Cybersecurity 101 for HR Pros
Think about all of the data your organization collects from employees, partners, and customers. Emails, documents, research, and other confidential information can be worth millions to an attacker. For criminals, attacking data centers directly can be time consuming and risky, so instead they seek out vulnerable employees with a high level of access. HR Professionals find themselves in the crosshairs because they are often the perfect target for those attackers.
Cybersecurity for HR Professionals aims to teach anyone not just what to do in order to be more secure, but why those steps are important. Students will walk away with an understanding of how criminals take advantage of people online, and will be better able to protect themselves and their businesses. The course is a bridge between the information security world and day-to-day HR functions. High-level best practices are distilled into a working knowledge that anyone who uses a computer every day will be able to grasp.
In this course, we'll tackle the basics of securing your accounts and devices and work our way to real world cases of political espionage and tax fraud. Along the way, we will cover major I.T. buzzwords such as:
Don't let your team make headlines for the wrong reasons! HR is in a unique position to help protect its organization. Note: The information in this course should be used as a guide. Always check with your IT department before implementing any changes to ensure it aligns with their directives and remains compliant with appropriate laws.
HR Jetpack is recognized by SHRM to offer Professional Development Credits (PDCs) for SHRM-CP or SHRM-SCP. This program is valid for 1.0 PDCs for the SHRM-CP or SHRM-SCP. For more information about certification or recertification, please visit shrmcertification.org.
This activity has been approved for 1.0 HR (General) recertification credit hours toward aPHR™, PHR®, PHRca®, SPHR®, GPHR®, PHRi™ and SPHRi™ recertification through HR Certification Institute® (HRCI®). For more information about certification or recertification, please visit the HR Certification Institute website at www.hrci.org.
The use of the HRCI seal confirms that this activity has met HR Certification Institute's® (HRCI®) criteria for recertification credit pre-approval.
Title: Best Practices
Module: Securing Your Devices
In this section I’m going to cover a baseline of security steps you should take on your computers, smartphones, and tablets. At times the terminology may seem unique to one platform or another, but the principles are mostly universal.
Rule number one is that the lock screen should lock down your device. It may sound silly, but many people seem to have lost sight of just why you have a lock screen on your device in the first place. Lock screens come in different flavors and with different features, but generally it is the device’s version of a login screen. It is meant to prevent anyone other than you from unlocking your device. Someone who picks up your phone on a park bench shouldn’t just be able to swipe and get in, and the same goes for someone who sits down at your workstation and just presses enter to bypass the login step.
With that in mind, here are some common lock screen protection options ranked from best to worst. First is the fingerprint. This is the best example of a low likelihood of being compromised with ease of entry. A fingerprint scan takes less time to enter than a password or a PIN, while being a highly complex unique identifier.
Next is the password. It is typically longer and more complex than a PIN. The downside is that because it is the most complex, it takes the longest to enter. Memory is also a problem, and you cannot access a password manager from the lock screen of a device.
The password is followed by a PIN. It is probably the most popular method, and for good reason. A 4 or 6 digit PIN is pretty easy for most people to remember and doesn’t take long to enter. It is also reasonably unlikely to be guessed.
A low-tier option is the pattern unlock offered on many touchscreen devices. It is simple enough to connect the dots with your finger; however, it can be fairly easy to crack. There are also just fewer variables than in most other protection methods.
A final option is one you should never use, Face Detection or Facial Recognition. To say it is flawed is an understatement. This method can be fooled by using a photograph of you. It can also incorrectly identify someone who looks similar to you, such as a family member, or just otherwise fail to recognize that it is someone other than you. Facial recognition is not a reliable way of protecting a device and should be avoided.
Choose the solution which best fits the way you use your device. The goal is to find the balance between convenience and security. If the method is too much of a hassle, you will end up turning it off. A good solution is one that works for you without you ever having to think about it.
Rule number 2 is to keep the device up to date. Updating was one of my global principles because it is just vital to run the latest, most secure version. Many people postpone the updates, especially on mobile devices, because they can be time consuming and a hassle. The downloads are large and sometimes require you to make space on the device. It is worth the time and effort because those updates are packed with security enhancements. Look for notifications about Android or iOS and make sure to upgrade as soon as possible.
Rule number 3 is to remove unused apps. On any computer, it is a good idea to keep only the applications you are going to use. Unused apps aren’t just taking up space, but typically on smartphones they have permissions to access your data. Some apps can backup photos, access your contacts, or track your location. These permissions are unfortunately the cost of doing business when it comes to smartphone ownership, however you should take whatever steps you can to limit just how many apps are using your private information. The fewer, the better.
Rule number 4 is to turn on “Find My Phone” or “Find My Device” tools. If your device goes missing, you need to be able to locate it remotely and then be able to wipe the device if necessary to protect your private data. Apple has “Find My iPhone”, on Google’s Android devices the feature is called “Android Device Manager”, and Microsoft also has a device locator. Make sure these services are set up and you understand how to use them before you ever have to. You can test them at any time without causing any harm.
Rule number 5 is to turn off any unused radios. Bluetooth, Near Field Communication, known as NFC, and WiFi should all be turned off unless you are connecting them to something. An open, unconnected radio is an invitation to an attacker, especially in public places like coffee shops, parks, and airports. This will save your battery while protecting you from being unnecessarily vulnerable.
Rule number 6 is don’t use public hotspots. The WiFi at a hotel, coffee shop, or public library isn’t the same as what you’ve got at home and the risks are dramatically different. Public WiFi often has poor security in order to make it easy for guests to access. These locations are desirable for attackers because they can often find ways to watch the traffic across the network and see personal data. Some WiFi hotspots aren’t controlled by the venue at all, and are put up by attackers for the sole purpose of capturing traffic.
As you can see, there are lots of simple things you can do to drastically reduce your risk profile. Staying safe online and on internet connected devices is about minimizing risk and taking reasonable precautions. “Zero trust” is a phrase that is used a lot in cybersecurity, and although it sounds cynical, it is good advice. Start from that place of zero trust: don’t trust other people around your devices, don’t trust app developers, and don’t trust the networks you connect to. Healthy skepticism is the best way to stay safe until the tech industry at large is able to better secure internet traffic.
Michael Wilson works with small businesses to build and protect their brands online. He is an IT Generalist whose primary services include: Web Design & Development, Cybersecurity Consulting & Training, and Social Media Marketing. He also provides outside support for organizations that need someone managing their email & web hosting. He has a Bachelor's Degree...