Recently I was asked by a cybersecurity professional, “Can you give me some examples of controls related to Information Security?”
My answer: “Proper vetting and onboarding of new employees.” I could sense his disappointment on hearing it, but he did not dismiss it as a trivial concern.
Even if not all employees are privileged users, they are inside the firewall and within our card-key-controlled facilities. With technology so pervasive, there is hardly any separation left between physical security and information security. Protecting the workplace is, or should be, one of our top priorities.
In this post, I address HR Compliance and how some “best practices” produce the exact opposite of what we intended, namely practices resulting in:
- The erosion of self-protection mechanisms
- Poorly-trained staff lacking resources to execute tasks
- Transfer of risk and accountability from managers to subordinates
- Abuse and negligence in the handling of sensitive employee data
I present specific scenarios, some representing “the perfect storm” of all four unintended effects listed above:
Personal observation: In a WiFi-enabled fast food place, a minimum wage worker meets his prospective supervisor to verify his I-9 documents. The supervisor takes a photo of his Driver’s License and Birth Certificate using his iPhone, emails it to himself, and submits the proper I-9 form to corporate using his laptop over public WiFi.
Personal experience: Filling out an online job application that took more than an hour (including a 200-question psychology assessment and background-check information), culminating in an eSignature validated with the job portal login, password, and SSN, which, after submission, was presented in clear text when “printed for your records.”
Pre-employment drug screening: Some employers and occupations have a legitimate requirement, while others do not. This invasive practice is sometimes abused as a compensating control for a lack of managerial supervision or proper vetting procedures. As a “voluntary requirement” for organizations claiming to be 100% drug-free, it can be quite discriminatory. Who gets screened may depend on whether one is an employee or a contractor, when they were hired, and so on. Often, only poorly compensated, under-skilled employees are tested, while those responsible for critical roles (such as conducting information security or compliance audits) are not. What is the risk basis for this? Someone on antidepressant medication with a cache of semi-automatic weapons in their basement gets a free pass, while those occasionally partaking in recreational drugs do not?
Employee liability: Some employees are required to sign an affidavit stating that they can be held personally liable for loss of or damage to company or customer assets, accidents, breaches of information, or misuse of company resources. I personally recall participating in a new hire orientation for the Department of Homeland Security. We were all handed a very thick legal document to sign, while being told, “Security begins with you.” One person spoke up, questioning how one could assume liability for security if the system itself wasn’t secure. “Are you going to give us time to read all this?” “No, we have a big job to do in very little time. If you want to read it afterwards, ask us for a copy.”
That segues into my final example: HR personnel themselves, often underpaid, understaffed, and frequently temporary contractors. Once upon a time, HR personnel helped employees understand corporate policies and procedures, resolved conflicts in the workplace, or offered services to improve their lives at work or at home. Some still do, but many employers have cut way back on investing in human resources.
Is it any wonder why employees might become discontented or dismissive of compliance efforts? Doesn’t this represent a real risk to an organization’s values and mission?
We have this golden opportunity to utilize our employees as trusted custodians within the enterprise. What is the business case for jeopardizing their security in order to protect management’s compliance with its own standards?
An Army Ranger once told me, “Never pass a problem”.
Or an opportunity.