Canadian HR Reporter

March 20, 2017

Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.

Issue link: https://digital.hrreporter.com/i/796194

plications," he said. "We see a fair number of personal devices accidently get left in public settings, so you want to make sure that device is self-locking so if you do forget it, it will lock or you can wipe it."

But creating a BYOD (bring your own device) policy is one of the first places to start, according to the experts.

"HR should work with the IT security organization (to ensure) such a policy is in place and appropriate training program about the elements of those policies are in place for the employees," said Clyde.

BYOD training is still in its nascent stages in the corporate world but it is getting better, according to Raman.

"From an HR interaction standpoint, we are starting to see… strong enforcement of policies, a good understanding and signoffs from an acceptable-use point for their BYOD devices."

However, many companies know their initiatives are out of date, found a Citrix survey in January of 4,268 IT and IT security practitioners in 15 countries, including 265 from Canada. Three-quarters (73 per cent) feel their company's security framework is "outdated and inadequate."

"Policies were written for everyone going into the office and using the company's equipment, services and never having any of that leaving the facility — they don't necessarily apply to what's going on today," said Roemer.

"What's been put in place doesn't reflect the realities today of highly mobile and even nomadic workers in a lot of ways: People bringing their own devices and people using cloud applications."

Another challenge involves the differences between what IT professionals want and what employees need to do their jobs.

"Generally, there is a disconnect across the board," said Wilson. "If you don't have a strategy that is aligned with your business, how are you ever going to win or be in a position where you are able to defend the company properly?"

There is a balancing act that must be accomplished.
"How much security can the organization push down to the mobile device and not impact the user experience?" he said.

"It's finding that balance between allowing your users to use that consumer-grade device and accessing all those wonderful apps and the things they want to do on a personal level, but then ensuring that data from a business point of view remains secure."

Training essential, but lacking

Employee training and communications are also key parts of what HR should be facilitating.

"For HR departments, it's helping to understand how people are working, what they need and then letting them know how they should best be utilizing these devices securely and not have a very laborious policy, but very simple steps that help people to understand how to protect themselves, protect the organization, and protect the customers and everybody else that integrates with them," said Roemer.

HR should be conducting regular user-awareness training, said Wilson.

"Most organizations that I have been involved with do yearly security training. I do not believe that is sufficient to be able to reinforce the concepts to end users and keep them top of mind."

Training should be done in a "programmatic way" and completed at least four times per year, he said. "Quarterly is a much better approach."

The investment in training should pay off in terms of fewer security incidents, said Raman.

"There's enough literature and research to prove that a more educated user is better prepared for the types of threats that we see today, than an uneducated one."

But some experts believe the level of education remains low, said Roemer.

"We're finding there isn't enough training: It's very shallow in a lot of organizations with companies not having formal BYOD policies — people are figuring out how to do this (on their own) and it is word-of-mouth."
With a phishing test (in which a user clicks on a malicious link sent via email), even after training, ignorance can persist, said Wilson.

"Once you have reinforced that user training and shown them what to look for — even though you have educated them well — 10 to 15 per cent of users will still click that link."

Organizations are starting to do a better job of user awareness training and outlining the expectations of using this personal device while people are at work, but there is a lot of user awareness that needs to go into an effective bring-your-own-device program, he said.

"Every organization that adopts BYOD should have an acceptable-use policy that is reviewed with every new employee in the organization and refreshing it on a regular basis."

The dialogue should also be happening early with new employees.

"This is an onboarding type of conversation," said Raman.

Encouragingly, the level of knowledge about what could go wrong is rising.

"Employees are more aware than they used to be," said Clyde. "(But) we have a long ways to go."

'Educated users better prepared for threats' (CYBERSECURITY < pg. 2)
