The global CrowdStrike IT outage in July caused widespread chaos and financial damage to businesses large and small. Thousands of flights were canceled or delayed, an Alaskan 911 system was temporarily unavailable, broadcasters went dark, and for HR pros, the outage left many employees with the infamous “blue screen of death” and even upended payroll systems for some companies.
The meltdown served as a painful reminder of the vulnerability of technology that organizations rely on for basic functions. But cyber experts also see the high-profile outage as an opportunity for HR to deepen employees’ relationship with colleagues in the IT department, and reinforce employee best practices.
CompTIA’s chief technology evangelist, James Stanger, acknowledged that the CrowdStrike outage “was not something that individual users could do a whole lot about.” But he told HR Brew that the incident reinforces the importance of protecting any work-related technology—and educating employees about proper tech hygiene.
And while many organizations do have good tech hygiene policies, in some cases it’s dated—or as Stanger said, it’s “good hygiene for 10 years ago.”
“We’ve got to have good hygiene by upskilling our existing workers,” he said. “We need to do a better job at helping our existing workers have a much more productive relationship with the technology stack that…they’re using [at work] right now.”
HR and colleagues from the IT department need to measure, document, and track employee learning about the technology they’re required to use at work, he suggested, adding that employees need to be “digitally fluent,” not just “literate.
“The more we understand the why we’re doing certain things, then we’ll understand what we’re doing,” he said.
Michael Alicea, CHRO at cybersecurity firm Trellix, said employee training is crucial for maintaining an organization’s tech security.
“Every business has to decide for themselves and plan accordingly, but communication is…critical,” Alicea said. “Sometimes, one mistake from an improperly trained employee can cause an entire security system to crumble.”
Alicea said HR can work to reenforce best practices for good IT hygiene, including:
- Backing up important information frequently to the cloud or a local storage device
- Updating software regularly; when an update is shipped to a device, employees shouldn’t hit “update later”
- Using a virtual private network (VPN) when connected to public Wi-Fi, like at Starbucks or an airport
- Regularly scanning endpoint devices (such as laptops or work stations) for viruses; this includes phone or external devices if they’re ever connected to the primary endpoint
- Only using HTTPS—rather than HTTP—websites when private information will be shared (the S stands for secure)
- Always enabling two-step authentication when possible
- Training employees to be alert to phishing emails and spoofed email addresses; cyber criminals leverage “social engineering” to coax unsuspecting employees to click on links to malware
Quick-to-read HR news & insights
From recruiting and retention to company culture and the latest in HR tech, HR Brew delivers up-to-date industry news and tips to help HR pros stay nimble in today’s fast-changing business environment.
Employees need to be extra cautious of phishing scams, Alicea said, because “at a corporate level, you can enforce password changes…You can enforce the kind of password they use. You can enforce the websites that people go to,” but there’s no enforcement against phishing: employees need to be trained to spot them.
Zoom out. IT and HR have a shared responsibility to team up and operationalize best practices. While it may be IT’s role to ideate some of the more technical policies, HR is responsible for making sure the policy is documented and carried out, Stanger said. HR can become the “trusted advisor” to IT and to executive leaders.
“Because this is a people strategy that we’re talking about here,” he said. “If we’re talking about hygiene as something that’s more than just…an update or whatever…It’s something that needs to be tracked, because if you don’t track it, it doesn’t happen. It doesn’t improve.”
For Stanger, it comes back to education and ensuring employee competencies around the tech used at work, the protections in place, and how to activate them when something doesn’t pass the smell test.
“The organizations and individuals that crack that education [component]…the most efficiently, I think they’re the ones that are going to win out here,” he said. “Because if you have that, it allows you to leverage the existing controls.”
