What has cyber security got to do with HR?

HR teams should not ignore the threat of a cyber attack on their business, as employees are often the first line of defence. Patrick Byrne explains why people teams play a key role.

Technology is a vital part of the day-to-day operations of every modern business. With internet-based communication and software solutions being prevalent and remote forms of working increasing rapidly, it is no surprise that more employers are reconsidering their cyber security.

It's also hard to ignore the ongoing threat of such incidents - most recently ready meal service Wiltshire Farm Foods was hit by an attack that forced it to cancel a number of deliveries, while a number of government and commercial websites in Lithuania were targeted by pro-Russian hackers earlier this week.

In a survey of risk management specialists by Allianz, cyber incidents were noted as being the most significant threat facing businesses in 2022. The risk of ransomware attacks and other various data breaches is now a bigger fear than Covid-19.

What is a cyber incident?

A cyber incident is a breach of a company's data protection processes which harms the confidentiality, integrity, or accessibility of personal data. Such incidents can occur in different ways, including malware entering a company's systems, phishing attacks, or denial-of-service attacks.

Cyber security

Data protection

While it might not be immediately obvious, there is an inherent connection between HR and such attacks. This is because such attacks usually involve employee personal data and the actions (or negligence) of an individual employee are often a contributing factor of the security breach.

The adage "prevention is the best cure" is paramount for managing the risk of cyber incidents.

How can HR help to avoid attacks?

Employees are often a company's first line of defence against cyber attacks. The government's cyber security breaches survey in 2020 showed that employees spotted 63% of breaches, whilst antivirus protection software only caught 7% of attacks.

Simple but effective training can be rolled out to all staff to train them on identifying suspicious emails and responding to an attack or data breach.

The company's data protection and IT procedures can also be covered, including issues such as how to safely use IT equipment, remote working rules, document management systems, and removing data from company systems.

Such training should be provided to new hires forming part of the company's induction process, with regular refresher training to maintain good practices. In addition, training tools and quizzes could be circulated to staff regularly to gauge whether they respond correctly to mock cyber security scenarios.

Know the data security framework

Keeping track of the employer's methods and reasons for storing and processing personal data is essential.

When a security breach occurs, and the compromised data contains employee data, knowledge of the employer's data framework will be crucial in remedying the breach, communicating to staff, handling any reports to regulators and dealing with any legal claims.

The information that HR should track and record includes:

  • The categories of employee personal data, including any special category of personal data stored by the business
  • Where the data is held, and who can have to access it
  • The purpose(s) of the data processing
  • The categories of recipients of employee personal data
  • The security measures in place concerning the data
  • Applicable retention periods

Data retention policies

Employers should also make sure that they are abiding by basic storage limitation principles. That is, ensuring data is kept for as long as it is needed for the purpose for which it is processed, which is a key principle of data protection regulations. This means that if data has achieved its purpose, it should be swiftly and securely deleted.

If such steps are not taken, in addition to the commercial concerns of not adhering to good storage limitation principles, companies run the risk of breaching time limits for storing certain types of HR data, action from the ICO, reputational damage and wider basis for legal claims to be brought.

The government's cyber security breaches survey in 2020 showed that employees spotted 63% of breaches, whilst antivirus protection software only caught 7% of attacks.

It is a good idea to include a written data retention policy in the company handbook so that all staff, particularly HR and IT employees, know when certain data should be removed securely from systems.

Factors that will be relevant to determining what retention periods should be adopted are:

  • Compliance with any statutory minimum retention periods, such as payroll records needing to be stored for six years from the end of the relevant tax year
  • Obligations set by an industry regulator
  • The relevant time limits for potential legal claims and regulatory action. For example, most claims carry a three-month time limit in an employment claims context
  • Underlying commercial requirements

Audits of HR documents

HR policies and procedures should be audited and updated on a regular basis to ensure compliance with these policies.

This will help to ensure that security protocols do not become outdated and that the business is properly protected. Such audits might include a review of data protection policies, privacy notices, IT security policies and data retention policies, data subject access request protocols and homeworking policies.

Also, HR should reassess the adequacy of protections within contracts of employment and contracts for workers and freelancers. Confidentiality provisions and post-termination restrictions, when drafted correctly, can help protect an employer's data during and after employment ends.

Monitoring employees and smart software

Employers are increasingly relying on technology as a tool that can support them in their cyber incident protocols.

This can involve monitoring employee activity on company equipment. However, such monitoring must comply with data protection laws, which generally means ensuring there is a legitimate interest for the monitoring in question and that a balanced approach is taken to ensure the monitoring goes no further than necessary in achieving its purpose.

Proportionate monitoring to highlight cyber risks is likely to be justifiable given the dangerous and prevalent nature of cyber attacks.

In addition, many employers use data protection software to guard their data and prevent unauthorised data from exiting their networks. For example, software that scans outgoing emails and notifies the sender if it detects that the data is being sent to the wrong recipient or a suspicious recipient.