In last week’s blog, we covered some of the major costs companies incur when employees have their personal data compromised. Today’s article will focus on four key steps human resources can take to prevent these costs by protecting their company’s greatest assets — their employees.
Step one: Provide thorough and continuous training
Just as you train your employees on other work-related tasks and policies, you must ensure they fully understand the risks of identity theft and security breaches, how to handle personal data, and steps they should take to keep themselves and the company as secure as possible.
The risks of identity theft and security breaches
One of the first steps in educating your employees should be to explain the risks identity theft and security breaches pose. It’s important to relay that these violations don’t just cost the company a fortune; they can also have a tremendous impact on employees. By many estimates, it can take hundreds of hours and months of the victim’s life to fully restore their identity.
Here are some resources you might find helpful:
- How Does Identity Theft Work? Steps From Beginning to End
- How Long Does it Take to Correct Identity Theft?
- Hackers Agree, Humans are the Most Responsible for Security Breaches
- When You Protect Your Employees, You Protect Your Company
- Why Companies Should Care When Employees Have Their Identities Stolen
How to handle personal data
Along with senior members of your organization and IT department, you should craft a document that outlines the best policies for managing the personal data of employees. Since many managers often have access to HR’s records, it’s imperative you create guidelines for anyone who might come into contact with this sensitive information.
A few items to consider might include:
- What information about employees should be stored on the network
- Who should be allowed to view or edit sensitive employee data
- How, and under what circumstances, this data should be shared
- Where it is acceptable to access this information and where it is not (e.g., public Wi-Fi)
- How this data should be stored and encrypted
- What steps to take if sensitive data is compromised
Recognizing and preventing various cyberattacks
One of the most important actions an HR professional can take is to train their employees on how to identify and avoid various cyberattacks. While there are many types of cyberattacks, the two most common are ransomware and phishing.
Ransomware is an attack that hijacks your company’s computers and demands that victims pay a significant ransom before access is restored. This costs businesses around $1.5 billion a year, and that number is growing. While there are many ways ransomware can be installed on your machine, the most common is through phishing emails.
Phishing is a scam used to install malware on a victim’s device, steal the victim’s personal information, or in many cases, do both. This tactic is exceptionally successful, especially when scammers disguise the emails to appear as if they are coming from the victim’s colleagues or boss.
If you spot the signs below, chances are the email is actually part of a phishing scam:
- Misspellings and grammatical errors throughout
- Missing or incorrect contact details in the signature line
- The email doesn’t sound as if the sender wrote it
- The salutation is oddly worded or contains vague terms like “employee”
- When you hover over a link, it reveals a different URL than stated
- A request for large amounts of private data from a company executive that seems oddly timed or out of place
- Something just feels off
If an employee encounters any of the above issues, they should immediately contact their manager, along with HR and IT.
You should be especially careful when reading emails on your mobile phone. On desktops, it’s much easier to hover over a link before clicking it, or to check more thoroughly for misspellings. Plus, as a rule, people are more distracted when looking at their phones than they are when using a desktop. Make it a practice to always exercise more caution on your phone.
The following resources will also help you plan your training:
- Ransomware’s New Payment Model: Name Your Own Price
- Phishing for Dollars: How Identity Theft Is Leaving Businesses and Employees on the Hook
- How Account Takeovers Happen and What You Can Do to Protect Yourself
Step two: Develop a comprehensive cybersecurity plan
It’s not enough just to teach your employees about the dangers of ransomware attacks and how to identify signs of potential phishing. You need to work hand in hand with your IT department to create a comprehensive cybersecurity plan. If your organization doesn’t have a dedicated IT team, you may want to begin by reviewing the FCC’s Ten Cybersecurity Tips for Small Businesses.
When crafting your plan, you’ll need to consider the following questions:
- How will you encrypt files that contain sensitive data, such as employee records and all other confidential data?
- How will you conduct internal risk assessments?
- Who will oversee continued training for employees and managers?
- Should you hire an outside team to assess your network vulnerabilities?
- Who will compose your in-house team to address security issues?
- How will you structure an incident response policy?
- What will the plan be if employee or customer personal data is exposed?
Please keep in mind that the above points are just a few of the questions your organization will need to answer when crafting your cybersecurity plan.
Step three: Offer identity protection services as an employee benefit
In today’s digital age, it’s likely that data breaches have impacted every household in America. The chance your employees may become victims of identity theft is staggering. That means a lot of lost productivity, missed work hours, and a huge hit to your bottom line. However, there are steps your organization can take to protect both your employees and your business. It all begins with providing employees with a comprehensive identity protection service.
With so many plans on the market, selecting the right one for your organization can be tricky. Just make sure the following features, which come standard with InfoArmor’s PrivacyArmor®, are included:
- Dedicated customer support for your organization
- Scalable and flexible payment models
- Comprehensive product education and a dedicated client relationship advisor
- Proactive alerts that notify employees of applications for credit cards, wireless carriers, utility accounts, and non-credit accounts
- Monitoring of high-risk identity activity such as employee password resets, fund transfers, unauthorized account access, compromised credentials, address changes, and public record alerts
- Tools to monitor and preserve an employee’s reputation across social networks
- A dedicated advocate to guide and manage an employee’s full recovery process, restoring credit, identity, accounts, finances, and their sense of security in the event identity theft does occur
- Identity theft insurance to cover your employee’s lost wages, legal fees, medical records request fees, CPA fees, child care fees, and more
Some additional resources you may find of value include:
- Identity Protection to Be Top Employee Benefit for 2018
- Introducing Identity Health: Protect Your Privacy in a New Reality
- Features Your Identity Protection Service Should Include
- The Landscape of Identity Protection
Step four: Always stay vigilant
Finally, you and your team must always remain vigilant. While this may sound easy, it can actually be quite demanding. Information overload and the ever-evolving nature of cybersecurity can often cause burnout in even the most conscientious employees. The good news is you don’t have to do it alone.
If you’d like to know more about how InfoArmor can help protect your organization and employees, please reach out. We’ve been in the identity protection business for over a decade, and we’d love to show you the difference we can make for both your employees and your bottom line.