An employee’s first day at a company presents a flood of new information—and signals what the company values. In a few hours, a worker receives strong messages about where to park, how to use the copier, what to wear and more. During that rush of first impressions at your company, does information security appear on the list of priorities?
Remember that along with giving a new employee access to your health plan, you’re handing them credentials to access company data. Are you teaching new workers how to protect that data? Do they understand that every employee has responsibility for information security, not just the IT team?
Information security should be an onboarding priority for every Human Resource (HR) department. And a strong relationship with the IT department will help HR create a productive, consistent onboarding process that puts the importance of your business’ cybersecurity practices at the forefront of your employees’ minds from day one. Here’s how you can start fostering a secure work environment from the moment the offer letter is signed.
Start secure practices from the beginning
Create an “onboarding checklist” that includes the tasks of everyone involved in the process. This reduces the risk of making common security mistakes and may be vital in maintaining your company’s compliance.
Explain Documents Before Signing
After the employee clears the background check and shows up for their first day, it’s time to explain and complete a few critical documents. Audits require many of these, which means you need to follow accurate filing and tracking procedures.
Confidentiality (or Non-Disclosure) Agreements
Employees gain access to various levels of sensitive and confidential company information such as company trade secrets, client information, financials, and employee lists. It is your responsibility to define what information your company classifies as confidential and make your employees aware of those things from the beginning of their employment.
Information Security Policies
On the other hand, there is information that employees are free to share, but must do so in a secure manner. Again, it is important to define those things so employees understand they are accountable to the processes protecting that information. The onboarding process provides a great opportunity to introduce key information security topics to employees. It is very important for employees to read and understand any information security policies your organization has that would be pertinent to their specific job role. Employees should sign and acknowledge these policies on their first day of employment.
Bring Your Own Device Contract
If you allow employees to access company data through their personal devices, a Bring Your Own Device (BYOD) contract, though not required, is best practice. A BYOD contract can help protect sensitive company information if a device is lost or stolen. It enables your company to enforce security controls such as password protection and remote wiping of sensitive information. These security functions are necessary for companies to ensure data confidentiality, security, and integrity.
Perform Security Awareness and Training
The moment an employee receives access to the company network, cybersecurity becomes part of their responsibility. Security awareness and training introduces real-world cyberthreats and explains why certain policies are in place, what consequences come with not following them, and whom to contact with compliance or security questions. It’s easy to rush through these processes and sign off on documents as you work through your onboarding checklist, but taking the time to stress the importance of security awareness produces vigilant employees who actively participate in keeping your organization safe.
Provision User Access
Best practices suggest using a concept called “least privileged access,” which means users receive access to only the information needed to do their specific job and no more. A process known as provisioning user access ensures proper configuration of each user’s least privileged access. The following controls help with this process:
- HR and IT should involve management in the access request process. The employee's hiring manager can either approve incoming requests or submit them themselves to ensure that the correct access is being granted.
- HR should work with IT to implement role-based access control (RBAC), which ensures employees can access only the resources and data required to do their jobs. In contrast, many organizations use user-based access, which means that HR and IT copy an existing employee’s permission set onto a new employee. This approach is very difficult to manage as organizations scale in size, and it can result in new employees getting access beyond their immediate needs, which violates the least privileged access principle.
Provisioning user access should be accurate and consistent across all new hires – especially if your company is subject to compliance requirements such as SOC 2, HITRUST, ISO 27001, etc.
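The contrast above between role-based provisioning with manager approval and the copy-an-existing-user shortcut, as an added example that is not part of the original article. The role names, permission strings and employees are constructed for illustration and do not come from any real system.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample role definitions (hypothetical): each role maps to the
# minimum permission set needed for that job, nothing more.
ROLE_PERMISSIONS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve", "email"},
    "help_desk": {"ad:password_reset", "ticketing:write", "email"},
}

@dataclass
class AccessRequest:
    employee: str
    role: str
    requested_by: str                 # hiring manager submitting the request
    approved_by: Optional[str] = None # must be a known manager before provisioning

@dataclass
class Employee:
    name: str
    role: str
    permissions: Set[str] = field(default_factory=set)

def provision_rbac(request: AccessRequest, managers: Set[str]) -> Employee:
    """Grant exactly the role's permission set, and only after a manager approves."""
    if request.approved_by not in managers:
        raise PermissionError(f"request for {request.employee} lacks manager approval")
    if request.role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {request.role!r}")
    return Employee(request.employee, request.role, set(ROLE_PERMISSIONS[request.role]))

def provision_by_copy(new_name: str, template: Employee) -> Employee:
    """The user-based shortcut: clone whatever an existing employee has accumulated."""
    return Employee(new_name, template.role, set(template.permissions))

def excess_permissions(emp: Employee) -> Set[str]:
    """Permissions beyond the role's definition, i.e. least-privilege violations."""
    return emp.permissions - ROLE_PERMISSIONS[emp.role]

# Constructed scenario: a long-tenured AP clerk who picked up a help-desk right years ago.
veteran = Employee("dana", "accounts_payable",
                   ROLE_PERMISSIONS["accounts_payable"] | {"ad:password_reset"})
cloned = provision_by_copy("new_hire", veteran)          # inherits the stray permission
request = AccessRequest("new_hire", "accounts_payable",
                        requested_by="mgr_lee", approved_by="mgr_lee")
by_role = provision_rbac(request, managers={"mgr_lee"})  # gets only the role's rights

if __name__ == "__main__":
    print("copied from veteran, excess:", excess_permissions(cloned))
    print("provisioned by role, excess:", excess_permissions(by_role))
```

Auditing `excess_permissions` across all accounts is the same check an access review performs, which is why role definitions make the SOC 2 / ISO 27001 evidence far easier to produce than a trail of copied accounts.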
HR & IT: Collaboration Through Onboarding and Beyond
Rethinking the relationship between HR and IT during your onboarding tasks (and beyond) is an essential step in providing clear expectations regarding cybersecurity from the very beginning of employment. An effective onboarding checklist is consistent and clearly communicates expectations for each person involved in the process. This will not only help alleviate any risks in missing important onboarding processes but also ensure proper provisioning and information security.
If you’re ready to evaluate your current HR processes and implement an improved set of industry standard cyber security practices, reach out to a Pratum representative today!