Pratum Blog

HR and IT

An employee’s first day presents them with a flood of new information—and delivers with it a message of what the company values most. In a few quick hours, an employee receives directions about when to start work each day, which technology communication platform to use, what to wear and more. But where does cybersecurity land on your organization’s priority list? Is it talked about on the first day?

Information security policies and procedures should be an onboarding priority for every Human Resource (HR) department. And a strong relationship with the IT department will help HR develop and implement a productive, consistent onboarding process that prioritizes your business’s cybersecurity practices. Here’s how you can begin fostering a cybersecure work environment from the moment the offer letter is signed.

Start cybersecure practices from the beginning

Create an “onboarding checklist” that includes the tasks of everyone involved in the process. This reduces the risk of making common security mistakes and may be vital in maintaining your company’s compliance.

Explain Documentation Before Requiring an Employee’s Signature

After the employee clears the background check and arrives for their first day, it is time to explain and complete a few critical documents. Many compliance audits require these, so follow accurate filing and tracking procedures.

Confidentiality (or Non-Disclosure) Agreements
Employees gain access to various levels of sensitive and confidential company information such as company trade secrets, client information, financials, and employee lists. It is your responsibility to define which information is classified as confidential and communicate how employees are to handle the information.

Information Security Policies
The onboarding process provides a great opportunity to introduce key information security topics to employees. It is very important for employees to read and understand any information security policies your organization has that will be pertinent to their specific role. Employees should sign and acknowledge these policies on their first day of employment.

Bring Your Own Device Contract
If your employees access company data through their personal devices, a Bring Your Own Device (BYOD) contract, though not required, is best practice. A BYOD contract can help protect sensitive company information if a device is lost or stolen. It enables your company to enforce security controls such as password protection and remote wiping of sensitive information. These security functions are necessary for companies to ensure data confidentiality, security, and integrity.

Perform Cybersecurity Awareness and Training

The moment an employee receives access to the company network, cybersecurity becomes part of their responsibility. By providing information security awareness and training you can deliver insight into real world cyberthreats and explain why policies are in place, what consequences come with not following them, and whom to contact with compliance or security questions. Don’t rush through this process. Taking the time to stress the importance of cybersecurity produces vigilant employees who actively participate in protecting your organization.

Provision User Access

Best practices suggest using a concept called “least privileged access,” which means users receive access to only the information needed to do their specific job and no more. A process known as provisioning user access ensures proper configuration of each user’s least privileged access. The following controls help with this process:

  • HR and IT should involve management in the access request process. The employee’s hiring manager can either approve incoming requests or be the one to submit the request to ensure that the correct access is being granted.
  • HR should work with IT to implement role-based access control (RBAC), which ensures employees can access only the resources and data required to do their jobs. Unfortunately, many organizations implement user-based access, which means they copy an existing employee’s permission set onto a new employee. This approach is very difficult to manage as organizations scale in size, and it can result in new employees getting access beyond their immediate needs, which violates the least privileged access principle.

Provisioning user access should be accurate and consistent across all new hires – especially if your company is subject to compliance requirements such as SOC 2, HITRUST, ISO 27001, etc.
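The difference between the two provisioning approaches above is easy to see in code. The following is an added example, not part of the Pratum post: a small RBAC model in which a new hire is provisioned either from a role catalogue or by cloning an existing user, followed by an audit that flags any permissions a user holds beyond what their role justifies. The roles, permission strings and usernames are constructed sample data.

```python
# Added example (not from the Pratum post): role-based provisioning versus
# cloning an existing user's permissions, plus a least-privilege drift audit.
# All roles, permissions and users below are constructed sample data.
from dataclasses import dataclass, field

# Constructed role catalogue: each role maps to the minimum permissions for the job.
ROLES = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password:reset", "ticketing:read", "ticketing:write"},
    "sales": {"crm:contacts:read", "crm:contacts:write"},
}


@dataclass
class User:
    username: str
    role: str
    permissions: set = field(default_factory=set)


def provision_by_role(username, role):
    """Role-based provisioning: grant exactly the role's permission set, nothing more."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    return User(username, role, set(ROLES[role]))


def provision_by_clone(username, role, template):
    """User-based provisioning: copy a template user's current permissions,
    including anything that user accumulated beyond their own role."""
    return User(username, role, set(template.permissions))


def excess_permissions(user):
    """Permissions the user holds that their assigned role does not justify."""
    return user.permissions - ROLES.get(user.role, set())


def audit(users):
    """Return {username: sorted excess permissions} for every user with drift."""
    report = {}
    for u in users:
        extra = excess_permissions(u)
        if extra:
            report[u.username] = sorted(extra)
    return report


if __name__ == "__main__":
    # A long-tenured template user who kept a right from an earlier assignment.
    veteran = provision_by_role("alice", "helpdesk")
    veteran.permissions.add("erp:invoices:approve")
    new_hire_rbac = provision_by_role("bob", "helpdesk")
    new_hire_clone = provision_by_clone("carol", "helpdesk", veteran)
    print(audit([veteran, new_hire_rbac, new_hire_clone]))
    # → {'alice': ['erp:invoices:approve'], 'carol': ['erp:invoices:approve']}
```

Run periodically against a real permission export, the same audit makes the "copied from a colleague" drift visible before an auditor finds it.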

HR & IT: Collaboration Through Onboarding and Beyond

Consider the relationship between HR and IT during onboarding (and beyond). An effective onboarding checklist is consistent and clearly communicates expectations for each person involved in the process. This alleviates many of the risks that can be introduced by missing important onboarding processes. And it ensures proper provisioning and information security practices are being followed.

If you’re ready to evaluate your current HR processes and implement an improved set of industry standard cyber security practices, reach out to a Pratum representative today!


Quality cybersecurity team members are hard to find in today’s market, which has led many organizations to consider engaging a virtual chief information security officer (vCISO) to lead their strategy. Engaging a fractional vCISO solves many of the issues that accompany hiring a full-time employee, by letting you sidestep soaring salaries, high turnover and competition for the best talent.

But just as with any professional service, the market is full of people who market themselves as a vCISO without having the qualifications you want in an executive-level leader guiding your cybersecurity program. In this blog, we summarize key traits to look for to ensure that you choose a vCISO qualified to set a strategy that’s cost-effective, efficient and in line with relevant compliance frameworks.

Business Mindset

Cybersecurity strategy must align with your overall business goals. So you’ll want a vCISO who truly understands how your organization makes money, what makes it different from competitors and where leadership wants to go. Benchmarking your status against other organizations within your industry can be beneficial. But if you get the sense that a vCISO candidate delivers the same templated advice to every client, keep shopping.

History of Hands-on Work

Certifications are meaningful and a good differentiator among candidates. But hands-on experience trumps training among two similar-sounding vCISOs. If a vCISO has worked on an in-house security team before, they have firsthand knowledge of selling ideas to executives, working within budgets and getting team members to catch the security vision.

Communication Skills

Nearly every job listing throws this requirement in at the end. But with a vCISO, it’s mission-critical. A vCISO typically serves as the liaison between the IT leaders and the C-suite and sometimes the board of directors. They need to be able to make the business case for security investments in plain English. The vCISO will also represent you with auditors and regulators, so your success often rides on their ability to build relationships and persuasively explain your position.

Varied Experience

No single company or industry has a monopoly on best practices for cybersecurity. So the best vCISOs have worked in multiple areas, giving them broad exposure to ideas they can apply to your situation.

Background with Incident Response

Much of your cybersecurity strategy will focus on preparing an incident response plan and effectively dealing with breaches when they happen. Find out how much your potential vCISO has worked in this area. Ask for specific examples of when they’ve handled a breach.

Expertise with Multiple Frameworks

A vCISO will help you choose one core information security framework to guide your strategy. NIST 800-171 is one of the most popular, for example. But your specific business and industry may point you to another framework. Your vCISO should have broad expertise in following several widely accepted frameworks.

Regulatory Background

Some industries, such as healthcare and banking/finance, have significant requirements under regulations such as HIPAA or Sarbanes-Oxley. And nearly every organization has to understand its obligations for laws governing handling of personally identifiable information (PII) or credit card information (covered by PCI-DSS). Your vCISO should be able to accurately determine your requirements and help you meet them.

Current Knowledge

Hackers change tactics constantly, and lawmakers pass new information security regulations every year. Your vCISO should be on top of an ever-changing industry. If they only talk about threats and tactics from 10 years ago, that’s a red flag.

Package of Annual Services

The fee for quality vCISO service should include staples such as an annual risk assessment; an annual tabletop exercise; regular meetings with your team; and more. The vCISO isn’t just on call when you need them. They set the agenda and manage annual milestones in your program.

Part of a Team

A one-person vCISO operation can bring a wealth of insight—but they’re still just one person. If you choose a vCISO who works within a larger organization, they can tap the knowledge of other vCISOs around them. And in a dedicated information security firm like Pratum, vCISOs have access to experts from the digital forensics team and SOC team when they need it.

Pratum's team of vCISOs is ready to talk about their work in all of the areas covered in this blog.

If you need help with your cybersecurity strategy, contact us today.

Data Security vs. Data Privacy

Security and privacy seem interchangeable to most of us. Cover one, and you’ve checked both boxes, right? Not exactly. Think of them more like the Yin Yang symbol. When you talk about data security vs. data privacy, you’re talking about two interrelated, but distinctly separate concepts.

And knowing the difference grows more important each month as nearly every organization evolves into a repository for Personally Identifiable Information (PII). That means that if you’re not thinking about your specific data privacy policy, you’re leaving your organization vulnerable to fines and lawsuits.

You're probably storing more customer data than you even realize thanks to everyday processes such as scanning business cards into your CRM, using cookies on your website, storing customer satisfaction surveys and more. And the giant data suction hose only gapes wider each month as the Internet of Things (IoT) and 5G’s rollout turn anything with power into a new surveillance node. Various experts predict the number of IoT devices in use by 2027 will reach up to 41 billion. You don’t need a tinfoil hat to see the implications.

Governments worldwide are increasingly committed to holding you legally liable for all that data you’re stewarding. You may not have a Chief Privacy Officer on the payroll yet, but it’s time for someone on the team to start thinking like one. In this article we'll help you understand the difference between data security and data privacy so you can ensure your policies pay attention to both.

So What Is Data Privacy?

An IT adage says that you can have security without privacy, but you can’t have privacy without security. In other words, don’t get cocky about your privacy posture just because you’ve never had a breach.

Security ensures that no one gets unauthorized access to data. But a privacy issue arises when you knowingly give personal data to entities you shouldn’t share it with. Our friends at Facebook or Google provide a familiar example. Even if they have rock-solid security, they’re still selling details about you to advertisers, market researchers and others. That’s a privacy concern. If they DO get breached, they can have both security and privacy incidents.

Thorough privacy policies also address who within your organization has access to data and how clearly you tell customers what you’re collecting and what you’re doing with it.

How to Improve Your Data Privacy Policy

In this rapidly evolving privacy landscape, you’ll need a well-informed team to clarify your responsibilities. Along with a knowledgeable attorney, you should confer with a cybersecurity company such as Pratum on:

  • How evolving privacy laws apply to you.
  • Developing policies that adequately cover both security and privacy. With multiple standards emerging nationwide, it typically takes an experienced professional to write an across-the-board privacy policy you can count on.
  • Understanding what data you’re collecting and how long you retain it, both of which can impact your liability.
  • Training employees throughout your organization on their responsibilities. Your marketing department, for example, plays a key role in your privacy position. And your HR processes should address privacy from an employee’s first day through steps such as granting role-based access, which limits employees to only the data they need to do their job.

The Cost of a Privacy Violation

Every leader should get familiar with the legal concept of a “data fiduciary.” The New York Privacy Act currently working its way through that state’s legislature includes the phrase, and it’s likely to show up in a lot of laws. It requires companies to think about customers’ data the way a lawyer or physician does. Clients divulge their private affairs to you for just one reason: so you can serve them better. Leveraging that data for your own benefit, or even acting recklessly with it, violates your responsibility.

New York’s proposed law is the latest in a string of major new regulations that determine how entities handle information. This presents two key takeaways as you think about data privacy:

  • New data privacy legislation is in the works in multiple states and nations, including big economic players Brazil and India. Californians recently voted to create an agency to enforce its data privacy law. Pratum’s analysts anticipate this being a wakeup call for hundreds of companies that hold data for California customers.
  • Agencies are growing teeth when it comes to fines for data privacy violations.

During the first year of the European Union’s privacy regulations, the EU went light on fines, tempting some companies to risk paying a token penalty rather than invest in compliance.

Then the hammer fell. In 2019, the EU leveled its first big penalty with a $230 million fine of British Airways for violating the law’s requirements. Here in the U.S., Facebook absorbed one of the federal government’s largest penalties ever: $5 billion for violating consumer privacy, which is roughly 7% of Facebook’s annual revenue. You can do the math on how such a fine would impact your bottom line.

Right now, governments are mainly going after big companies. But the Federal Trade Commission’s long list of privacy enforcement actions proves they’re also pursuing plenty of firms that aren’t household names.

Note that some of the root problems that earned fines weren’t nefarious activity so much as crimes of omission regarding basic security hygiene. When the Equifax data breach earned the company a $575 million fine, its key problem was failing to patch its network in response to a known vulnerability, leading to the compromise of 147 million records.

Data Privacy Laws

Anyone in the healthcare or financial industries probably has a working knowledge of privacy regulations, thanks to standards like HIPAA and PCI. But the last two years have brought new privacy regulations to the broader market. Two big ones have set the course for many similar laws coming online:

  • What is GDPR? – The EU’s General Data Protection Regulation took effect in May 2018. You probably noticed its arrival when every website started asking you to confirm use of cookies. Under the law, EU, UK and EEA (European Economic Area) residents now have access to and can correct, delete, and export personal information. The law, designed to provide a unified standard across national borders, applies to anyone who collects data of EU citizens.
  • What is CCPA? – California led the U.S. consumer privacy charge with the California Consumer Privacy Act, which became effective on Jan. 1, 2020. Its influence stems not only from being the nation’s first such law, but from the fact that it applies to any company with customers or computers in California. That ropes in a lot of organizations. Smaller companies are exempted from the law, as it applies only to companies that have more than $25 million in annual revenue, collect data on 50,000 consumers or more or derive 50% or more of their revenue from selling personal information. (Click here for a full analysis of CCPA’s impact.)

Several states have passed their own privacy legislation, with a wide spectrum of requirements and definitions about controls, categories of covered data, etc. Several lawmakers have been working on concepts for a national framework similar to GDPR to make it easier for companies currently trying to comply with varying state standards.

If you’re ready to have a conversation about how all of this applies to you, contact a Pratum consultant.
