
Cybersecurity Starts with People.

You or your company have probably invested heavily in technical security controls such as firewalls, encryption, or purpose-built server rooms. Yet even after deploying such hardened controls and technology, companies still end up on the losing side. The simple fact is that the strongest defence in cyber isn’t any software or server; it’s your own people.

Most companies see cybersecurity as a tech-only problem, but in reality most cyber incidents start with a human error. This is why leading security frameworks such as ISO 27001 and SOC 2 now place explicit emphasis on HR security: organizations are expected to understand and address the human side of cybersecurity, not just the technical one.

How do companies make sure they are on the right track? It begins with focusing on your people at every stage of their employment with you.


Securing the Start

A robust HR security process starts long before an employee can even touch the company’s IT equipment. The processes below lay the foundation for trust and set clear security expectations between the employee and the company.

  • Due Diligence and Vetting: This involves a well-documented, formal background check on the employee. It is a must for any position that will handle sensitive information during the employee’s time at the company. The depth of vetting should be proportionate to the access rights and responsibilities the employee will be assigned; this ensures both trust and competence.
  • Defining Responsibilities: Employment contracts must include strict, clearly stated information security obligations that the employee is required to adhere to. Employees sign Non-Disclosure Agreements (NDAs) and formally agree to the company’s security policies; this step creates a clear chain of accountability.

The Continuous Security Journey

Once onboarding is complete, security becomes a continuous journey: an ongoing effort to convert awareness into secure, actionable behavior.

  • Continuous Education and Training: One-time cybersecurity training is not enough. Companies around the world are shifting to ongoing cybersecurity awareness programs built on regular updates, simulated phishing exercises, and role-specific training. This is how companies maintain vigilance and encourage best practices in their work environment.
  • Integrating Accountability: Integrating security into performance management is a vital tool for companies, as it reinforces the controls required by security standards and frameworks. By including security-related responsibilities in performance reviews, companies can evaluate whether each employee is compliant with company policies and rules. For SOC 2 audits, performance reviews provide evidence that employees are held accountable for their security obligations. This also aligns directly with ISO 27001:2022, where HR security controls are defined under “People Controls” (Annex A.6).

Managing the Exit

Risks such as data loss arise most frequently when an employee’s time at the company ends. A clear, well-defined offboarding process is critical for avoiding them.

  • Immediate Access Revocation: The IT security team, in collaboration with HR, must ensure that all access rights to systems, data, and physical premises are revoked as soon as the employee has completed their offboarding. This includes deactivating the employee’s email account, cloud service accounts, and any other service provided to them.
  • Asset Retrieval: During offboarding, the employee must return all assets provided to them during onboarding; this process must be well documented and the records stored securely. Assets include company laptops, mobile phones, access cards, and any other IT equipment. Asset retrieval helps prevent unforeseen unauthorized access and data theft once the employee’s contract has ended.
  • Final Obligations: A formal final review ensures that the departing employee understands that the company’s confidentiality and data protection policies continue to apply after they have left. Such measures establish a clear understanding between the company and the employee of their post-employment obligations, and any violation of company policy can result in legal proceedings between the two parties.

For any business, and especially those in the tech or SaaS sector, a robust and secure HR process is essential and a key differentiator in building a strong security posture. It not only supports compliance with global standards such as ISO 27001 and SOC 2; it is also one of the main foundations of trust with clients who demand that their data and assets remain guarded by a strong security infrastructure.

Empowering your people with the right education, awareness, tools, and processes becomes one of your greatest defences against your greatest risk.
