Cyber-Attacks – Does Your Business Have an HR Plan? 

3rd October 2025


    Cyber-attacks have been hitting the headlines recently. Whether it’s large businesses like Jaguar Land Rover or less obvious targets such as the Kido nursery chain, it seems cyber-attacks may be on the rise. Whether the perpetrators are looking for financial gain or are doing it for other reasons, one thing is clear – a cyber-attack has the potential to cause significant disruption and, potentially, costs – financial and/or reputational – to affected businesses. As such, cybersecurity is likely to be a high priority for businesses of all sizes.

    To complement any measures your business takes in that area, you may wish to think about putting together an HR action plan – aimed at helping your business to combat the risk of cyber-attacks from an HR perspective and helping your business to take appropriate steps in relation to your people if the worst does happen.

    Whilst your HR action plan will need to be tailored to your business and your specific circumstances, here are five things you may wish to think about:

    1. Reducing the risk of your employees being the point of vulnerability
    2. Preparing employees to mitigate disruption
    3. Handling communications
    4. Dealing with suspected employee misconduct
    5. Managing the HR aspects of serious disruption to your business 


    Cyber-Attacks – Does Your Business Have an HR Plan? Part 1

    Reducing the risk of your employees being the point of vulnerability

    Employees can be a point of vulnerability in many ways when it comes to your systems and data, for example:

    • Clicking ‘dodgy’ links in emails
    • Falling for ‘phishing’ or other scams 
    • Downloading unauthorised software
    • Not using strong passwords, inappropriately sharing passwords, or otherwise failing to keep these secure (e.g. jotting them on a post-it note for easy reference, or not being aware of who may be watching when logging in to company systems outside the office, e.g. when travelling on a train)
    • Connecting company devices to public networks 
    • Losing an unsecured company device, e.g. a laptop (such items are being avoidably stolen whilst employees work remotely)

    Raising awareness of IT security issues and making sure your employees are familiar with and up to date on any relevant policies, procedures or practices in your business is a must. When it comes to cybersecurity, it’s important that employees are aware of the part they play and know how to act appropriately to help protect your business.

    It will be important to identify areas in your business where there could be particular vulnerabilities in relation to your people and take appropriate steps to combat these. Often, promotion of policies, training and ‘refreshers’ are key actions. For example, do your employees know what to do if they receive a suspicious email?

    Whilst IT security issues can be unintentionally caused/contributed to by employees, sometimes it can be deliberate. Whilst less common, it is an issue that was recently highlighted in the news. You may have heard reports of the BBC journalist who was approached by hackers who offered him a substantial amount of money if he helped them to gain access to the BBC’s systems. Your business may wish to make it clear to employees what they should do if they are approached in this way, and that such co-operation with hackers will be considered a serious disciplinary offence.  

    Preparing employees to mitigate disruption 

    It’s important to think about what steps you can take from an HR perspective to mitigate disruption if a cyber-attack does happen. It will come as no surprise that planning ahead can help to put you in a better position. As an example, you may have heard about the cyber-attack that caused disruption at several European airports recently; after check-in software used by several airlines failed, some resorted to checking passengers in using pen and paper. 

    You may wish to think about what measures your business could put in place to keep things going if you no longer had access to key IT systems/programmes and the role your employees will play in this. In some cases, it could mean not just having a plan but employees may need a bit of training in advance too. Depending on your business and the nature of employees’ roles, it may see them needing to fall back on seldom-used skills (that are a bit more specialised than just using pen and paper…). Knowing you have these skills and a plan in place should they be needed can help to give your business a little peace of mind and minimise disruption should a cyber-attack occur. 

    Strengthen Your HR Cyber Readiness

    At Kingfisher, we turn your cyber-risk policy into day-to-day practice: we train your people to spot threats, refresh the right policies, script clear internal comms, and guide fair investigations if misconduct is suspected – while building pragmatic contingency plans (redeployment, short-time/lay-off) to keep operations moving. If you’ve just read our HR checklist for cyber-attacks, come and see how we’ll tailor it to your business and support your managers step by step.