Canadian HR Reporter

October 31, 2016

Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.

Issue link: https://digital.hrreporter.com/i/740313

FEATURES
T&D

Employee training critical in managing confidential data

Errors in judgement could unintentionally expose companies to serious risks

By Andrew Lenardon

When it comes to security, employee training is critical. A lack of training can lead staff to follow outdated or improper data management and information security protocols. As a result, human error-related data breaches can occur, which could ultimately have a big impact on a company's bottom line and reputation.

Almost half of Canadian large business C-suite executives and small business owners recognize that human error and lack of employee knowledge concerning information security protocols are the two biggest future threats to their company (41 per cent and 47 per cent respectively), according to a 2016 Shred-it Security Tracker survey by Ipsos Reid.

Human error-related breaches can be easily mitigated when employers provide employees with the right tools to separate fact from fiction. One of the best ways to educate employees on how to reduce risk is to implement regular and comprehensive training programs on the best practices for responsibly managing, storing and destroying physical and digital data.

Unfortunately, employers are not prioritizing employee training on company information security procedures and industry legal requirements — only 31 per cent of C-suite respondents said they train employees more than once a year on how to remain compliant with their industry's legal requirements for the storage and destruction of confidential information, according to the survey.

Results are similar on the small business front, with 39 per cent of owners reporting they never train employees on legal requirements or company information security procedures, and only 31 per cent conduct training on an ad-hoc or as-needed basis.

With limited training and education on how to safely manage, store and destroy confidential information, employees may be unaware of their responsibilities or how their actions can open their business, personnel or customers to risk.

Employees will be forced to decide as to what is and isn't considered confidential. If they make an error in judgment, an organization can unintentionally be exposed to serious risks such as theft, fraud, data loss and reputational damage.

Just as human resources management takes a careful approach when it comes to employee training on office devices, software applications and workplace code of conduct, so too should information security training be integrated as another formal exercise for all employees to receive. Regular training throughout the year provides employees with the right mix of knowledge and skills to protect their employer from information security issues and helps mitigate the risk of data breaches caused by human error or lack of knowledge of security practices.

Frequent training can also serve as an ongoing approach for HR to help keep risks top-of-mind among employees and ensure the information security policies and procedures are being followed.

With this said, research shows there is certainly room for improvement when it comes to ensuring all employees follow procedures. For example, only about half of the C-suite (57 per cent) and less than half (43 per cent) of small business owners have a protocol for storing and disposing of confidential paper data that is strictly adhered to by all employees. And 61 per cent of executives and 40 per cent of small business owners have a protocol addressing electronic devices that is strictly adhered to by all employees.

Integrating information security training among the various training programs employees receive through human resources helps the workforce become more aware of the risks associated with mishandling confidential information and ultimately protects the company against damaging data breaches.

Myths and strategies

An important first step is to set the record straight on common information security myths to ensure all employees accurately understand how to manage and identify security risks. Human resources management in both large and small businesses should consider the following information security myths and strategies to help business leaders protect their customers, reputation and employees.

Myth 1: Erasing data from a hard drive completely removes the information.

Fact: Erasing, reformatting and wiping hard drives does not always ensure the data stored on it is inaccessible, and employees can accidentally expose confidential information when old hard drives are sent to be recycled, reused or resold. A best practice in proper disposal is for organizations to require obsolete hard drives be physically destroyed before disposal. Destroying the hard drive before the device is resold, recycled or disposed of ensures information is unrecoverable and provides peace of mind the confidential information is safeguarded.

Myth 2: Disposing of confidential documents in the recycling bin is better for the environment and safely discards company information, as long as the paper is torn into pieces.

Fact: Recycling documents is good for the environment, and protecting the confidentiality of company records is just as important. However, recycling bins are unsecure and, therefore, confidential documents, regardless of whether they are torn in pieces or not, can be easily removed and compromised. To protect company information and reduce the risk of a data breach, organizations should have locked consoles available to all employees and require that all documents be shredded.

Also, consider implementing a "shred-it-all" policy. This eliminates the guesswork of what is and isn't confidential while ensuring employees don't accidentally leave confidential information in an unsecure bin. Organizations can maintain their commitment to the environment while still protecting information as all of the shredded paper is recycled. Overall, the policy leaves little to be decided around the type of information that should or should not be deposited in recycling bins, and is one of the easiest ways to avoid the mishandling of confidential documents and files.

Myth 3: People can confidentially enter personal information on a website if they recognize the source or the sender that sent the link.

Fact: Identity thieves and fraudsters often capitalize on employee trust by impersonating government agencies or banks to request private account information or credentials. These scam emails are often designed to look real and may insist that personal or corporate information is needed. They may also urge an employee to visit a fake website where they are then asked to verify their identity by entering confidential information. Business or personal information should never be entered into a link from an email, even if the site appears credible. Experts recommend typing the website in directly or navigating to it via bookmarks.

Myth 4: People can use their own smartphone or another device at work, as long as it is password-protected.

Fact: With a growing number of employees working in mobile work environments, it has become common practice for employees to use their own devices for work. While this allows for greater employee flexibility, personal devices can create a number of security-related issues. Even if they are password-protected, all devices should be encrypted to protect the confidential information stored on them. Bring your own device (BYOD) security programs should also be in place to protect the pathway from the personal device to corporate systems.

Myth 5: Keeping material at a desk at work is safe.

Fact: Work stations pose a threat because loose paperwork on desktops can be vulnerable to snooping and data theft. Organizations should implement a "clean desk" policy that encourages employees to clear their desks and lock documents in a filing cabinet or storage unit when they step away from their workstation for an extended period and at the end of each work day. This includes documents, files, notes, business cards and removable digital media such as memory sticks.

Myth 6: Messages on smart phones or laptops are private.

Fact: The visual hacking of information on mobile devices can occur almost anywhere, including most public places such as coffee shops, airport lounges, restaurants, as well as during the commute from work to home or even in the office. Organizations should provide employees with privacy screens for laptops, tablets and other mobile devices to keep confidential information safe from prying eyes.

Myth 7: Public Wi-Fi is safe if it is password-protected.

Fact: Even when password-protected, shared or public Internet connections can still expose valuable information to data thieves and hackers. Organizations should establish policies that encourage employees to connect only to trusted networks for work purposes.

By failing to ensure employees understand and follow information security policies, businesses are putting their organization and reputations at risk and potentially exposing valuable customer, employee and business data. But when data protection is prioritized and done well, it encourages more disciplined operations, increased customer and stakeholder trust, and minimizes the risk of penalties, fines or damages to reputation caused by poor information security practices.

HR has an important role to play to ensure information security training for employees is high on management's agenda. Information security must be seen as a shared responsibility among all employees and HR management must work with senior management to ensure they are banishing information security bad habits through consistent employee training and education repeated regularly throughout the year.

Andrew Lenardon is global director at Shred-it International in Toronto.

Photo caption: Identity thieves and fraudsters often capitalize on employee trust. Credit: Maksim Kabakou (Shutterstock)
