To help combat this, fast-growing companies need to be aware of the risk and need to take appropriate measures to address the resulting security vulnerabilities, according to global cybersecurity company Palo Alto Networks.
Steve Manley, regional vice-president, Australia and New Zealand, Palo Alto Networks, said, “Overwhelmed HR departments may not think that cybersecurity is within their remit but, in today’s high-threat environment, keeping the organisation safe is absolutely part of their responsibility.”
“There are various ways HR departments can do this and it all starts with awareness. If HR departments take a blinkered approach that assumes the IT team will take care of security, then the risk of suffering a major breach will increase exponentially. Putting adequate security in place doesn’t have to be onerous; it just takes attention.”
1. HR apps
As companies grow, they need to migrate their HR apps to more robust systems. This opens windows of opportunity for cybercriminals to attack and for confidential employee information to be compromised. It’s therefore essential to build security policies into these migrations and to choose apps that have a proven approach to security.
This can be even more important as HR teams adopt mobile apps that let employees access HR functionality through their smart devices, as this can create a weak link if the device is compromised. The organisation should, at a minimum, require that smart devices with access to HR apps have two-factor authentication.
2. Identity and access management (IAM)
As the workforce grows and more employees require remote access to systems, it becomes essential to upgrade IAM control measures to support a larger, more fluid employee base. Responsibility for this should be shared among the HR team, IT, and line of business managers.
Clear communication is required to ensure employees have access only to what they absolutely require to do their jobs, and that access is revoked the moment an employee leaves the organisation.
In a fast-growing company with many employees coming and going, it’s not uncommon for access rights to still be in place long after an employee has left, which opens up significant breach opportunities.
3. Employee onboarding and offboarding
The workload around employee onboarding and offboarding can be complex and burdensome. As well as managing forms and confidential information such as payroll details, HR departments need to ensure that employees have the right tools to do their jobs and access to the right systems.
It’s essential to ensure that employees are provisioned correctly at the start and that they hand back all devices and access when they leave. Managing this process gets more complex as the company grows, as there are more apps and business systems that employees need to access.
An automated approach, such as triggered alerts that are sent to the IT team, can potentially help address this issue and close the security loopholes that occur when the HR team forgets to retrieve devices and change passwords.
4. IT asset access and tracking
Related to IAM and onboarding/offboarding, tracking and managing IT assets is increasingly complex as the company grows. Unless the HR team stays on top of this, IT can sometimes lose visibility of who is in the organisation and who has access to which systems and devices.
Furthermore, while some employees may work part-time and bring their own devices, others may work full-time and have devices provided for them. Ensuring all devices are properly managed and secured is essential to protect company data, so new systems and processes need to be considered to secure important information.
5. IT security training
According to the latest notifiable data breaches report from the Office of the Australian Information Commissioner, 34 percent of cyberattacks happen because of human error, which can include ignorance or laziness.
The most secure organisation is one in which there is a culture of security, and the HR department plays a significant role in setting and reinforcing this culture. IT security training and education must be stepped up to ensure internal behaviour matches the increased risk profile of the organisation. Training must be ongoing, resonate with all staff members, and be reinforced through simple measures like gamification.
“Every organisation, regardless of size, is a potential victim of cybercrime. Fast-growing companies can face additional risks because the frenetic pace of growth and expansion can often mean basic security measures get lost amidst the need to move fast and be agile,” Manley said.
“The HR department must be aware of its responsibilities and work with the IT department and line of business managers to help keep the organisation secure during the vulnerable growth phase.”