Earlier this month, a significant cyber attack affected a number of organisations, with employee personal data being stolen.
Policies and procedures are at the heart of any business. They provide structure, guidance and accountability, and ensure that everyone is treated fairly and consistently. They also allow a business to put the right procedures in place to minimise or remove risk.
HR typically create and maintain policies that deal with the employment lifecycle, such as recruitment, disciplinary, grievance and equal opportunities. However, as more technology is used within the workplace, HR must now also be involved in, and influence the development of, broader operational policies, such as data protection, fraud prevention and anti-money laundering.
In a recent high-profile data security case, eight organisations had their payroll data stolen by a Russia-based cyber-crime gang, which has issued an ultimatum and says it will publish the data if its demands are not met. The data includes national insurance numbers, dates of birth and home addresses of employees from companies including the BBC, Boots and British Airways, taken via their payroll provider Zellis.
Even though operational policies focus on the way in which a business operates, there will always be a human element, as this case highlights. The attack was not caused by anything an employee did, intentionally or otherwise, which is what the ‘usual’ HR policies are there to prevent, but its result is a serious impact on the employees whose sensitive personal data was stolen.
An employer has a duty to safeguard and protect employee data and must do so through having stringent policies and procedures that are kept under continuous review in order to keep up to date with evolving technology. However, in order for the policies and procedures to be effective they must be effectively communicated and form the basis for data security training, which must be provided to all employees at least on an annual basis.
Furthermore, in 2022, the Information Commissioner Officer warned that the biggest cyber risk to business is complacency not hackers, following the ICO issuing a £4.4 million fine on a UK construction company for failing to keep personal information about its workforce secure. In this case, the company had failed to put in place appropriate measures to prevent a cyber-attack, and in this instance, the personal data of 113,000 employees was gained through a phishing email.
HR play a vital role not just in the development and implementation of data security policies, but that they are working effectively, amended as technology evolves and are effectively communicated and trained on.
If you would like support in safeguarding your business from cyber attacks, or any other data breach, contact HR Solutions.