IT Security Best Practices HR Departments Often Overlook

Published February 22, 2017

Maintaining a checklist of IT fundamentals will safeguard company information

As technology has evolved, so has our need for increased IT security measures in the workplace. Businesses tend to make sure their IT services company keeps firewalls and antivirus software updated to fend off malware supervillains. But software is only one security measure.

Businesses must also verify employees in every department follow proper security practices and procedures to keep data safe. Teaching employees IT security best practices ensures your business’ cybersecurity. But of all departments (other than IT), there is one that plays the biggest security role:

Human Resources.

The HR department is an important security link because they handle employee data from start to finish. This includes personal employee data like social security numbers and bank accounts, as well as business employee data like email accounts.

This gives the HR team extra responsibilities in the way of IT security. Specific practices will be different for each company. But working with a managed IT services company to create and execute a security checklist will keep your business safe.

Here are some tasks that should be on HR’s security checklist.

Disable or delete terminated employee accounts

Employee turnover is a fact of business. But when you fire an employee, or they quit, one of the first things to do is to disable their access to network systems like email, the server, websites, or other critical logins.

HR & IT should work together to complete these tasks in a timely and correct manner. When an employee is terminated, maintaining transparency between HR & IT can lower the risk of an upset former employee mishandling company information.

When an employee leaves the company, HR should:

  • Terminate access to email, servers, and other accounts
  • Ask the IT department or company for a list of currently active user accounts in all systems and make sure they correspond to people who should still have active accounts
  • Confirm disabled email accounts are not forwarding to email addresses outside the organization
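The reconciliation in the last two checklist items, as an added example (not from the original article): HR's roster of current employees is compared against IT's export of active accounts, and email accounts forwarding outside the company domain are flagged. The roster, the account export and the domain are constructed sample data.

```python
# Constructed sample data: HR's list of people who should still have accounts
HR_ACTIVE_EMPLOYEES = {"asmith", "bjones", "cwu"}

# Constructed sample export from IT: every active account, per system
IT_ACTIVE_ACCOUNTS = [
    {"system": "email", "user": "asmith", "forward_to": None},
    {"system": "email", "user": "bjones", "forward_to": "bjones@example.com"},
    {"system": "email", "user": "dkhan", "forward_to": "dkhan@personal-mail.test"},
    {"system": "fileserver", "user": "dkhan", "forward_to": None},
    {"system": "vpn", "user": "cwu", "forward_to": None},
    {"system": "email", "user": "cwu", "forward_to": "cwu@webmail.test"},
]

COMPANY_DOMAIN = "example.com"  # assumed company mail domain


def is_external(address, domain=COMPANY_DOMAIN):
    """True when a forwarding address points outside the company domain."""
    return address is not None and not address.lower().endswith("@" + domain)


def reconcile(hr_roster, it_accounts, domain=COMPANY_DOMAIN):
    """Return the findings HR and IT should act on.

    orphaned_accounts: (system, user) pairs still active in IT systems
                       for people no longer on HR's roster.
    external_forwards: (user, address, departed) for email accounts that
                       forward outside the organization; departed marks
                       accounts of former employees, the worst case.
    """
    orphaned = sorted({(a["system"], a["user"])
                       for a in it_accounts if a["user"] not in hr_roster})
    external = sorted((a["user"], a["forward_to"], a["user"] not in hr_roster)
                      for a in it_accounts
                      if a["system"] == "email" and is_external(a["forward_to"], domain))
    return {"orphaned_accounts": orphaned, "external_forwards": external}


if __name__ == "__main__":
    for kind, items in reconcile(HR_ACTIVE_EMPLOYEES, IT_ACTIVE_ACCOUNTS).items():
        print(kind)
        for item in items:
            print("  ", item)
```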

Enforce strong employee passwords

Strong password security is critical to the security of a business network.

Businesses try many approaches to encourage strong passwords: mandated password changes, password security requirements, multi-step authentication.

But security experts say the culture around password authentication in business confuses employees, giving them less reason to care about password strength. If employees don’t care about password strength, your business is left with a weak underbelly.

It’s important to get employees to buy into password security and explain why securing their passwords protects the business as a whole.

So where do you start?

Don’t force regular password changes.

Changing passwords every few months can result in weaker passwords. When forced to change passwords, employees only feel the need to switch out a number or special character, such as “?” for “!”. Hopping around the keyboard every 90 days to refresh passwords strains users’ memory. HR should enforce password updates to strengthen IT protection, not annoy your employees.

Educate employees on password best practices

Make sure your employees know the characteristics of a secure password.

One ironclad improvement is teaching employees to unlearn traditional password patterns, which hackers can crack without breaking a sweat:

  • Capital letters go first: Pegasus
  • Words are followed by numbers: Pegasus6
  • Random numbers are easy to remember in sequence: Pegasus678
  • Special characters punctuate the end: Pegasus678!

If your employees’ passwords are identical on different platforms, this sets the blackhat dinner table for an all-you-can-hack buffet. You might as well hand your company’s confidential information to hackers on a silver platter.

So, pull up your fortress’s drawbridge by breaking the password patterns: 19peg@sUS
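A policy check for the four predictable patterns listed above, as an added example (not from the original article): it reports which patterns a candidate password follows, so HR or IT can reject passwords like the "Pegasus678!" example while accepting ones that break the pattern. The function names and thresholds are my own choices.

```python
import re


def is_sequential(digits):
    """True when every digit is exactly one more than the previous (e.g. 678)."""
    return all(int(b) - int(a) == 1 for a, b in zip(digits, digits[1:]))


def predictable_patterns(password):
    """Return the names of the predictable patterns a password follows.

    An empty list means none of the four patterns from the checklist apply.
    """
    findings = []
    # Pattern 1: a capitalised word at the start ("Pegasus")
    if re.match(r"^[A-Z][a-z]+", password):
        findings.append("capital letter first")
    # Pattern 2: letters followed by a trailing run of digits ("Pegasus6"),
    # optionally with special characters after the digits
    if re.search(r"[A-Za-z]\d+[^A-Za-z0-9]*$", password):
        findings.append("word followed by numbers")
    # Pattern 3: a run of three or more sequential digits ("678")
    run = re.search(r"\d{3,}", password)
    if run and is_sequential(run.group(0)):
        findings.append("sequential number run")
    # Pattern 4: a special character used only as the final punctuation ("!")
    if re.search(r"[^A-Za-z0-9]$", password):
        findings.append("special character at the end")
    return findings


def acceptable(password, min_length=12):
    """Policy decision: long enough and following none of the patterns."""
    return len(password) >= min_length and not predictable_patterns(password)


if __name__ == "__main__":
    for candidate in ("Pegasus", "Pegasus678!", "19peg@sUS"):
        print(candidate, predictable_patterns(candidate), acceptable(candidate))
```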

Only grant employees access to company files they need

Protecting company information can become all the more overwhelming when permitting employees access to company documents of varying confidentiality. We want to set the appropriate restrictions for our confidential files.

One way to do this is to have your IT company work with you to set permissions on personal machines, service accounts (e.g. printers and scanners), and company-wide accounts.

For example, when an employee accesses a service account, their permissions should be restricted.

Defining what users can access and manipulate is known as Identity and Access Management (IAM). Companies adopt IAM systems to manage employees’ electronic identities. These systems serve as one hub where IT can track, authorize, and audit employees’ electronic identities. HR can sit with IT to delete accounts, pinpoint weak passwords, and set access authorization with a few clicks.

This central hub reduces access-control slip-ups when your employees bring their own devices or work remotely. Some companies build their own IAM systems, but businesses on a budget should look into the many IAM software services available.

Create a Security Procedure Playbook for Employees

Hand out a security procedure playbook to your employees to show them that individual IT security affects the whole team, and to motivate them to tighten up security efforts. The playbook serves as a reference when IT is breached or if they simply forget a password. An example:

  • What you should do when an employee leaves or is terminated
    HR will need to delete the terminated employee’s account. Have the department report all access points to company files and information so they can be disabled.
  • How employees should handle their account information
    Do not share account information with any other employees or write out login credentials on paper or sticky notes.
  • What happens when an employee’s account is hacked
    IT will pinpoint the source of the breach. Users may be required to change their password. Refer to the characteristics of a secure password.

…And so on. An IT playbook should be filled with repeatable tactics that work and should make for easy reading, so employees don’t feel bogged down with another ‘how-to manual’.

HR can make sure employees take business security seriously

HR can incorporate a few tasks into their basic procedures to keep your business technology safer.

  • Train employees on cyber security and explain how it benefits your company.
  • Have HR create a checklist for employee updates and another checklist for terminating past employees’ accesses.
  • Schedule password resets when necessary. Adopt a password manager to guard user credentials.
  • Inform employees how to create a secure password.
  • Have more than one form of user authentication.
  • Put together a system for managing, authorizing, and auditing employee accounts, such as an IAM system.

Have HR administer security tests

Before and after a security breach, your company should test employees’ knowledge of basic IT protection.

Erik Gudmundson
egudmundson@pegtec.com

Erik Gudmundson is an experienced leader in the field of IT service delivery. He is responsible for designing, proposing, implementing, and supporting cloud, on-premise, and hybrid IT solutions in computer-dependent business environments. As a trusted advisor to his clients, he communicates solutions and pitfalls/workarounds effectively.