· Features

Could HR cut cyber risk through employment terms?

Perhaps the profession needs to deal with cyber risk before rather than after the fact

As the saying goes: to err is human. But when it comes to the loss or theft of sensitive data, being human can be an expensive business. Is it time for HRDs to weave data security obligations into employment contracts to reduce cyber risk?

There is a growing awareness that negligence is now a significant cause of data vulnerability. A recent study by Shred-it found that 88% of senior managers cited employee mistakes as one of the biggest information security risks. Data from the Information Commissioner’s Office shows that 63% of all cyber security incidents reported between July and September 2018 were caused when confidential data was emailed out in error, far exceeding breaches triggered by hackers.

With crippling fines being issued by the data regulator every month many organisations are busy trying to drive up standards. HRDs are contributing to this conversation but their input is generally limited to training, testing and awareness-raising. Some people might argue that technology is developing at a faster pace than people management skills can match. If this is true should HR leaders address cyber risk through employment conditions as well as organisational culture change?

I believe this is an issue that needs to be debated urgently, particularly because current employment frameworks mean that action around a data breach is usually taken after the event – whether that’s a disciplinary investigation, training review or changes to staff onboarding. But are after-the-event measures enough? IT is increasingly becoming an HR issue so shouldn’t HR directors be taking pre-emptive action beyond learning and development?

It’s important to remember that contractual obligations should always underline the responsibilities of both employer and employee to foster a seamless commitment to data security. Reviewing policies that define the use of social media and mobile devices as well as data protection is a good place to start. Procedures must be robust, evaluated regularly and clearly communicated to employees so they understand how to comply and what the consequences of non-compliance are.

If effectively implemented, there is nothing in the law preventing employers from inserting clauses into an employment contract to the effect that an employee, if found to be grossly negligent in causing a cyber breach, could face action for gross misconduct.

But there are many issues to consider. If cyber negligence clauses are introduced then questions about what’s reasonable, balanced and proportionate need to be thought through first. Where do you draw the line between an honest mistake, recklessness and wilful negligence? How do you decide whether to escalate action or support improvement? Where do the responsibilities of employees start and the duties of employers end?

There is also the issue of intention. When will it no longer matter if an employee didn’t intend to expose company data? Ignorance is no longer an excuse with racist or inappropriate sexual behaviour, so when will this be the case with cyber negligence?

In line with this issue of ignorance, HRDs proposing a contractual way forward will be obliged to focus on their duty to make sure staff are supported to carry out their roles effectively. They must monitor employees to ensure their behaviour is consistent with their obligations and learning and development is key here.

The importance of employee training both at induction and during the course of employment should never be underestimated. Today we are seeing a new generation of cyber security education resources and awareness platforms that can help with this by mapping directly into HR management. For example, some programs can identify an individual’s propensity to click on phishing emails and websites through a testing process and then suggest tailored training aids, videos and courses that can support that particular employee.

The same goes for cyber security tools that can play their part by classifying sensitive data so it can’t be emailed externally, ‘burning’ confidential emails after they’ve been read, or encrypting sensitive telephone conversations.

Cyber security contract clauses won’t stop people from being human, but they can set and enforce standards for both employers and employees. Terms and conditions can help to ensure that both are held to account for acts and omissions that compromise important data.

Speak with an HR director in an organisation on the wrong side of brand-destroying publicity or a GDPR fine, and I'd wager that they would prefer a gram of prevention to a tonne of cure.

Peter Matthews is CEO of Metro Communications