
Imagine watching helplessly as your business crumbles due to a critical data breach or loss of information. That’s exactly what happened to the owners of Toronto-based Avid Life Media when one of its platforms, the extramarital dating website AshleyMadison.com, had member information leaked by hackers in August.

The company was brought to its knees in a matter of hours as millions of users suddenly found their personal payment details and adulterous dalliances shared online. Media reported apparent suicides and even extortion attempts in the wake of the breach, while embarrassed spouses the world over tried in vain to explain their Ashley Madison memberships.

Business owners across Canada wondered: Could we be next?


The answer, according to IT security experts, is a resounding ‘yes.’ Any organization can be hacked, with those storing valuable information such as credit card numbers or personal information being a particularly enticing target. Recent data breaches amongst retail powerhouses such as Target and Home Depot offer a reminder that if Fortune 500 companies can face a hacker’s wrath, then so too can a small to medium-sized business—and with limited IT security resources it would be even easier prey.

But perhaps the most important lesson from Ashley Madison—a company whose tagline boasts ‘Life is short, have an affair,’ and, unsurprisingly, has received little public sympathy for its ongoing breach-related business woes—is that SME owners face far greater data security risks from their own employees than some nefarious hacker.

According to a 2014 IBM study, a stunning 95% of IT security incidents involve human error. Those could be due to an employee opening a phishing email, accessing an off-limits website that exposes their organization to malware, or inadvertently providing access to sensitive information. Sometimes the cause is far worse, even if the net impact is the same. In the case of Ashley Madison, some experts believe the leak was the responsibility of a single, disgruntled employee.


What employers often overlook in an era of increasingly rapid digital change is that data and information security is as much about managing employee behaviours as building an ironclad IT infrastructure. Employee-friendly initiatives from encouraging staff to work remotely to bring-your-own-device policies are only further exacerbating the information-management challenge for these businesses. This exposes SME owners, managers and even HR professionals who are left to manage the fallout when a staff member’s carelessness puts their organization at risk. Indeed, companies of all sizes need to realize that smart security starts by re-evaluating their employee policies and workplace protocols, then reinforcing a key message: company-wide data security is a shared responsibility, with clear and escalating consequences for non-compliance.

So, how can SME owners protect their organization’s data, yet still maintain innovation, collaboration and productivity in an environment of connected computing and cloud-based information management? It starts with these four key HR law considerations:

Workplace policies and employee codes of conduct

Let’s be clear: any organization can be hacked at any time, or face a data breach when a disgruntled employee is allowed access to sensitive files. But having workplace policies and an employee code of conduct that set clear expectations for data management and online behaviour—including, but not limited to, social media use, internet use, personal device use, and data management access policies and protocols—can help reinforce the notion that your organization takes security seriously, and will terminate the employment of any staff member that breaches it.

Most importantly, these policies help demonstrate a company’s due diligence efforts and ensure that employees are properly trained from the point of hire to protect both their jobs and your information in the event of an attempted hack.

Employment contract design

If your organization doesn’t already require employees to sign contracts with confidentiality clauses, make that a top HR priority. Ensuring that employees agree not to disclose confidential information may seem like an obvious clause to add to any contract, but it’s one that employers often overlook. Without this agreement, your organization could face challenges upholding a just cause termination in the event that an employee leaks important data.

Of course, these clauses need to be limited in scope and duration, so seek the advice of an employment lawyer to ensure your contracts will be enforceable in a court of law. In the event that your contracts do lack such a clause, remember that organizations reserve the right to offer departing employees a severance payment in excess of their statutory entitlements in exchange for a promise of post-employment confidentiality.

Worker-friendly protocols and systems

I’ve worked with an array of companies over the years, many of which invested heavily in complex IT security systems, and have watched them face successive hacking incidents and data-management protocol breaches. The reason: their systems were either too complicated or cumbersome for employees to use efficiently.

While workplace policies can help ensure compliance, even the most diligent worker will eventually let their cyber guard down if data management processes become overly challenging. In other words, think carefully about how any new IT security system might impact workflow and your workplace culture before making a purchase.

Employee training

Employees cannot be expected to properly manage data without adequate training. That means developing a comprehensive onboarding process that informs employees on the proper use of systems, their security-management responsibilities, and outlines the various scenarios in which they could be tricked into exposing their organization’s IT infrastructure to malicious software, or surrendering data to a fraudster. Because hackers are constantly developing new methods to illegally access information or sabotage organizations’ data security systems, that training needs to be updated at least annually.

Laura Williams is an employment lawyer and founder of Williams HR Law in Markham, Ont. She has more than 15 years' experience providing proactive solutions to employers aimed at reducing workplace exposures to liability and costs that result from ineffective and non-compliant workplace practices.
