By: Amy Matthews, SPHR

Earlier in the fall, we had a member reach out to us and ask about cyber security.  At first, we were a bit confused—thinking this to be an IT matter, not an HR matter.  After some brief research and internal discussion, it became clear that this absolutely is an issue for HR.  Ideally, there is an IT department to partner with on this issue, but if not, this is in the wheelhouse of human resources.

Let’s start simply.  Cyber security is defined as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” Once you know what it means, you can easily see how this is aligned with HR goals. It is HR’s job to protect the company and its employees. This includes our data and systems.

There are several areas to consider when looking at creating a cyber security policy. However, the best defense is also a good offense.  Educate your employees on what to look for, and how to react to and handle attempted breaches of your system.

In fact, something happened to me a while back that proves this point.

I received an email that looked like it was from my boss. I receive emails from him often enough that I didn’t think anything of it, and I didn’t check the return email too closely.  The email simply said, “Are you in the office?”  I replied “Yes.”  Shortly thereafter, I received another email, phrased in a way that he would never write. The email asked me to purchase some gift cards online and send him the links. My eyebrows went up – and I looked at the email address again.  Sure enough, the actual return email address was something like xfgd579@domain.com. It was SPAM!  I forwarded it to our IT department, so they would know something was happening out there.

This is a common scam, and, unfortunately, busy people who just don’t know any better follow through with these directives, and the money is gone.

What can we do about these cyber threats?

  1. Have an ethics policy (what to do and how to behave online and electronically). For example, placing “Big Sale Item” in your subject line is a 99% guarantee that your email will go straight into a spam folder, and might get your domain blacklisted.
  2. Create (and adhere to) password guidelines, and change them often.
  3. Follow an “Acceptable Use” and/or “Clean Desk” policy.
  4. Create (and adhere to) an email policy.

If you have an IT department, there are many safeguards that can be put in place—many of these in a Neo-Matrix kind of way that most of us don’t understand. Couple that with some strong policies, and your company is less at risk.

Remember, just having a policy isn’t enough.  Everyone in the company must follow the policies that are created. This is easier to do if the rules are simple to follow, and easy to understand. Training, along with some templates and guidelines, is a great start to be better prepared against cyber threats.


NAE is hosting a FREE event in Reno on Friday, November 9th to discuss current scams affecting Nevada businesses (including the latest cyber threats) and how to protect yourself. Join us!