ICFE
ICFE eNEWS #18-06 - March 8th 2018

Ten Most Important Actions HR Can Take in Response to Cyber Threats

by Yan Ross, ICFE Director of Special Projects

In today's world of growing identity theft and cyber attacks, the Human Resources (HR) office of nearly every organization needs to be an integral participant in developing and implementing ways to avoid the adverse effects of these criminal activities.

This article is focused on small businesses and non-profit organizations, since there is evidence that larger companies already have both the budget and awareness to respond to cyber threats. Based on current reports, it appears that many HR professionals are easily lulled into a false sense of security, arising out of several common misconceptions.

“If you can keep calm in the midst of a catastrophe, you have probably found someone to blame it on.”

Adopting and implementing policies and procedures is an excellent place to start. These rules of operation provide the basic instructions and guidelines on running an effective and efficient organization. Also, they are periodically reviewed and updated, affording an excellent opportunity to include healthy cyber practices, sometimes referred to as good "cyber hygiene."

Who are the organizational parties for HR to include in this exercise?
• Starting at the top, the C-level executives
• Information Technology (either internal or outside contractors)
• Accounting and Finance
• Compliance and Audit Officers (including outside accountants)
• All employees with access to the IT systems

The TEN Actions

  1. Initiate a meeting with the relevant participants to review the current cybersecurity process. Depending on the organization's structure and dynamics, this may start with the next executive above HR or other person in the chain of command. Be clear this exercise is to support, not replace, the work done by the IT managers. Prepare a draft agenda for this purpose.
  2. Review the current policies and procedures for the presence or absence of information security and cybersecurity provisions. This exercise is usually carried out best in cooperation with the IT managers, in order to achieve the best coordination. Consider whether there is a need to designate such additional personnel as Privacy Officer, Data Protection Officer, or other appropriate information security responsible party.
  3. Determine whether this exercise can be accomplished using internal resources or if an outside facilitator may be preferable.
  4. Restrict access to individuals and devices necessary to conduct operations
    a. In conjunction with IT, establish the hierarchy of access for employees
    b. Restrict access by non-approved devices, such as flash drives and "Bring Your Own Device" (BYOD) hardware
  5. Establish an Employee Education Program
    a. Conduct "in service" workshops using internal resources and other professionals on such vulnerabilities as creating and maintaining strong passwords, avoiding phishing schemes and other social engineering attacks, and physical security
    b. Provide updates on cybersecurity issues on a regular schedule, or as new threats come to light
    c. Consider offering an employee benefit to assist with identity theft restoration, since the organization loses time and resources when employees experience identity theft
  6. Review Legal Requirements
    a. Depending on the nature of the information collected and held by the organization, determine the responsibilities to protect it
    b. Such data as financial and medical information may have special requirements
    c. There are federal and State requirements, which may overlap or be inconsistent
    d. Pay special attention to maintaining the Confidentiality, Integrity, and Privacy of such data
  7. Adopt and Implement a Recovery Plan
    a. Despite all efforts to manage this risk, breaches do happen
    b. Establish a clear protocol to follow in the event of a data breach, including assigning someone to manage the breach and outlining what actions are needed to be taken
    c. Prepare to comply with notification to affected parties, according to the requirements of the relevant State jurisdictions
    d. Select a provider for remedial services in advance of a breach
  8. Update all Policies and Procedures with special regard to the identified cybersecurity issues.
    a. For each issue, determine and assign responsibility to the designated party
    b. Include provisions to prevent employee fraud
    c. Include a routine to follow to assure departing employees no longer have access
    d. Use this opportunity to deal with all threats to confidential and proprietary information, not just those vulnerable to cyber attack
  9. Conduct a Risk Assessment Exercise
    a. Evaluate risks to the confidentiality, integrity, and privacy of sensitive information
    b. Establish an appropriate response to each risk
    c. Evaluate the cost of responding to each identified risk
    d. Determine whether certain risks are subject to risk-sharing, such as insurance
  10. Consider Cyber Insurance
    a. For most organizations, other insurance coverage, such as general liability, Directors and Officers, or Errors and Omissions, does not cover cyber events
    b. There are currently numerous insurance carriers offering cyber coverage
    c. The underwriting process to evaluate the scope of risk and liability can be valuable in helping to manage the underlying risks
    d. Based on the type and limits of coverage offered, and the premium cost, such cyber insurance may be a good investment for the organization

When should these actions be taken?
• At the earliest practicable time
• When new employees come to work, as part of the onboarding process
  • This includes contractors with access to the system
• When employees leave, as part of the exit process
  • "Clean out your desk and return your keys" is not enough
  • This also includes contractors with access to the system
• Periodically as cyber threats are identified, and at least once a year
• As other organizational participants may require, or when changes are adopted in the organizational policies and procedures

Implementing these ten actions will provide the foundation for HR to participate in a substantial step forward in responding to the threat of cyber attacks and managing the risk of damage to the organization caused by this growing challenge.

Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.

The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.

The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at yan.ross@icfe.info


ICFE eNEWS is available FREE upon request by visiting our Web site, filling out the contact form, and selecting "Yes" for "Add to Mailing List." Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org

Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

About the ICFE:

The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the late Loren Dunton (creator of the Certified Financial Planner (CFP) designation). The ICFE is dedicated to helping consumers of all ages to improve their spending, increase savings and use credit more wisely.
The ICFE is an award-winning, nonprofit, consumer education organization that has helped millions of people through its education programs and resources. It publishes the Do-It-Yourself Credit File Correction Guide, which is updated annually. The ICFE has distributed over one million Credit/Debit Card Warning Labels and Credit/Debit Card Sleeves worldwide.

The ICFE became an official partner with the Department of Defense/Financial Readiness Campaign in June of 2004. The ICFE was an active partner in the California Student Debt Resource Awareness Project (CASDRAP), which resulted in a new web site: (studentdebthelp.org). CASDRAP disbanded in 2010, shortly after the web site project was completed. In 2011 the ICFE assumed the single sponsorship of the (studentdebthelp.org) web site and is now responsible for its content and operation.

The ICFE is also an online help for consumers who spend too much. ICFE's spending help was featured in PARADE Magazine in the Intelligence Report section. The money helps and tips are from the ICFE's Money Instruction Book, our course in personal finance.

Visit the ICFE's other web sites at: www.financial-education-icfe.org and studentdebthelp.org. Both sites help consumers and students with mending spending, learning about the proper use of credit, budget and expense guidelines, how to set up and implement a spending plan, how to access financial education courses, and how to teach children about money. Other ICFE services include: Ask Mr. G, a free eNews, and an online resource center for students, parents and educators, plus financial education learning tools and a book store.

Copyright ©  1997 - by Paul S. Richard
and the Institute of Consumer Financial Education, All Rights Reserved.

Institute of Consumer Financial Education
PO Box 34070
San Diego, Ca 92163
Paul S. Richard, Executive Director
Phone 619-239-1401

FAX 619-923-3284
