
Featured Article

PROTECTING THE PEO: THE EMPLOYEE’S IMPACT ON CLIENT AND ORGANIZATIONAL SECURITY

Geoff Webb

Every business faces different challenges, whether from competitors, market changes, supply chain disruptions, or a myriad of other external or internal forces. Yet every business, regardless of size or industry, faces a common threat: the security of critical data. Whether it’s the leak of proprietary business information or customer data, a breach, or a malicious software attack, the result can be devastating. Security incidents bring disruption, fines, and a loss of customer confidence that can take years to recover from.

Security readiness in the face of persistent and determined threats is multi-faceted.

First, of course, there’s investment in good security technology and controls. Whether those are on-premises technologies such as firewalls that guard a network perimeter or services such as managed security services, the core security technology must be present and operational to stop basic attacks and accidental breaches. Second is the infrastructure of the network itself: the systems and servers that run in a building, along with the devices that connect to them (e.g., employees’ computers and employees’ personal mobile devices).

Third, there is what is known as “third-party risk.” This arises when services are provided by a third party, usually through the cloud. Attackers will often seek out service providers to attack in order to gain access to, or control over, the services used by those providers’ customers (for example, the 2013 Target breach, when 41 million credit cards were stolen after hackers breached Target’s system through the HVAC provider). So, it’s essential that any third-party system in use is at least as well-secured as the organization’s own systems; otherwise a breach there will cascade and affect the organization just the same.

All of this is well known and understood, although admittedly always a work in progress. What is often underappreciated, though, is the importance of the other side of the security readiness coin: the human element.

While technical controls and security tools have continued to develop rapidly, humans haven’t changed much in at least several thousand years. That means the human element remains the attack vector of choice for many hackers.

This is why attacks like “phishing” and email account compromise remain the most common forms of successful attack. People, even experienced employees, can often be fooled relatively easily into opening a document, clicking a link, visiting a website, or simply handing out sensitive information, any of which can lead to a devastating security breach.

For PEOs, this represents a special challenge given the amount of sensitive information they handle for customers (and their customers’ employees).

Interestingly, this is why HR teams and service providers are now very much on the front lines of defending against hackers. Simply put, the best defense against cyber attacks is a workforce that can spot an attack, or one that can at least recognize suspicious activity and respond in the right way. All of this requires a well-prepared workforce.

Good hiring practices are, of course, essential to keeping data secure, and solid background checks are a critical first step in keeping potential security risks out. 

But what happens after a company has hired the best employees? How do leaders make sure they are ready to face the inevitable moment when a hacker targets that business? 

The answer is to invest in building what security experts refer to as the “human firewall”: employees who are trained, educated, and ready to stop attackers before they get a foothold. Such employees can spot a suspicious attack before it develops, and they know how to respond when they see a hacker trying to get in. This is where HR best practices must work hand-in-hand with IT and security teams. There are three consistent steps that PEOs must take to keep their employees (and those of their customers) safe from attack.

Step 1 is to clearly establish support from senior stakeholders for a dedicated and focused security awareness training program. This first step is critical, because without support (and funding) from senior management, it will be impossible to establish and sustain the level of training necessary to make a difference. There are plenty of resources available that can be used to clearly demonstrate the financial impact of a breach, including reputable reports like the annual Verizon Data Breach Report.

Step 2 is to work with IT or security teams to establish the training program. Most companies start with third-party security training content (and there’s a lot out there to choose from). Make it relevant, try to keep it enjoyable (there are some really good video training tools available), and if possible, add a little incentive for employees to finish the training. Regardless, if PEOs have step 1 nailed down, the HR team can push hard to make security training mandatory, and often that’s the only way companies will get everyone to follow through.

Once PEOs have a security program established as part of onboarding and regular updates, it’s time to focus on step 3: keep at it. This is often the most challenging step. The world of security threats, responses, and best practices is constantly changing, so staying up to date is vital for any meaningful security program. Even more importantly, regular testing and training are needed to keep security muscles toned; it’s easy to get busy and forget the basics or make a silly mistake. Even highly experienced security practitioners get caught from time to time, so leaders will want to make sure training and testing are repeated at least every six months.

Attackers are constantly testing businesses to spot weaknesses and vulnerabilities. They also know that busy employees, trying to be helpful, can be easily fooled into leaving a virtual door open to attack. In fact, most successful business breaches occur for exactly that reason. PEOs must invest in training their employees to be ready when attacks come. It’s not about trusting or not trusting employees; it’s about a serious commitment to keeping company and customer data safe. If the CIA can be breached (and it has been, more than once), there’s a good chance any employee can make a simple mistake that leads to millions in lost business, fines, and bad publicity. Yet studies also show that once attackers see a business has good security tools and training in place, they will often simply move on, looking for easier targets.

Don’t be an easy target.


GEOFF WEBB 
VP of Solution Strategy 
isolved 
Cypress, TX 
