Establish Cybersecurity Culture On An Employee’s First Day
- Written by: Matthew McGill and Kenli Parker
An employee’s first day presents them with a flood of new information—and delivers with it a message of what the company values most. In a few quick hours, an employee receives directions about when to start work each day, which technology communication platform to use, what to wear and more. But where does cybersecurity land on your organization’s priority list? Is it talked about on the first day?
Information security policies and procedures should be an onboarding priority for every Human Resources (HR) department. And a strong relationship with the IT department will help HR develop and implement a productive, consistent onboarding process that prioritizes your business’s cybersecurity practices. Here’s how you can begin fostering a cybersecure work environment from the moment the offer letter is signed.
Start cybersecure practices from the beginning
Create an “onboarding checklist” that includes the tasks of everyone involved in the process. This reduces the risk of making common security mistakes and may be vital in maintaining your company’s compliance.
Explain Documentation Before Requiring an Employee’s Signature
After the employee clears the background check and arrives for their first day, it is time to explain and complete a few critical documents. Many compliance audits require these, so follow accurate filing and tracking procedures.
Confidentiality (or Non-Disclosure) Agreements
Employees gain access to various levels of sensitive and confidential company information such as company trade secrets, client information, financials, and employee lists. It is your responsibility to define which information is classified as confidential and communicate how employees are to handle the information.
Information Security Policies
The onboarding process provides a great opportunity to introduce key information security topics to employees. It is very important for employees to read and understand any information security policies your organization has that will be pertinent to their specific role. Employees should sign and acknowledge these policies on their first day of employment.
Bring Your Own Device Contract
If your employees access company data through their personal devices, a Bring Your Own Device (BYOD) contract, though not required, is best practice. A BYOD contract can help protect sensitive company information if a device is lost or stolen. It enables your company to enforce security controls such as password protection and remote wiping of sensitive information. These security functions are necessary for companies to ensure data confidentiality, security, and integrity.
Perform Cybersecurity Awareness and Training
The moment an employee receives access to the company network, cybersecurity becomes part of their responsibility. By providing information security awareness and training you can deliver insight into real world cyberthreats and explain why policies are in place, what consequences come with not following them, and whom to contact with compliance or security questions. Don’t rush through this process. Taking the time to stress the importance of cybersecurity produces vigilant employees who actively participate in protecting your organization.
Provision User Access
Best practices suggest using a concept called “least privileged access,” which means users receive access to only the information needed to do their specific job and no more. A process known as provisioning user access ensures proper configuration of each user’s least privileged access. The following controls help with this process:
- HR and IT should involve management in the access request process. The employee’s hiring manager can either approve incoming requests or be the one to submit the request to ensure that the correct access is being granted.
- HR should work with IT to implement role-based access control (RBAC), which ensures employees can access only the resources and data required to do their jobs. Unfortunately, many organizations implement user-based access, which means they copy an existing employee’s permission set onto a new employee. This approach is very difficult to manage as organizations scale in size, and it can result in new employees getting access beyond their immediate needs, which violates the least privileged access principle.
Provisioning user access should be accurate and consistent across all new hires – especially if your company is subject to compliance requirements such as SOC 2, HITRUST, ISO 27001, etc.
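As an added illustration, not part of the original article, the Python script below models the two provisioning approaches contrasted above: deriving a new hire's entitlements from a role catalogue (RBAC, with the hiring-manager approval check from the first bullet) versus cloning an existing employee's account. The role names, permission strings, usernames and the "jdoe" template account are constructed sample data, not any real directory; the `excess_permissions` check is the kind of least-privilege audit a practitioner would run over either result.

```python
"""
Constructed example: RBAC-based provisioning versus "clone an existing
user", with a least-privilege audit that flags every permission a new
account holds beyond what its roles justify.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed role catalogue: each role maps to the minimum entitlements
# that job function needs. Anything outside this table is, by definition,
# ad hoc access that should be reviewed rather than granted.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "accounts_payable": frozenset({"erp:invoices:read", "erp:invoices:approve", "email"}),
    "hr_generalist": frozenset({"hris:employees:read", "hris:employees:write", "email"}),
    "helpdesk": frozenset({"ad:password-reset", "ticketing:write", "email"}),
}


@dataclass
class AccessRequest:
    employee: str
    roles: List[str]
    hiring_manager: str
    requested_by: str               # who submitted the request
    approved_by: Optional[str] = None  # who approved it (None = not yet approved)


@dataclass
class Account:
    username: str
    permissions: Set[str] = field(default_factory=set)


def manager_involved(request: AccessRequest) -> bool:
    """The article's control: the hiring manager either submits the request
    or approves it before any access is granted."""
    return request.hiring_manager in (request.requested_by, request.approved_by)


def provision_from_roles(request: AccessRequest) -> Account:
    """Grant exactly the union of the requested roles' permissions.
    Refuses unknown roles and requests the hiring manager has not touched."""
    if not manager_involved(request):
        raise PermissionError(f"{request.employee}: request lacks hiring-manager submission or approval")
    perms: Set[str] = set()
    for role in request.roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}: add it to the catalogue, do not grant ad hoc access")
        perms |= ROLE_PERMISSIONS[role]
    return Account(request.employee, perms)


def provision_by_cloning(new_username: str, template: Account) -> Account:
    """The user-based approach the article warns against: copy another
    employee's permission set wholesale, including anything they accumulated."""
    return Account(new_username, set(template.permissions))


def excess_permissions(account: Account, roles: List[str]) -> Set[str]:
    """Permissions the account holds that none of the given roles justify.
    An empty set means the account satisfies least privilege for those roles."""
    justified: Set[str] = set()
    for role in roles:
        justified |= ROLE_PERMISSIONS.get(role, frozenset())
    return account.permissions - justified


if __name__ == "__main__":
    # Constructed scenario: "jdoe" is a long-tenured AP clerk whose account has
    # picked up two entitlements over the years that the role never required.
    jdoe = Account("jdoe", set(ROLE_PERMISSIONS["accounts_payable"])
                   | {"erp:vendors:write", "fileshare:finance-admin"})
    request = AccessRequest("asmith", ["accounts_payable"], hiring_manager="bchen",
                            requested_by="hr.onboarding", approved_by="bchen")

    rbac_account = provision_from_roles(request)
    cloned_account = provision_by_cloning("asmith", jdoe)
    print("RBAC  excess:", sorted(excess_permissions(rbac_account, request.roles)))
    print("Clone excess:", sorted(excess_permissions(cloned_account, request.roles)))
```

Running the script shows the role-derived account with no excess entitlements, while the cloned account inherits `erp:vendors:write` and `fileshare:finance-admin` from the template user. The same `excess_permissions` check can be run periodically against existing accounts, since permission creep on a template user is exactly what the cloning approach propagates to every new hire.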
HR & IT: Collaboration Through Onboarding and Beyond
Consider the relationship between HR and IT during onboarding (and beyond). An effective onboarding checklist is consistent and clearly communicates expectations for each person involved in the process. This alleviates many of the risks that can be introduced by missing important onboarding processes. And it ensures proper provisioning and information security practices are being followed.
If you’re ready to evaluate your current HR processes and implement an improved set of industry standard cyber security practices, reach out to an HBS representative today!