
Cybersecurity Fundamentals – Personnel Security


What is Personnel Security?

Personnel security covers the activities that protect your organization's data through the people who handle it: vetting the people you hire, training them to protect themselves and your organizational data assets, and managing what happens when an employee leaves the company.

In this context, "personnel" also includes your contractors, business associates, and the providers of services or products to your organization. All of them fall under the personnel security umbrella.

Hiring or contracting workers, business associates, and providers

When it is time for you to bring in new workers or to contract with someone that can provide a service or products, it is a common tendency to think only of what you will spend to bring them in and what it will take to keep them on the payroll. While that is important, it is also essential to understand that your data is an asset you must protect. 

Most companies require some form of background check of criminal or financial records, and ask the potential employee or contractor to disclose any illegal activity, run-ins with law enforcement, loss of a job for misconduct, and so on. Sometimes these checks also look at the applicant's financial stability. But how often has anyone asked you whether you ever told someone your work password, or shared information belonging to a previous employer with someone outside that company? Have you ever required a candidate to disclose their connections with your business rivals?

If your organization is looking to use a cloud storage provider, does that provider check the employees who would be working on your contract? Does it train them to protect your data to a standard equal to or greater than the one you hold your own employees to? Do they know how to do their jobs properly?

All these questions, and more, are important ones to consider. A service provider with inadequate cybersecurity standards can be as dangerous to your organization as an internal employee might be.

Training for Cybersecurity

Once you have onboarded a new employee, or begun working with that Point-of-Sale (PoS) equipment seller, you have to train them to protect themselves and your data assets. An internal employee is a relatively simple case, but how do you prepare the seller's staff who come to your locations for installations, repairs, or replacements?

Internally, you should have a cybersecurity awareness training program that teaches basic cybersecurity practices. It should cover your policies and procedures, how to report possible incidents, how to handle common attacks (such as phishing emails and social engineering), and physical security. Yes, ensuring employees are safe in the work environment is part of cybersecurity.

When dealing with providers you need to share information with, it is common and good practice to detail data-handling and protection requirements in a contract. The contract is both a record of what you expect and legal protection if the provider fails to meet it. If the provider is unwilling or unable to give the assurances and protections detailed in the agreement, consider finding another provider.

When you bring in providers or suppliers, there is absolutely nothing wrong with giving them access to your internal training programs and materials. Doing so puts them on the same "page" as your employees and makes clear the value you place on security. Including the provider's employees may be the best way to ensure their cybersecurity training is completed, especially if the provider doesn't have a program of its own.

Some of the training you could include in your cybersecurity awareness program might be:

  • Types of attacks
    • Phishing
    • Social engineering
    • Piggybacking or tailgating
  • Defensive measures
    • Email-related defenses, such as not opening emails from unknown senders and not opening unexpected attachments
    • Protecting against social engineering by not divulging information that attackers could use to gain access to data or networks
    • Protecting and changing passwords or other authentication methods, and not allowing someone to look over your shoulder at work
    • Not letting anyone follow you into secured areas without permission and proper identification

Many other topics could be included in a cybersecurity awareness training program. You will have to decide what is necessary and appropriate for your organization.

Letting someone go

The topic of firing someone is always challenging to discuss or train for, but it is a critical component of doing business. Letting someone go can be for cause (the individual did something wrong), without cause, for lack of work, or for any number of other reasons. Why and when you are letting them go, and how you will do it, all need consideration.

Let's talk about the first reason, for cause. If the person has made a grievous mistake and needs to be released (or their contract ended), consider why. If the reason is one that puts the company or organization at risk, you may need to work with several people to accomplish the release safely and securely: human resources, the legal department, and possibly even law enforcement.

For cybersecurity, keep a complete inventory of all physical and digital company assets assigned to each person, so that they can be identified and recovered promptly. All company assets must be recovered before the person leaves the property.

In some cases it may be necessary to release someone without notice. Doing this requires planning: the person should be escorted from the moment of notification until they finally leave the property, and all access to digital assets (accounts, remote access, and any shared credentials they know, which should be rotated rather than merely disabled) should be terminated moments before, or simultaneously with, notification so that those assets cannot be stolen or destroyed during the process.
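The two rules in this section, revoke all access no later than the moment of notification and recover every company asset before the person leaves the property, can be checked mechanically after the fact. The following is an added example, not Northstarr's code or any product of theirs. The notification and departure times, the system names, the asset tags and every record in it are constructed for illustration; "shared" credentials are tracked separately because disabling the departing person's own account does nothing for a password that others also use.

```python
"""Offboarding reconciliation check.

Added example for the 'Letting someone go' section; it is not Northstarr's code.
Every record below is constructed, and all system names and asset tags are
hypothetical. It checks two rules: every account or credential the person held
was revoked (or, if shared, rotated) no later than the moment of notification,
and every company asset was recovered before the person left the property.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AccessGrant:
    system: str                     # hypothetical system name
    shared: bool                    # credential known to others too: must be rotated, not just disabled
    revoked_at: Optional[datetime]  # when disabled/rotated; None if still live


@dataclass(frozen=True)
class Asset:
    tag: str                          # hypothetical inventory tag
    description: str
    recovered_at: Optional[datetime]  # None if not yet returned


def offboarding_findings(notified_at: datetime, departed_at: datetime,
                         grants: list[AccessGrant], assets: list[Asset]) -> list[str]:
    """Return one finding per rule violation; an empty list means the release was clean."""
    findings: list[str] = []
    for g in grants:
        action = "rotated" if g.shared else "disabled"
        if g.revoked_at is None:
            findings.append(f"{g.system}: not {action} (still live)")
        elif g.revoked_at > notified_at:
            # Access that outlived the notification gave the person a window to copy or destroy data.
            findings.append(f"{g.system}: {action} {g.revoked_at - notified_at} after notification")
    for a in assets:
        if a.recovered_at is None:
            findings.append(f"{a.tag} ({a.description}): not recovered")
        elif a.recovered_at > departed_at:
            findings.append(f"{a.tag} ({a.description}): recovered after the person left the property")
    return findings


def sample_findings() -> list[str]:
    """Run the check over a constructed (hypothetical) no-notice release."""
    notified = datetime(2024, 3, 4, 9, 0)    # moment of notification
    departed = datetime(2024, 3, 4, 10, 30)  # escorted off the property
    grants = [
        AccessGrant("vpn", shared=False, revoked_at=datetime(2024, 3, 4, 8, 58)),            # before: fine
        AccessGrant("email", shared=False, revoked_at=datetime(2024, 3, 4, 9, 0)),           # simultaneous: fine
        AccessGrant("cloud-console", shared=False, revoked_at=datetime(2024, 3, 4, 9, 20)),  # 20 minutes late
        AccessGrant("shared-admin-password", shared=True, revoked_at=None),                  # never rotated
    ]
    assets = [
        Asset("LT-0412", "laptop", recovered_at=datetime(2024, 3, 4, 10, 15)),               # fine
        Asset("BADGE-0412", "building badge", recovered_at=None),                            # still out
        Asset("TOKEN-0412", "hardware MFA token", recovered_at=datetime(2024, 3, 4, 11, 0)), # too late
    ]
    return offboarding_findings(notified, departed, grants, assets)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run against the constructed release, the check reports the console access that stayed live for twenty minutes after notification, the shared administrator password that was never rotated, the badge that was never returned, and the MFA token recovered only after the person had left. A clean release produces an empty list, which is the condition to require before the file on that release is closed.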

Even a relatively common release can become an issue, so beware of what appears to be a safe and manageable situation. Plan and implement the release with security and safety in mind.

How will this Affect You?

A well-vetted, trained, and secured workforce should be a priority for you and your organization. It is an investment that helps to protect those involved and keep your organization moving forward instead of potentially finding itself in rough waters over a personnel-related security incident.

Take the time to plan for your personnel security, and you will not regret it.

What should you do?

It doesn’t matter what your organization does or who you are. There will always be a chance that your personnel or associates will be involved in situations related to cybersecurity threats. Knowledge, training, and experience can significantly reduce how those threats pan out for them and your organization. Plan for threats, acknowledge and work to remedy attacks, and learn from those experiences to inform and improve future security responses. 

Northstarr Recommendations 

As an information technology and cybersecurity provider, Northstarr can be an integral part of your personnel security planning and implementation team. Whether advising on hiring and provider contracting procedures, training and training validation, or simply reviewing what you already have in place, Northstarr can ease your concerns about potential threats to your personnel or organization.
To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!