The responsibility to combat these data breaches falls on a number of entities, including HR departments, security experts and the government. The stakes are high, with valuable, private employee and employer information a prime target for malicious hackers.
The principal entities associated with employee and employer data security are continually evaluating plausible solutions as well as trying to keep track of the evolution of the problem.
Where does the problem truly lie?
Within each organization, assessing where the danger of a data security breach comes from is an important undertaking. Research from global cybersecurity organization Clearswift indicated a company’s own finance and HR departments are actually a substantial threat: 46% and 39% of respondents, respectively, expressed worry that those departments pose a risk.
Top officials are likely to be especially protective of company data, while low-level employees often lack access to sensitive information. The “middle-aged, middle managers” are in the Goldilocks zone for danger, under pressure and prone to mistakes or even foul play. Statistics indicate male, office-based employees are considered the biggest threats to company data.
“Despite all the security worries about people working out of the office on whatever devices they want, those in the office actually have easier access to sensitive data, so are more likely to lose it,” says Heath Davies, chief executive officer at Clearswift. “We’re not proposing targeting individuals, but if you can understand the combination of factors that make certain people in certain roles more of a risk, you can focus your resources on ensuring those breaches don’t happen. Further, a whopping 88% of companies had experienced a security incident in the last calendar year, with 73% involving past or current employees or customers/suppliers.”
Attacks need to be handled on the frontline
Businesses are worried about breaches; a Graham Company survey indicated a majority of companies view a cyber-breach as their No. 1 concern. Even cyber extortion has become a tangible fear, with 31% of respondents considering it a “significant” risk. Consulting with security companies to address those concerns is one recommended action, but handling matters in-house and having a plan in place in case there is an incident are also advisable, according to an Employee Benefit News article.
“Many employers still think that data loss is someone else’s responsibility,” says Nick Rockwell, director of benefit solutions at LifeLock. “Where does employee data get exchanged and why is this information being shared are questions that should be asked and understood by HR.”
Employers can offer identity protection for employees as a measure to shield workers and the organization, the piece states. Health care costs, though, were cited in the survey as an area of concern for many employers, with many not “fairly well” or “very well” prepared to deal with the risks associated with costs.
What’s the government’s role?
There have been a number of legislative conversations regarding solutions to security problems, but definitive action has already been taken by the courts. According to a Security Info Watch story, a federal appeals court has ruled the Federal Trade Commission now can regulate cybersecurity measures used by organizations.
Stu Sjouwerman, founder and CEO of IT security awareness training firm KnowBe4, said this ruling should grab the attention of executive and HR departments. “This is a real wake-up call,” he said. “Now that the FTC has become a watchdog with real teeth, I’m sure that the legal department with HR and C-level execs are going to be sitting around the table and saying, ‘We really need to get this going because if we don’t, the government is going to come down on us like a ton of bricks.’”
Companies’ concerns about the balance between protecting people and data and facing potentially damaging negative press have also played a role in shaping what sorts of rules will be needed, as legislation to create standard provisions and guidelines for notifying victims of a cyber-breach has been kicked around.
Last modified on Monday, 07 September 2015