© Dan Van Bogaert, J.D.

ROLE OF HRM WITH IT SECURITY RISKS

IN THE WORKPLACE

1

PURPOSE

Acquire understanding of broad variety of IT security risks that impact HRM

Attain competencies needed to train EEs regarding use of social media

Learn how to partner with IT professionals to identifyvulnerabilities related to HRM computer technologies

Gain general understanding of basic IT terms & related legal issues.

2

START WITH VULNERABILITY ASSESSMENT

Identify where risks that relate to HR activities

Threats & problems vary depending upon size of organization & nature of operations

IT professionals may recommendassessments for key HR activities

3

VULNERABILITY ASSESSMENT

Once identified, HR professionals may prioritizedvulnerabilities according to risk levels

Once prioritized, HR professionals need to developaction plans to eliminate, or at least mitigaterisks

4

KEY VULNERABLE HR ACTIVITIES

Using Social Media in the Workplace

Using Software for HR Functions

Maintaining Sensitive Info & Confidential Data

Using Computer Networks

Telecommuting or Working from RemoteLocations

Click here for audio5

HRM BEST PRACTICES: USING SOCIAL MEDIA

Once vulnerabilities identified & prioritized, next step is to develop & implement:

● Social Media Use Policy

● Train EEs on cyber safety standards

● Establish standards of acceptable EEcommunications

6

USING SOCIAL MEDIA IN THE WORKPLACE

• “SOCIAL”: interaction of humans

• “MEDIA” : generally, a method of communication, like a newspaper or radio

• “SOCIAL MEDIA”: popularly refers to all electronic communication primarily intended for social purposes

7

Click here for audio 

8

EVOLUTION ofWorkplace Communication

EVOLUTION OF COMMUNICATION ● Not long ago typewriters, carbon paper, mimeographs,

microfiche, & rotary-dial telephones were primary means communication & record keeping

● By 1970’s, however, computer systems started to takeover as the main vehicle for data storage &communication

9

EVOLUTION of Social Media in the Workplace

Today’s era of mobile devices

HRM is able to perform variety of functions with social network sites

Increased exposure to computer related risks & threats

10

HRM USING SOCIAL MEDIA IN THE WORKPALCE

Common uses:

referral programs recruitment campaigns

preliminary background investigations

sharing work-related info & documents

11

USING SOCIAL MEDIA IN WORKPLACEPROBLEMS & THREATS

privacy violations hacking, phising & spear phising misuse of commercial surveillance misplaced or stolen unsecured laptops & flash drives online defamation breaches of sensitive employer data, cyber-bullying,

viruses, worms, malware attacks copyright infringements

12

BRING YOUR OWN DEVICE

EEs like to use own mobile devices for work

Potential “win-win” for most ERs & EEs

Advantages: enhanced productivity, flexibility, reduced equipment costs

Disadvantages: ER lack of control, requiresreimbursement of EE expense

13

BRING YOUR OWN DEVICE

Need to be vigilant protecting privacyrights & guarding against breaches of computer systems

Accessing (remotely or on-site) organization’s databases & communicationsources from mobile device adds topotential problems & threats

14

BYOD APPs

May be vulnerable to spyware & malware attacks, or other risky content susceptible to hackers due to lack of:

preinstalled security software

firewall to limit Internet & connections exposedto intrusion through an unsecured communicationsport

passwords & personal IDs to authenticate users &control access to stored data

encryption15

POLICY DEVELOPMENT

POLICY MUST:

be sufficiently comprehensive to address vulnerabilitiesrelating to use of social media via mobile devices

be clearly communicated to all persons covered,primarily in onboarding & training programs

have HRM share responsibility for implementation require EEs to formally acknowledge receipt &

understanding of policy (usually part of EE handbook)

comply with applicable state social media privacy statutes16

SOCIAL MEDIA POLICY PROVISIONS

● Define scope, purpose, and terms, e.g. “social media”● Define acceptable work-related & personal communications &

etiquette ● Prohibit disclosure of trade secrets, confidential or proprietary

info & posting of ER logos, trademarks, service marks

● Spell out discipline, i.e. what happens when policy violated● Disclose restrictions on use of ER & EE equipment to post

information related to ER or customers, or use during certain work hours

(Caution: restrictions may not constitute an unfair labor practice)17

SOCIAL MEDIAPOLICY PROVISIONS

● Provide reimbursements of related expenses when EE required to use mobile devices for work

● Define privacy expectation limits

● Describe security restrictions & procedures

● Spell out physical security safeguards

● Prohibit posting personal complaints, harassments,promotion of violence

18

SOCIAL MEDIAPOLICY PROVISIONS

Remote access rules to address specialvulnerabilities related use during on-call flex-time periods, e.g. 4/10 programs, & other time off from work periods, e.g. mandated leave

Policy language should be also reviewed by legalcounsel before implemented

(For numerous sample social media policies, visit: http://www.compliancebuilding.com/about/publications/social-media-policies/ )

19

IMPLEMENTATION SOCIAL MEDIA POLICY

Best practices for managing EE’s use of mobile devices are thorough training programs & monitoring (within legal limits*) EEs’ use of social networking sites

Train EEs re cyber safety standards & procedures(Collaborate with IT professionals re program content)

*California, Colorado, Connecticut, North Dakota & New York laws prohibit ERs from disciplining EEs based on off-duty activity on social networking sites, unless the activity shown to damage ER 20

IMPLEMENTATINGSOCIAL MEDIA USE POLICY

● Clearly communicate policy training programs & onboarding

● Comply with applicable state social media privacystatutes

● HRM follow up training to insure proper use of social media by EEs

21

IMPLEMENTATING SOCIAL MEDIA USE POLICY

● Install advanced mobile device “wiping” technology &other software for deleting sensitive data when deviceslost or stolen

● Limit approved mobile devices & software apps

●Use security products that scan devices formalicious apps before allowing them to be connected to organization’s networks

22

Standards for EECommunications

Organizations have business purpose in protecting its reputation & reputation of EEs by:

placing limits on communications, networking sites or photo sharing sites

keeping personal info off the Internet23

Training EEs: Dos & Don’tsDON’T:

● Ignore phising scams

● Install location-tracking apps, unless necessary for ERapproved geographic tracking (GPS)

● Download attachments or software applications from unknown or unapproved sites

● Store ID & password on device, nor have device “remember”such info, especially if authorizes access to ER’s networks

24

Training EEs Do’s & Don’t’s

DON’T’● Reveal personal & private info (including passwords)

to strangers, just-met “friends” or unauthorized 3rd

parties

● Reply to spammers or sites offering “reward” in exchange for contact info

● Use insecure wireless networks

25

Training EEs: Dos & Don’ts

DOs: ● Regularly scan smartphones with up-to-date reliable antivirus products

● Use strong passwords to lock device & for logging into accounts, retrieving e-mail, accessing applications, databases networks, web sites

● Regularly change password per ER standards

26

Training EEs Dos & Don’ts

DOs:● Regularly check browser address bar to ensure logging

in through correct URL

● Download apps or allow automatic updates only fromapproved & trusted developers

● Access ER network only with approved & knowndevice

27

OTHER TIPS:EE USE OF SOCIAL MEDIA

Fix social network privacy settings to control access

Review network's privacy policy regarding posted personal info & info collected on EE visits:

Choose options to control use of info by sites &others with whom they share it

Change privacy settings to “private” so onlyapproved users can view it

28

OTHER TIPS: EE USE OF SOCIAL MEDIA

block advertising cookies through Internet browser’ssettings

only use “clean” work email address for known trusted individuals

be aware of monitoring of EEs’ workcommunications

use e-mail & file encryption software 29

Etiquette & Social Media

HRM implements policy by:

setting standards for Social Media etiquette

controlling EE use of devices in workplace

defining limits on EE expectation of privacy

30

8 Key Etiquette Rules on Use of Social Media

Expected EE behavior on mobile devices:

Be considerate: avoid interrupting face-to-face conversations

Take regular timeouts from use

Avoid anonymous retaliation

Limit indiscriminate photo takingcontinued next slide

.31

8 Key Etiquette Ruleson Use of Social Media

continued:

Check proper text grammar & spelling

Exercise personal safety; do not text while driving

Limit use of e-mails

Avoid “oversharing” (“TMI”) & discourage gossip in workplace

32

Best Practices Mobile Device Software Apps

• Guard against unsuspected malware or virus by ER preapproval of EE devices & app downloads

• Use Activation Lock iOS to remotely erase contents or disable lost or stolen devices; PIN number required to unlock

• Use only reputable app stores

• Use EE mobile “Digital Wallet” app for secure storage of personal info

33

HR SOFTWARE

Problems & Threats Solutions

Click here for audio 

34

Software for HR Functions: Best Practices

Best practices needed due to vulnerability to IT security risks (problems & threats)

35

USING SOFTWARE FOR 7 KEY HR FUNCTIONS

1st Partner with IT pros for assistance in developing timeline for implementation & reviewing potential vendors*

HRIS projects, e.g. enrollment, record keeping, & selfservice for EE benefits, payroll & attendance

Applicant tracking & signature (“e.g. “bamboo HR account” )

E-learning, including online training & courses

*[http://www.erp.asia/hr-implementation.asp; http://www.tmcnet.com/voip/0409/ten-steps-to-successful-software-implementation.htm ]

36

USING SOFTWARE FORHR FUNCTIONS

EE communications

E-recruitment methods, including display of career opportunities on web sites & use of socialnetworking sites

Performance evaluation

Succession planning

37

Software for HR Functions: Best Practices

● Study software choices*

● Install anti-virus software

● Keep abreast of social media rulings by the NLRB

● Monitoring EE communications● EE commincations, e.g.“anti-hacker alerts” & security tips, such as not emailing company usernames & passwords

[*Comprehensive vendor list at: http://www.capterra.com/sem/human-resource-software?utm_source=bing&utm_medium=cpc ]

38

Software for HR FunctionsBest Practices

Confirm high functionality, i.e. performs core HRfunctions as required by statute / regulatory authorities

● Adopt EE self service (ESS) / manager self service (MSS)

● Prohibit EEs copying or loading performance evaluationsonto personal devices that are available from software programs

39

DATABASE MAINTENANCE

Problems & Threats Solutions

Click here for audio 

40

MAINTAINING SENSITIVE INFO& CONFIDENTIAL DATA

PROBLEMS & THREATS

• “Sensitive” = not legally protected, but should not be made public, e.g. typically maintained by HRM relating to EE records, e.g. dates of hire, pay, & employee benefits

• “Confidential = legal obligation not to disclose, EE SS# or medical history

41

Maintaining Sensitive Info &Confidential Data

HRM BEST PRACTICES: HRM’s duty: raise EE awareness of how their use of computer technologies may compromise workplace security

Secure all employee data Restrict access to sensitive data to EEs with need to know Properly dispose of sensitive data Use password protection Control physical access to business computers

42

Maintaining Sensitive Info &Confidential Data

BEST PRACTICES, continued… Encrypt data Protect against viruses & malicious code (“malware”);

Install anti-virus & anti-spyware software Keep software & operating systems up to date Secure networks with firewalls to prevent outsiders

from accessing network data Restrict remote access to authorized EEs using properly

configured Virtual Private Network (VPN) http://www.virtualprivate-network.com/

Train Ees43

COMPUTER NETWORKS

Threats & Problems SolutionsClick here for audio 

44

USING COMPUTER NETWORKS BY HRM

PROBLEMS & THREATS1.Viruses, Worms”, Trojan Horses 2. SPAM3. Phishing4. Packet Sniffers 5. Maliciously Coded Websites6. Password Attacks7. Hardware Loss & Residual Data Fragments8. Shared Computer vulnerability9. Zombie Computers & Botnets

45

Using Computer NetworksBest Practice Tips

1. Keep personal Web browsing at home2. Keep confidential data confidential3. Use secure connections4. EEs to speak up if something wrong with

mobile device or PC5. Make sure EEs know the security policy; then

enforce it6. Lock your computer screen7. Use passwords

46

TELECOMMUTING & WORKING IN REMOTE LOCATIONS

Threats & Problems Solutions

Click here for audio 

47

TELECOMMUTING & WORKING FROMREMOTE LOCATIONS

THREATS & PROBLEMS:● Attacks from hackers & identity theft

● phising & spear phising

● privacy violations & Online defamation & cyber-bullying

● Unrestricted “cookie tracking” & misuse of spy software

● SPAM

● Virus, worms & malware attacks48

Telecommuting & Working fromRemote Locations

Provide remote workers with online policy manual, including:

procedures for termination, i.e. immediate suspensionof access to technology & accounts & return of accesscards & ER owned electronic equipment

procedures for checking in (or clock into online time tracker if paid hourly)

Provide telecommuters with secure ER email address & separate IP addresses

49

TELECOMMUTING & WORKING FROM REMOTE LOCATIONSTrain telecommuters how manage data & systems:

Use strong passwords, authenticate with token &password or PIN

Require approved computer equipment, i.e. port protection devices & VPN client software

Monitor files from ER’s LAN

Use “SOHO” Router

50

LEGAL ISSUES: STATUTES & COURT CASES

Click here for audio 

51

SELECTED LEGAL ISSUES

•Potential problems when HRM uses social media for recruitment and hiring?When looking at candidates’ social media profiles, HR professionals may learn information they should not have when screening candidates

•Negligent hiring claimsOnline “friending” between managers & EEs may increasechance—should a working relationship turn sour—of added claims in any subsequent employment litigation

52

STATUTES & COURT CASES

17 key federal/CA statutes directlyrelated to IT Security

22 federal/CA court cases

53

Q. & A.

54

CONCLUSION

© Dan Van Bogaert, J.D. Permission granted   December 15, 2014 SAHRA Webinar.

*Dan Van Bogaert, J.D. is an adjunct professor who regularly teaches for UCLA Extension HRM Certificate Programsand has also taught graduate and undergraduate courses at Brandman University, and Loyola Marymount University/LA. He can be reached at profdan@ssctv.net

Copies of comprehensive 50 page best practices guide, Role of HRM with IT Security Risks in the Workplace, is available in March, 2015

Click here for audio 

55

THANK YOU FOR YOUR PARTICIPATION

This Webinar presentation, including the foregoing Power Point slides, is intended only for general information purposes; It is not intended for legal advice nor as legal opinion. You should consult your own counsel for any legal advice in this area.

56