and prospect clientele

Protection for personal and company devices

Employees have a responsibility to ensure personal and company property (laptops/phones/tablets) is secure at home and in the office. This includes strong password control: passwords should be at least 8 characters long and not easy to guess, and they should not be kept in written form or within a document on a laptop. If passwords need to be shared, face to face is always best, but with hybrid/remote working this isn’t always possible – in that case a phone call should be used.

No passwords should be sent in emails, due to high levels of phishing.

Employees should not share their work devices with external individuals, as this can be a breach of security and data protection, since those individuals may access links or websites outside the web addresses required for work.

Movement of digital data

Security risks arise when digital data is being transferred. Large volumes of data should be transferred with assistance from security protection providers; this helps decrease the risk of information being leaked or data protection breaches occurring.

Data leaks of customer or client information lead to poor company reputation; employers must ensure employees do not put the business in this position.

Other cybersecurity measures

  1. Locking screens when away from desks
  2. Contacting the IT/HR department as soon as possible if any company devices have been stolen or hacking is suspected
  3. If items have been stolen, passwords must be changed for all accounts
  4. Suspicious emails must be reported
  5. Anything perceived as a security weakness should be highlighted
  6. Avoiding downloading unauthorised or unsecured software on company property
  7. Checking for the padlock beside the URL when researching or visiting a new website

Disciplinary action

All employees are expected to adhere to company policies; if an employee’s action leads to a security breach, this can/will result in disciplinary action.

Example statements for employee handbooks

  1. Unintentional, first-occasion, minor security breach: verbal warning alongside training to improve security processes.
  2. Repeated, intentional or large data breach, including leaked financial or customer information: disciplinary action may be severe, up to and including termination.
  3. The business has the right to examine each security breach as it sees fit and on a case-by-case basis.
  4. Where a data breach has not occurred but an employee has disregarded the security policy and does not take a proactive approach, this may lead to a verbal warning.

Cybersecurity training

Policies can help safeguard the business from a legal standpoint, provided everyone is made fully aware of the policy. Furthermore, implementing training is a key measure to reduce the possible impact of cyber attacks. Training would involve illustrating the types and signs of hacking or phishing emails for all employees, especially those who are not confident when using technology.

If your business needs guidance for security issues, do not hesitate to get in contact!

Call: 0800 111 4461