One of the sobering realities of business in today's world is that everyone is vulnerable to cyberattacks and the threat never subsides. What should businesses do?
We've all read accounts of massive data breaches and the news stories of thousands, sometimes millions, of people's personal information being accessed. While we didn't experience anything quite on the scale of the Equifax data breach in 2017, last year was still brutal in terms of the impact and costs of cyberattacks.
A story in USA Today pointed out that,
"Billions of people were affected by data breaches and cyberattacks in 2018 – 765 million in the months of April, May and June alone – with losses surpassing tens of millions of dollars, according to global digital security firm Positive Technologies. Cyberattacks increased 32 percent in the first three months of the year and 47 percent during the April-June period, compared to the same periods in 2017, according to the firm, which was founded in 2002."
And, so far in 2019, the picture is no less chilling.
According to Symantec Corporation, cybercriminals will steal an estimated 33 billion records in 2023, based on a 2018 study from Juniper Research. This was compared with the 12 billion records Juniper expected to be swiped in 2018. In addition, Juniper expects that more than half of all data breaches globally will occur in the United States by 2023.
An article at the Society for Human Resource Management (SHRM) explains,
As identity theft capabilities expand, realistically no business can completely eliminate the risk of data breaches that may compromise their employees' sensitive information. But undertaking reasonable measures to prevent foreseeable breaches can decrease the risk of breach, as well as the risk of liability in the event of a breach.
Employers may want to review the U.S. Securities and Exchange Commission's 2015 update to its cybersecurity guidance. The guidelines are applicable today and are part of an emerging cybersecurity "standard of care" for organizations to meet.
There is no single, overarching federal law that applies to every instance of cybersecurity; which law applies is very much contingent on the situation and type of data accessed. For example, under the Fair and Accurate Credit Transactions Act (FACTA) and the Fair Credit Reporting Act (FCRA), businesses may be liable if the actions or omissions of staff lead to identity theft. These laws are specifically designed to protect consumer information, which includes data collected for employment background checks.
Not only are there consumer information issues to consider, but failing to adequately safeguard health-related information or medical records can cause an employer to be liable under the Americans with Disabilities Act (ADA) or the Health Insurance Portability and Accountability Act (HIPAA).
Cybersecurity as a Priority for Employers and HR Managers
Cybersecurity involves not only customers' or clients' data and personal information, but also that of employees and the organization's own data. Each of these three realms of data is at risk 24/7, and it is the responsibility, and often the legal burden, of the business to secure them.
According to a recent article by Andrew Froman at Fisher Phillips LLC,
"A 2017 study by Nationwide Insurance estimated that 58 percent of U.S. businesses, nearly six out of every ten, have experienced a cyberattack. More than 20 percent of those victims spent at least $50,000.00 and took more than six months to recover. Seven percent, according to Nationwide, spent more than $100,000.00 to correct damages, and five percent took a year or longer to rebuild their reputation and their customers' trust. Not surprisingly, Nationwide concludes that businesses should consider cybersecurity insurance coverage, to protect against viruses, malware and direct attacks."
Businesses routinely acquire insurance coverage for a multitude of reasons, but cybersecurity insurance is a fairly new concept, and not all businesses are aware of it or have taken the steps needed to acquire it.
While it is best to consult with an insurance professional regarding your specific cybersecurity insurance coverage needs and costs, the Federal Trade Commission (FTC) does provide some general guidance on its website.
According to an FTC resource entitled "Cybersecurity for Small Business - Cyber Insurance",
"Cyber insurance is one option that can help protect your business against losses resulting from a cyber attack. If you’re thinking about cyber insurance, discuss with your insurance agent what policy would best fit your company’s needs, including whether you should go with first-party coverage, third-party coverage, or both."
The FTC describes first-party cyber coverage as coverage that protects your data, including employee and customer information. Third-party cyber coverage, on the other hand, generally protects you from liability if a third party brings claims against you. The agency also recommends that your policy include coverage for:
- Data breaches (like incidents involving theft of personal information)
- Cyber attacks on your data held by vendors and other third parties
- Cyber attacks (like breaches of your network)
- Cyber attacks that occur anywhere in the world (not only in the United States)
- Terrorist acts
In addition, you should determine whether your cyber insurance provider will provide coverage in excess of any other applicable insurance you have, and if they will defend you in a lawsuit or regulatory investigation. Look for the words “duty to defend” in the policy.
Steps HR Managers Can Take Towards Improved Cybersecurity
While HR professionals need not become cyber experts, there are a number of initiatives that HR departments can lead to help mitigate the risk of cyberattacks, data breaches and other related cyber crimes.
Information from a post on the SHRM website offers the following suggestions:
1. Recruitment: Address the need for both technical and non-technical cybersecurity professionals.
- Understand the cybersecurity requirements of the organization and the roles in.
- Design employment offers that will not only attract good candidates but also retain them.
2. Risk Management Posed by and for Employees: Design a risk management policy to prevent and monitor cybersecurity risk in the organization.
- Educate employees on cyber risks and risks of non-adherence to security.
- Monitor for triggers that could induce security breach from employees.
- Create policies for personal devices used for office work or by workforce located at remote locations.
3. Ethical Hacking and Cyber Security Measures: Establish measures for cyber security on two fronts.
- Employee Privacy: Formulate a clear and transparent policy informing employees about the organization’s communication (digital as well as non-digital) monitoring policy.
- Hiring Ethical Hackers: Formulate policies for hiring and termination dates, non-disclosure agreements and communication protocols with professional ethical hackers.
4. Anticipate Skill Needs: Because the nature of cybersecurity is continuous change, the skills needed to combat cybercrime evolve.
- Ensure that assessments of the organization’s cybersecurity competency and individual cybersecurity skills are conducted at regular intervals.
- Design training programs and also ensure continually updated information and resources.
HR Management and Employee Policies
Outsourcing HR functions is an increasingly common strategy for small businesses, and the advantages are worth asking about. In addition to reducing your in-house costs and increasing accuracy and security, you can also benefit by freeing your HR resources for improving operational functions, recruiting efforts, policy manuals and training.
For example, with payroll management, you have a number of options for your HR and payroll staff. Software that can be installed in-house or cloud-based programs offer a good alternative. But if you really want to take full advantage of the benefits available to you, outsourcing to a provider like Accuchex can still be the best decision.
Reliability, full-service options, and reputation are the hallmarks of a quality HR management service provider.
If you are currently looking to invest in outsourcing, get your free California Labor Law guide to help you make an informed decision, or call Accuchex Payroll Management Services at 877-422-2824.