Team of engineers discussing projects in a high-tech factory setting.

Cyber Security

ByVance Moore Reading Time: 6 minutes

Protecting an employer’s data and information technology systems may require specialized expertise. Depending on the particular industry and the size and scope of the business, cyber security can be very complicated. However, even the smallest business can be better prepared.

Every computer can be vulnerable to attack. The consequences of such an attack can range from simple inconvenience to financial catastrophe. While a thief can only steal one car at a time, a single hacker can cause damage to a large number of computer networks and can wreak havoc on both the business and the nation’s critical infrastructure.

Start with these simple steps:

  • Use anti-virus software and keep it up-to-date.
    • Activate the software’s auto-update feature to ensure cyber security is always up-to-date.
  • Don’t open email from unknown sources.
    • Be suspicious of unexpected emails that include attachments whether they are from a known source or not.
    • When in doubt, delete the file and the attachment, and then empty the computer’s deleted items file.
  • Use hard-to-guess passwords.
    • Passwords should have at least eight (8) characters with a mixture of uppercase and lowercase letters as well as numbers.
    • Change passwords frequently and have different passwords for different accounts.
    • Do not give the password to anyone.
  • Protect the computer from Internet intruders by using firewalls.Back up computer data. Many computer users have either already experienced the pain of losing valuable computer data or will experience it at some point in the future. Back up your data regularly and consider keeping a copy of the data off-site.
    • There are two forms of firewalls: software firewalls that run on your personal computer, and hardware firewalls that protect computer networks, or groups of computers.
    • Firewalls keep out unwanted or dangerous traffic while allowing acceptable data to reach the computer.
    • Don’t share access to computers with strangers.
    • Check the computer’s operating system to see if it allows others to access the hard-drive. Hard-drive access can open up the computer to infection.
    • Unless you really need the ability to share files, your best bet is to do away with it.
  • Regularly download security protection updates known as patches. Patches are released by most major software companies to cover up security holes that may develop in their programs.
    • Regularly download and install the patches or check for automated patching features that do the work for the user.
  • Check the security on a regular basis.
    • When clocks are changed for Daylight Savings Time, evaluate the computer security. The programs and operating system on the computer have security settings that can be adjusted.
    • Are there multiple door locks and a high-tech security system at the office? It could be that tighter security for the computer system is also needed.
  • Make sure coworkers know what to do if the computer system becomes infected.
  • Keeping data in the cloud doesn’t relieve business leaders of liability if your data becomes compromised. Cloud service providers should “do their due diligence” in making sure your data is secure, but IT must do theirs to make sure those providers are doing their job.
  • Sign up to receive free email alerts from the Department of Homeland Security National Cyber Alert System about new threats and learn how to better protect cyberspace, at http://www.us-cert.gov/.
    • Train employees on how to update virus protection software, how to download security patches from software vendors, and how to create a proper password.
    • Designate a person to contact for more information, if there is a problem.

Here is a great one page overview of email phishing to distribute to employees: Social Engineering Red Flags.

US-CERT is a partnership between DHS and the public and private sectors. It was established to protect America’s Internet infrastructure through coordinated defense against and responses to cyber-attacks.If you need assistance developing your data security policy or in dealing with employee issues related to it please call Catapult’s Advice team at 919-878-9222.

Written by a Catapult Advisor
Protecting an employer’s data and information technology systems may require specialized expertise. Depending on the particular industry and the size and scope of the business, cyber security can be very complicated. However, even the smallest business can be better prepared.
Download Document

Frequently Asked Questions

What is HR’s role in workplace cybersecurity?

HR is responsible for the human side of cybersecurity: onboarding employees with security policy acknowledgments, administering mandatory security awareness training, managing access control (ensuring departing employees’ access is promptly revoked), maintaining records for compliance audits, and partnering with IT on insider threat monitoring within legal and ethical bounds.

What employee behaviors create the greatest cybersecurity risk?

The top human-factor risks are: phishing susceptibility (clicking malicious links), use of weak or reused passwords, using personal devices for work without security controls, sharing credentials with colleagues, downloading unauthorized software, and failing to report suspicious activity. Regular phishing simulation training reduces click rates by 50-80% on average.

Should employees be disciplined for falling for phishing attempts?

A punitive-first approach to phishing failures typically backfires — employees hide mistakes rather than reporting incidents, delaying response time. Best practice is a training-first, discipline-for-repeated-failure approach. Employees who click a phishing simulation are automatically enrolled in additional training. Discipline is appropriate only for egregious, repeated, or intentional security violations.

What HR policies are essential for cybersecurity compliance?

Essential policies include: Acceptable Use Policy (covering company systems, personal device use, software installation), Password/Authentication Policy (MFA requirements), Data Classification and Handling Policy, Remote Work Security Policy, Social Media Policy, and an Incident Reporting Policy with a clear, no-blame reporting channel.

How should HR handle an employee who is suspected of a data breach or insider threat?

Involve IT security, legal counsel, and HR simultaneously. Do not tip off the suspected employee before preserving evidence. Follow a documented investigation protocol. The employee may need to be placed on administrative leave during the investigation to protect systems. Termination for confirmed insider threats requires thorough documentation of the investigation and findings.

CH

Written by Catapult HR Practitioners

PHR SPHR SHRM-CP SHRM-SCP

The Catapult HR team includes certified HR practitioners (PHR, SPHR, SHRM-CP, SHRM-SCP) with 65+ years of combined employer-side HR experience serving businesses across North Carolina and South Carolina.

Published: June 11, 2021  ·  Last reviewed by a Catapult HR Practitioner: March 23, 2026   About our team →

Similar Posts