Why Should Data Security and Privacy be an HR Initiative?
Technology is no longer the special province of programmers and engineers. Nearly every employee at every company relies on technology to do their job and will do so increasingly. Human Resources (HR) plays a critical role in helping manage and train this fast-changing workforce – especially when it comes to data security and privacy.
Whether your employees are in their first jobs, young professionals, seasoned workers, or – most likely – a combination of these, it is important that everyone (not just security professionals) has a basic knowledge of standards of privacy and security and feels responsible for keeping your organization’s data secure.
It’s Just Human Nature
You might think that most data breaches are perpetrated by hackers and cybercriminals. These incidents certainly make the headlines. But the evidence suggests much more mundane causes at the root of most data breaches.
According to a recent survey of IT and security professionals conducted by the Ponemon Institute, only 8% of data breaches were caused by external cyberattacks.
Most data breaches, rather, were the result of human mistakes. In fact, 35% of data breaches were caused by the loss of a laptop or other mobile devices, 32% by third-party mishaps or flubs, and 22% by malicious employees or other insiders.
Employee mistakes can even precipitate external cyberattacks. According to Marc Van Zadelhoff, the VP of IBM Security, 95% of data breaches involve mistakes by those who already have access to an organization’s systems.
In other words, the firewalls and protections that keep people out won’t do anything about those people already inside.
As security consultant Steve Stasiukonis wrote: “All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.”
Let’s dig deeper to better understand what these human errors look like and why HR is uniquely positioned to help an organization address them.
Digital Tools in Human Hands
The nature of work is changing, and driving that change are the digital tools we use to create and collaborate. But technology is only half the equation.
As digital tools multiply, so will the number of people relying on them to do their jobs. Without a well-trained and well-managed workforce, technology can be misused or even abused.
Consider a recent survey of employees’ behaviors conducted by CompTIA. They found that most employees (63%) use work devices for personal activities, and most workers report performing work tasks on public networks, such as checking work email (78.5%) or accessing work documents (60%). These activities put your organization’s data at risk.
And it’s not just what employees are doing; it’s also what they aren’t doing. Security professionals told the Ponemon Institute that 87% of employees do not notify anyone when a USB drive is lost, 78% do not change passwords frequently, and 74% reuse the same passwords.
Addressing these kinds of behaviors is not simply a matter of better informing employees. It involves motivating and enabling them to build better habits – that is, creating a culture shift that we call “moving the elephant.”
HR to the Rescue: Protecting Data Security and Privacy
In the world of instructional design and behavior change, we use the analogy of the rider and the elephant to describe two parts of our thought process. The rider represents the conscious, rational part. The rider loves to analyze and plan. The elephant represents the emotional part. It follows its gut.
We would like to imagine that we’re always guided by the rider. But mostly we are led by the elephant. It’s what pushes us to do the wrong thing even when we know what’s right – it’s why we can’t resist clicking on that suspicious link and why we fail to update our passwords regularly.
If data security training were just a matter of informing employees about best practices, then IT could prepare a slideshow and be done with it. But data security and privacy training is fundamentally about moving the elephant. To see how, it’s important to understand why employees make the decisions they do.
For example, surveys suggest that many workers see a trade-off between efficiency and data security, and when forced, they’re choosing efficiency over security. In a recent survey, 15% of Millennials, 13% of Gen Xers, and 13% of Boomers said they were “very likely” to find ways around restrictive security controls, and 41%, 29%, and 15% respectively said they were “moderately likely” to do so.
In other words, between half and a third of the workforce have a clear preference for convenience over data security and privacy. This preference is an elephant problem, not a rider one.
Fortunately, most organizations have a department that is really, really good at moving the elephant: HR. At its core, HR is about managing people. It oversees employee training and onboarding, cultivates a positive corporate culture, and redresses employee conduct – which are the issues at the heart of moving the elephant and thus at the heart of good data security and privacy.
HR can help an organization create a work environment that empowers employees to use new technology efficiently without sacrificing the safety and security of their own data or your organization’s. Changing practices, beliefs, and attitudes about data security needs to be a priority for all companies.