Human Resource and Security Teams Should Work Jointly to Reduce the Risk of Cyberattacks

COVID-19 has not only changed the way we live but also forced many changes to standard business processes. This article will explore some challenges around human resource (HR) hiring, offboarding and contracting activities. As companies in multiple jurisdictions continue to look for advice from state and federal authorities on COVID-19 safe work plans, this article offers some security considerations from a physical security as well as cyber security perspective.

Onboarding

The days of a coffee meeting with new hires during an interview or on day one of the new job seem distant. Some of the challenges that recruiters and managers experience in the current virtual era include interviewing new employees, onboarding, working, and even team-building activities. As the new employees complete their three-or six-month tenure, their performance review is also likely to be virtual. Many new employees may have never even met a co-worker in person or even stepped foot into the office.

Apart from the obvious challenges that working remotely can bring, a less obvious, but equally important factor is ensuring new employees have the opportunity for a thorough induction, which includes training in the information security processes and policies. HR and Security teams must work collaboratively for an effective outcome in this area.

Tips for Employers Navigating the New Onboarding Process

• Do not skip on background or police checks. Now more than ever, you need to ensure the person you are interviewing online is legitimate. Does the person have the skills, qualifications and experience listed in his/her resume?
• Implement an ongoing training and education program for all your employees. Some roles like your system administrators or developers will need specific and ongoing training. One-off training and education sessions will not suffice in this “new normal.”
• Communicate the incident response process to employees at regular intervals through a newsletter or highlight the process on a common visible place like the Intranet homepage. Make sure all employees feel supported especially in this remote working arrangement. Additional measures include communicating VPN protocols, secure Wi-Fi considerations and using multifactor authentication, wherever possible. More cyber security tips for working from home are available here. 

Advice for Job Seekers

Individuals looking for jobs should also be aware that not all roles advertised are legitimate. Scammers use fake job ads to trick people into sending them money or personal information.

• Never transfer money or send bank account details to potential employers when applying for jobs online 
• Never send a copy of your driver’s license or passport at the online application stage
• Check the recruiter’s or hiring manager’s contact details. If you are unsure whether a call or email is genuine, verify the identity of the person contacting you through an independent source, such as a phone book or online search.  

Other Considerations for HR and Security Teams

The move towards remote working is here to stay for the foreseeable future. This means that the relationship between HR professionals and security teams has to be collaborative to meet the needs of a company from a physical and cyber security perspective.  

• Ask your security team to review and advise on best practices for tools and applications usage. While new tools may help with productivity, it’s important they are assessed from a risk perspective before being downloaded on devices.
• Review and revoke system access for employees on a periodic basis by implementing the policy of least privilege. Employees only require access and permissions to do their jobs, and this should be explained in the security induction during onboarding. 

Managing operational, architectural and technological access controls was a challenge before COVID-19. Now health controls such as social distancing, temperature screening and personal protective equipment (PPE) checks have added an entirely new element to maintaining proper access controls in office buildings.

• Access control systems will be even more important when a return to office in batches occurs. Access control restricts entrance to secure areas of a property, building, room, file cabinet, drawer, or other areas containing sensitive information, assets or data. They also monitor usage of certain spaces. For employees who were made redundant from their job or had left the company during the lockdown, check that their physical swipe passes are appropriately wiped if your company doesn't have an automated solution to manage access control. 
• Remind employees of the process for visitors or contractors attending the premises; it’s mandatory to sign in and provide identification.

Tune in to our Security Concepts podcast for more discussions on security risk challenges.