Don’t Get Hacked: HR Can Use ‘Cupcake Caper’ for Cyber-Security Lesson


Of the many ways to teach employees better practices for safeguarding company IT networks and computers, the "cupcake caper" may be the most memorable we’ve heard. 

Scolding employees for carelessness about cyber-security is unlikely to be effective, said Katherine Jones, director of talent research in the intellectual capital group at consultancy Mercer. Instead, she suggested getting creative. 

For instance, if an employee leaves a laptop open, unlocked, and unguarded, why not demonstrate in a fun way how that might come back to bite the employee in the backside? Jones said you could make the lesson hit home by going on the employee’s laptop and sending out a mass email offering to bring cupcakes for the entire office the next day. 

Human resources departments may not think they’re on the front lines of cyber-security, but they have to assume some responsibility for their organizations’ defense against mounting threats, according to Jones. 

One important role for HR is "to create a culture where it is safe to raise a concern" about the possible consequences of unintended carelessness for cyber-security, without fear of reprisal, she said.

She also said HR can take the lead in training employees on dealing safely with "phishing" emails and taking other basic precautions, such as keeping a "clean desk" without passwords written on sticky notes and investing in computer privacy screens.

Moreover, HR has a unique vantage point to sense in advance where internal threats might come from. "Nobody knows more than HR about things that are going to cause anguish and angst, like an impending layoff, or mergers and acquisitions," Jones said. "People who act maliciously under these circumstances have usually done so before. HR can have managers monitor such people."

Culture of Security

"Creating a culture of security is the key thing, where employees feel engaged and accountable," said Grant Bourzikas, chief information security officer at well-known antivirus software firm McAfee. "Tie it back to their job. A lot of it is collaboration—we partner on a lot of education on the basic security hygiene employees should exhibit, such as 'phishing' tests."

There are "hundreds of 'handling errors' that occur across large companies," according to Robert Bleimeister, who is currently program director at the Conference Board and formerly worked at insurance giant AIG as vice president of HR Global Operations, and at PwC and IBM as HR transformation and technology partner.

He said employers should take steps to curtail risks posed by employees' personally owned devices, including peripherals that they might connect to employer-provided equipment. For example, company-owned laptops should be configured so that they cannot read flash drives plugged into them at all.
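As an added example that is not part of the article and not any vendor's published guidance, the following PowerShell script shows one way a Windows administrator could enforce and verify the setting Bleimeister describes: it denies read and write access to removable disks through the Removable Storage Access policy registry keys and disables the USB mass-storage (USBSTOR) driver. The registry paths and the "Removable Disks" device class GUID are standard Windows values; the function names are my own, and the script assumes an elevated PowerShell session on a company-managed laptop.

```powershell
# Added example: block removable (USB mass storage) disks on a Windows endpoint.
# Requires an elevated (Administrator) PowerShell session.
# Registry locations are standard Windows policy/driver keys; function names are hypothetical.

# Device setup class GUID for "Removable Disks", as used by the Removable Storage Access policy.
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableDiskState {
    # Reports the current values so the weak (default) and hardened states can be compared.
    $denyRead  = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_Read'  -ErrorAction SilentlyContinue).Deny_Read
    $denyWrite = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    $usbStart  = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyRead     = if ($null -eq $denyRead)  { 0 } else { $denyRead }   # 0 = reads allowed (default)
        DenyWrite    = if ($null -eq $denyWrite) { 0 } else { $denyWrite }  # 0 = writes allowed (default)
        UsbStorStart = $usbStart                                            # 3 = load on demand, 4 = disabled
        ReadBlocked  = ($denyRead -eq 1) -or ($usbStart -eq 4)
    }
}

function Set-RemovableDiskBlocked {
    # Hardened state: deny read and write to removable disks, and stop the USBSTOR driver from loading.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey  -Name 'Deny_Read'  -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey  -Name 'Deny_Write' -Value 1 -Type DWord
    Set-ItemProperty -Path $UsbStorKey -Name 'Start'      -Value 4 -Type DWord
}

Write-Host 'Before:'; Get-RemovableDiskState | Format-List
Set-RemovableDiskBlocked
Write-Host 'After:';  Get-RemovableDiskState | Format-List
```

Across a fleet the same settings would normally be pushed by Group Policy (Computer Configuration > Administrative Templates > System > Removable Storage Access) rather than by a per-host script, and the `Get-RemovableDiskState` check is the useful part to keep for compliance reporting: a laptop where `ReadBlocked` is false has drifted from the policy and should be flagged. Disabling USBSTOR affects only mass-storage devices, so keyboards, mice and other USB peripherals keep working.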

Bleimeister offered additional examples of security mistakes, including the following:

- HR personnel emailing unencrypted, personally identifiable information to their own personal email service, such as Google's Gmail, to work on at home;
- Carrying payroll reports on a print-out, floppy disk, or flash drive to a local bank, especially in offices in the developing world;
- "Unsecured, printed-out compensation reports left on a desk;" and
- "Not providing the same policies, procedure training, and oversight of contractors, as we give employees."
