Human resources executives play a critical role in any organization, but the banking industry demands an even higher level of diligence: HR professionals there must continually implement new policies to reflect ever-changing state and federal regulations. That same flexibility and anticipation of change should also encourage HR and the rest of the financial institution to work together more closely on initiatives that effectively boost cybersecurity.
The first step is to recognize that no one operates in a vacuum in the cybersecurity space. To the contrary, a greater flow of communication and coordination with other corporate officers can be crucial in providing better protection for a financial institution’s overall network security.
Additionally, HR should help Information Technology professionals see beyond the shortsighted assumption that cybersecurity is merely a technical challenge. For starters, HR professionals need to fully understand the needs of the bank's Chief Information Officer and/or Chief Information Security Officer and actively offer their assistance.
Where HR can help
An initial checklist of potential areas of assistance should include:
1. Hiring practices. HR may amend hiring practices such as background checks and references to include screening for cybersecurity risks. Upon hiring, employees should be educated and trained on organizational cybersecurity protocols. When necessary, the bank must discipline those who violate the rules.
2. Employment contracts. Judicious use of employment contracts to create contractual rights and remedies against key employees who facilitate network breaches should be considered.
3. Passwords. Poor password practices can be a hacker's gateway into a bank's computer network. Common high-risk practices include not using passwords when they are needed, using passwords that are easily broken—like "password"—and writing passwords out in emails and other electronic communications.
4. Recognizing malware. Malicious software, or malware, is any software used to gain access to a computer network, often to disrupt operations and/or to gather sensitive information. Frequently, employees unwittingly download malware onto the organization's computer network. While some malware may get through no matter what HR does, training employees to recognize threats such as phishing, worms, Trojan horses, ransomware, and spyware is an important contribution.
5. Identifying insiders. Cyber criminals sometimes recruit current employees to facilitate entry into the organization's network. HR has an important role here. For example, HR may help identify employees (and former employees) who may be disaffected or otherwise have motives to cooperate with hackers. As a rule, former employees should not have access to the network.
6. Mobile devices. HR will want to review policies and practices with respect to mobile devices.
• What kinds of data are available on such devices, and how is the data encrypted?
• Is access to such data limited to certain employees?
• Can the data be quickly—and remotely—destroyed if the mobile device is lost or stolen?
• When is the data removed from the mobile device?
• Does HR collect all company-owned mobile devices at the conclusion of employment?
7. Inventory of assets. The organization will likely want to identify and inventory its assets from a cybersecurity perspective. Whether or not HR is tasked with this particular function, at a minimum its staff can add value by ensuring that the task has been appropriately addressed.
8. Responding to a breach. A successful attack on an organization's network can create an absolute crisis, and responding to it can become the organization's top priority.
Before the breach happens, has the organization developed a response plan?
Carrying out the plan gives HR an enormous role as part of the response team: defining roles and responsibilities and coordinating personnel activities across the organization.
9. Clear screen and desk policy. While not for every organization, a clear screen policy directs all your organization’s employees to lock their computers when leaving their desks and to log off when leaving for an extended period of time. Such a policy can work in tandem with a clear desk policy to enhance office security from prying visitors—or even disloyal colleagues.
10. Termination procedures. If not done previously, HR may reconsider termination procedures in light of network safety issues. Have passwords been changed and access terminated? Have all portable electronic devices, thumb drives, and company data in whatever form been recovered?
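The questions in items 5 and 10 (former employees should not retain network access; passwords changed, access terminated, devices recovered) can be checked mechanically by reconciling the HR termination roster against the directory's account export. The script below is an added example written for this article, not the author's or any vendor's code. It assumes two exports with the field names shown (employee_id, username, termination_date, enabled, last_password_change, devices) and ISO-formatted dates; the sample records are constructed.

```python
"""Reconcile an HR termination roster against active directory accounts.

Added example, not part of the original article. The field names and the
two record sets below are assumptions standing in for an HR export and an
identity-provider / directory export.
"""
from datetime import date

# Constructed HR export: employees whose employment has ended.
TERMINATED = [
    {"employee_id": "E1001", "username": "jdoe",   "termination_date": "2024-03-01"},
    {"employee_id": "E1002", "username": "asmith", "termination_date": "2024-03-15"},
    {"employee_id": "E1003", "username": "bchen",  "termination_date": "2024-04-02"},
]

# Constructed directory export: account state and assigned company devices.
ACCOUNTS = [
    {"username": "jdoe",   "enabled": True,  "last_password_change": "2023-11-20", "devices": ["LT-0041"]},
    {"username": "asmith", "enabled": False, "last_password_change": "2024-03-15", "devices": []},
    {"username": "bchen",  "enabled": True,  "last_password_change": "2024-04-02", "devices": []},
    {"username": "kpatel", "enabled": True,  "last_password_change": "2024-01-10", "devices": ["LT-0077"]},
]


def offboarding_findings(terminated, accounts, as_of):
    """Return (username, issue) pairs for terminated staff whose offboarding
    is incomplete as of the given date.

    Three checks mirror the article's termination questions:
      - the account is still enabled;
      - the credential was not rotated on or after the termination date;
      - company devices are still assigned to the account.
    """
    by_user = {a["username"]: a for a in accounts}
    findings = []
    for person in terminated:
        term_date = date.fromisoformat(person["termination_date"])
        if term_date > as_of:
            continue  # termination is still in the future; nothing to check yet
        acct = by_user.get(person["username"])
        if acct is None:
            continue  # no directory account at all, so no residual access
        if acct["enabled"]:
            findings.append((person["username"], "account still enabled"))
        if date.fromisoformat(acct["last_password_change"]) < term_date:
            findings.append((person["username"], "credential not rotated since termination"))
        if acct["devices"]:
            findings.append((person["username"],
                             "devices not recovered: " + ", ".join(acct["devices"])))
    return findings


def users_with_findings(findings):
    """Distinct usernames that appear in the findings, sorted for reporting."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    for user, issue in offboarding_findings(TERMINATED, ACCOUNTS, date(2024, 4, 30)):
        print(f"{user}: {issue}")
```

Run against the constructed data as of 2024-04-30, the report flags jdoe three times (account enabled, credential never rotated, laptop still assigned) and bchen once (account enabled, although the password was changed on the termination date); asmith is clean and kpatel, who is not on the roster, is ignored. In practice the two inputs would come from the HR system and the identity provider, and the report would be reviewed jointly by HR and the security team as part of the termination checklist.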
HR must be part of the equation
As previously mentioned, the introduction and likelihood of further regulatory obligations—particularly ones that impact the cybersecurity space—further underscores the need for HR professionals to reexamine current policies and procedures.
For example, professionals located at banks and other financial institutions in New York must consider the New York State Department of Financial Services (NYSDFS) regulations, and additional legal obligations that this or other regulators might impose. Among other things, the NYSDFS regulations require that organizations hire a chief information security officer, whether as an employee or as a third-party service provider.
Either way, the CISO's list of responsibilities can prove to be very challenging. This includes reporting annually to the organization's board of directors, or equivalent governing body, on the organization's cybersecurity program. Whether an organization hires a current employee, outside candidate, or a third-party service provider as its CISO, the person or organization performing this role will likely rely upon the assistance of HR to fully discharge their duties.
Overall, HR professionals at any financial institution need to help create an environment that enables leadership to recognize that behind the technology and hardware, cybercrime is a human activity.
As a result, greater collaboration and communication within the organization can ultimately help produce policies, training, and other safeguards that offer better and more resilient security.
About the author
A. Jonathan Trafimow is a partner of Moritt Hock & Hamroff LLP. He chairs its Employment Law Practice Group and co-chairs its Cybersecurity Practice Group. In the cybersecurity space, Trafimow focuses on the intersection of technology and human resources best practices in assisting clients with preparing written information security plans.