Three-quarters of employees want HR to take more of a lead on information security in the organization, according to new research from data loss prevention company Clearswift.
The vendor interviewed over 4,000 employees in the UK, US, Australia and Germany and found a large majority believe that better HR policies and practices could help prevent data breaches.
Three-quarters of respondents said those who leak sensitive corporate information should be disciplined by HR, while 70% said references should include mention of any part a prospective employee might have played in a previous data breach.
In a parallel survey of 500 IT professionals, 68% said training was the best way to reduce the risk of a breach – again something the HR department could help coordinate.
Clearswift vice president of products, Guy Bunker, argued that HR can help the security function by rolling out training programs, tweaking policies and dealing with malicious insiders.
“All too often they are seen as ‘hire & fire’ – but they can be used to provide so much more value. Our research found most security professionals don’t see this changing until their organisation is hit by a major security breach,” he told Infosecurity.
“The problem is mostly one of willingness and understanding. Data is still seen as very technical, but in reality data isn’t always a complex trove of 0s and 1s – it’s your new business spreadsheet, customer credit card database, patent applications, employee salaries etc. It’s tangible things stored on your network. Once people understand this, it’s often much easier to get them to appreciate the importance of behaving securely.”
To help break down the silos between infosec and HR, CISOs can raise the issue in meetings and with non-technical staff, and also work with HR on creating security training programs.
“They can also employ technical solutions which are suited to engaging those who need to be involved, such as those which flag suspicious activity to the HR department or the employee’s manager so that they can make an informed decision about the correct response to that activity,” Bunker added.
“This might be sending a colleague’s personal information to someone outside of the business or downloading a client database to a personal storage drive.”
The research follows a Clearswift poll of 500 IT professionals in the same regions, which singled out HR and finance as the departments whose employees pose the biggest information security threat to their organizations.