8 Ways HR’s Superpowers Secure Businesses

This is a podcast episode titled, 8 Ways HR’s Superpowers Secure Businesses. The summary for this episode is:
Ensure your Applicant Tracking System is secure
05:26 MIN
Cybersecurity awareness training
03:47 MIN
The importance of SSO
01:09 MIN
Hybrid Environment best practices
03:13 MIN

Abbey Szentes: ... About the eight ways HR's superpowers secure businesses, and a look at how HR partners with IT to accomplish these goals. To give a quick overview of what we're going to discuss today. First, Anh and I are going to introduce ourselves. We'll cover the eight superpowers we have prepared for you all today and then dive into any questions that you may have for us in the meantime. So who are your hosts for today? So my name is Abbey Szentes. I am Trava's HR Generalist. My role at Trava is to realign HR and talent acquisition programs within the company's vision, goals, and values. And I really help to execute every aspect of the employee lifecycle here at Trava, so everything from onboarding to compliance to payroll and I'll hand it over to Anh to introduce himself.

Anh Pham: Thank you, Abbey. Welcome, everyone. My name is Anh Pham, I'm currently a senior security engineer at Trava. My role here includes overseeing Trava's cybersecurity program from A to Z and also act as the cybersecurity SME for both internal and external customer. And then most recently I helped with getting us to attain ISO 2701 certifications.

Abbey Szentes: Which is a huge accomplishment for us here at Trava, so we definitely appreciate Anh and his team's work on that. So a quick snapshot at the superpowers we're going to cover here today. We have eight prepared for you and we really want to call out that these superpowers include a lot of best practices that Anh and I use here at Trava, and it will cover the entire employee life cycle that employee may go through at your company. It's really important to also emphasize though that we're going to be talking a lot about what Trava does, but that may not be exactly what your company does or what may be able to be accomplished for you. So we do still just want to recommend though that these really are best practices and they will still be applicable to your company no matter what maturity level that you're at. For those small companies, there still can be collaboration between different individuals. Or if HR and IT, for example, are not separated at your company, that individual's still taking off and putting on different hats. So there's still collaboration between that. And then for our bigger companies, you may have a whole team of individuals on your HR or IT and cybersecurity staff, and these are great reminders for those best practices that we have today. So moving on to that first superpower, we're going to talk about the power of attraction when it comes to recruiting and interviewing. Our first recommendation is to ensure your applicant tracking system, or ATS, is secure and that the integration into your company and systems is set up properly. That word secure can be defined in various of different ways and especially between different companies. Some companies may require a SOC2 cybersecurity certification or an ISO, like Anh just alluded to, certification as well. But some companies may just want to see what the applicant tracking system's security documents may look like. 
Our major call out here is to ensure having IT check out whatever security documents that you're able, that they're willing to share with you to ensure it truly is a secure system that you're going to be integrating into your company. With that integration, the collaboration between the HR and IT having clear communication is absolutely key during this time. Anh and I worked together on an ATS integration earlier this year, and being sure that it fit with our schedules, we were on the same timeline and we had that clear communication on what was happening, was really vital to make that integration extremely smooth. Now we've talked a lot about ATSs, but we do want to recognize that some companies may not have the budget for an applicant tracking system and that's fine. And there's ways that you can still be secure when it comes to applicants applying to your company, working through that process and going through interviews. Our recommendation for that would be have a separate email and if you are putting resumes into a traditional folder filing system, that those folders are restricted in whatever system you're using, whether that be Microsoft or Google. And then also ensure that you're being mindful with the appropriate parties that you're sharing these documents with. That's something that's going to be key and something that you'll hear quite a bit throughout this webinar is making sure folders are restricted if you're filing in a traditional manner, and making sure that appropriate parties have access and are granted and taken that access away when appropriate. The final mention we'll say about the ATS is having, is ensuring that it's secure through ensuring that it's not asking for irrelevant sensitive information. A year or two ago there were incidents where applicant tracking systems or job boards were pretending, impersonating companies and asking applicants for sensitive information like bank account or social security numbers. 
One, if you are an applicant and see that, please report it to the company. It may be a scam and a bad actor at hand. But also if you see that happening within your own applicant tracking system, be sure to take it to IT and try to figure out what the issue is there. Then when it comes to being smart about sharing resumes internally, if you do have an applicant tracking system, that would be our recommendation is to just share profiles within that. You can limit permissions within an ATS so that they can only see so much of the candidate profile and you can hide some of that, again, sensitive information that could be included in an application. If you're not using an ATS and using that traditional folder filing, making sure again that those folders are locked down. A really big key with locking down folders within Google Drive, for example, is within the folder, the folder could be locked down. But then sometimes documents like PDFs may not be restricted as well. If you're unsure on how to restrict folders or documents within a folder, be sure to reach out to IT and they will be able to help you for sure. When it comes to not only sharing resumes but sharing calendar availability with candidates, again, if you're not doing this through your ATS, be sure that you're not sharing a full calendar access to applicants when you are sharing, trying to schedule an interview with a hiring manager for example. The best practice here would be to manually email a candidate what that hiring manager's availability options are and then scheduling it through corresponding with that applicant rather than giving that applicant a hiring manager's full calendar access, which could include private meetings within the company where they could gain access to information that they don't need to have. The final recommendation we have for the power of attraction is having role questionnaires. This goes both ways when it comes to the interviewer or recruiter and that hiring manager. 
During these role questionnaires, if there is a new requisition that needs to be made, you really want to cover what needs to be asked versus not. Again, for both ways. It's helpful for HR to ensure that the recruiters are looking for the correct qualifications or experience within a candidate, but also that the hiring manager, again, a trust but verify checkpoint to ensure they're not asking for sensitive information that's unnecessary to the application process. Anh, do you have anything to add to this slide?

Anh Pham: No, I think you covered pretty much everything.

Abbey Szentes: Awesome. So we'll move on to our second superpower here today, which is telepathy. So telepathy, when it comes to that knowledge exchange during the onboarding process when you've hired a new employee. So we're really talking about training and awareness when it comes to cybersecurity. Our first recommendation is to have those expectations set clearly during orientation and onboarding. Now these expectations goes back to that collaboration between IT and HR. IT, or your cybersecurity expert, should really be the ones developing what those expectations are, ensuring that the process is written out correctly. And then HR is the messenger in this sense, ensuring that it is delivered in a clear manner and that it is being able to be referenced later if there is an incident that arises, that new employee can then go back to their orientation deck and say, "Oh hey, this is who I need to contact," for example. Best practice would be incorporating these expectations either before they start, during that first day, or within a week of onboarding just to ensure again that expectation is clear and upfront in the beginning. And it's really important that within those expectations, a security contact is identified for the organization. For us, that is Anh, so it's great to be able to point to one particular individual. Or if there's a separate, you're at a larger company, a separate email address that people can reach out to if their laptop were to be stolen or hacked into. When it comes to the awareness training, I'm going to touch on this a little bit and then hand it over to Anh to explain what we do here at Trava. But when it comes to an awareness training, there's a couple of options that you have here. So I've seen it where companies have created their own cybersecurity awareness training with their resources internally and their experts internally and record it and present it out. 
Or you can look into purchasing a commercial provider for those cybersecurity awareness trainings. And I've even also seen it if you have a learning management system or LMS, sometimes they have free options that are included in your subscription that you can use as a part of that cybersecurity awareness training. But Anh, would you mind talking a little bit about what we do here at Trava?

Anh Pham: Sure. So yes, at Trava we do perform regular security awareness training and also we do very regular efficient simulation exercises. We're lucky enough to be able to get a commercial tool to facilitate both of these trainings. Our security awareness training is really meant to address the different well-known and common cybersecurity threats, but we also look at emerging cybersecurity threats that our employee and organization faces every day. And then with all of that, we then use our system simulation to put that in practice. So giving our employee a chance to see, for example, of what phishing emails look like and how to accurately spot them. It's important to note that these kinds of training need to be done regularly. So the cadence is really up to the organization on where you are in terms of your maturity level and how you can afford this. But at Trava, we do both of these monthly and we also have an onboarding security awareness training that looks to address all of these common cybersecurity threat at the higher level so that we can get our new employees get started quickly and as securely as possible.

Abbey Szentes: Absolutely. Thank you. Moving on to our force fields superpower. So we're talking specifically about system access and location. First, it's who's having access. I mentioned it earlier but really wanted to highlight it as its own superpower, but making sure that HR is helping to define which roles need access to what systems and at what point during their employment does that access need to be granted. And the collaboration with IT here is that they're the ones executing when and who that access is given. When it comes to remote versus office settings, again, it's setting expectations and then communicating those through policies, which we'll actually dive into a little later in the presentation. But again, that's a collaboration between IT and HR that Anh will speak about later. And then finally, when it comes to that access, making sure that it's being reviewed on whatever cadence is going to work for your company. Here at Trava, we do this on a quarterly basis where IT will send HR a list to audit to ensure the accuracy of who has what access and to really just, again, another trust but verify checkpoint for the two departments to ensure that we've covered all of our bases. Anything else to add here, Anh?

Anh Pham: No, nothing new to add, but I think it is very important to really reemphasize that access review needs to be done as a collaborative effort between both HR and IT. And this is because HR system should be considered a source of truth for all access and identity requests and then IT, as Abby said, is the executor of dual access grant in no revocation. So whatever HR say, goes.

Abbey Szentes: As per usual, right?

Anh Pham: Indeed.

Abbey Szentes: Awesome. Moving around on to our Captain America's Shield when it comes to data protection. So we're going to talk more about employee files and how to store those. So when we talk about employee files, we want to be really specific with what kind of data and documents that we're going to be filing in those employee files. So in this instance referring to any employment documentation. So when it comes to the background check, an offer letter, their I-9 form or any other employment documentation throughout their entire lifecycle at your company. Those are the types of documents we're referring to, because when you really think about it, HR is handling a lot of different data classes when it comes to the documents that we're handling. Everything from those employment documents I was just mentioning to payroll data, employee PHI, job descriptions and so forth. So we want to ensure that these are all being properly stored in appropriate places with appropriate securities around them. So where files are being kept, again, if there's not a formal human resource information system that is implemented at your company, then using Google folders is typically the route that I've seen a lot of companies go down. Or if you're a Microsoft company, using the OneDrive. Again, the restriction of the folders and where those folders are stored is really going to be important. You want to ensure you're not sharing, you're not uploading documentation into your company's shared folder, for example, your shared drive on Google Drive, or a shared folder that was previously shared with someone and you think that's locked down, you really want to keep them as separate as possible. And if you are that smaller company in that scenario and you begin to mature, you really want to start looking into other solutions outside of that traditional filing of within folders on your laptop to maybe potentially looking into a human resource information system or HRIS. 
The HRIS, the benefits with that are really that it's locked down. The administrators are all HR, the employees only have an employee profile within that in that they can't access other profiles from that standpoint. So again, it really mitigates the risk of confidential information being shared. When you're at home, and obviously, Anh and I are working from home today, but we do have a hybrid option, but if you are at home and you want to print a sensitive document, there's a lot of things that go into securing that physical piece of paper as well. So we recommend you don't print, but if there is an absolute necessity for you to print something with sensitive information, we really want to ensure that that document is then physically stored in a secure location. So whether that be a cabinet with a lock and key, whether it's once you're done with it, done with its use, making sure that it's being shredded in the appropriate manner as well is going to be key to ensure, again, no bad actor comes into your house or wherever you're living and takes some information just off the top of your desk because you haven't properly stored it. And then another thing with files on your laptop, you really want to ensure that you're auditing those files and ensuring that nothing that is no longer relevant is still on your hard drive, your Google Drive, making sure that's happening on some sort of cadence. Best practice would be quarterly to ensure that that data is not being stored for no reason, and again, it mitigates that risk of a bad actor coming in and taking that data. Anything else to add here, Anh?

Anh Pham: Yeah, I guess I'd like to also touch on some of the things that IT security can help with securing these kind of data classes as well. So as IT security and also as a close partner with HR, here is a few examples of where you can come in and help securing these data. So one of the first ones is, you can also set up monitoring and alerting for when permissions are changed to these lockdown location, the storage files. And these alerts should go to both HR and IT security when it happens. Additionally, there are commercial data classification tools out there that you can implement, and what this tool does is they go through and scan of your file locations and then identify anything that store sensitive data and from there you can tell whether you have filed the content sensitive data that being stored outside of approved locations. And then lastly, if you can afford it, there are also DOP solution that you can put in to make sure that these kinds of files are further protected from loss, from potential loss.

Abbey Szentes: Awesome. And I will actually, we'll keep it with on Anh to talk about the dark magic of passwords.

Anh Pham: Sure. So almost everything we use today require password, right? If we are lucky, we might only need to work with one or two system and thus only need to remember one or two password, but that that's usually not the case for any of us. On an average, most employee will probably need to access between 10 to 15 different system to perform their work. So they have 10 to 15 separate passwords to remember. Me personally, I know that I access on an average of 30 to 40 different system and then personally I probably have about 120 different credential outside of work. So I'm probably one of the extreme cases, but you get the point. So because of their store, securing password is very important. And then to secure password, you should definitely take a look at a password manager. It is a very basic control but it's also very important and in most organization actually overlook them or don't implement them properly. So what is the password manager? As its name suggests, it really is a software that provide a capability for employees to store password securely. However, today password manager also allow employees to store many other secrets too. They include confidential note, payment card numbers, encryption keys, and anything else that you don't want to disclose to and approve, or not the right parties. And then on top of that, these password manager also have capability to facilitate secure collaboration and sharing of these secrets. So you can share them to internal employee or external partners if you need to. Also, I want to touch briefly on the importance of SSO. So having access to 10 different system and having 10 different password to secure, having a password manager will alleviate a lot of the risk, but SSO sort of take that protection even further and sort of reduce all of those passwords you want. So now you only have to remember one, you only have to put one password into your password manager. 
So there's less exposure to risk, there's less exposure to loss and then you can protect those a lot more closely. And then MFA, this should no longer be a new topic at this point, but it is so, so important. MFA is probably the most effective defense against password based attacks and a stolen credential. And with the rate of cyber crime targeting employee and credential continuing to rise, having MFA is an absolute must in every organization. And you don't have to spend a lot of money to get MFA. Whatever identity system that you use right now for your organization MFA is probably an option that can be enabled. So if it's not enabled right now, definitely reach out to your IT just to be in contact and just ask them, "Hey, can we get this turned on?"

Abbey Szentes: And I would just emphasize that as an HR professional, those bad actors can go on LinkedIn and they know that HR professionals have that confident and sensitive information. So having that multifactor authentication is really vital to help prevent anything from happening. Or if someone were to impersonate you or so forth. HR individuals really are targeted because of the access they do have. And now on to the cosmic awareness of policies, I will hand it back over to Anh to cover that.

Anh Pham: Sure. So as the person that responsible for Trava's cybersecurity program, I have started many different policies. But for the purpose of this webinar, I want to specifically highlight these. And then even though policy are usually created by the IT or security team, the process is actually very collaborative between security and other business functions. And even in this case for these policy, HR play a very important role in the creation of them. So an acceptable use policy really aimed to establish a set of rules and guidelines for the appropriate usage of company resources such as a system network technology. It set expectation and boundaries for employees and also for service provider, if you have them. A remote working policy is so important now in this new age of teleworking, mostly someone you know is probably working in a hybrid setting or completely remote setting. So this policy provide clarity to both employees and employers on how remote work should be approached and managed. If your organization allowed the use of the personal devices, then a BYOD policy becomes vital. This policy govern the use of personal devices such as smartphone, tablet, laptops, anything else in that spectrum, for work purposes. It really outlines the rights and responsibility for both employee and employers when it comes to using personal devices for work. Finally, a code of conduct policy. Set the expected standard of conduct for all employees within an organization. So it aims to promote ethical behaviors, integrity, professionalism, and ultimately try to foster a more positive work environment. And as I have mentioned previously, even though my name is stamped on this policy as owners, there's actually a very closely collaborative process that go into creation of these. And if you have to create this policy, make sure you reach out to your HR personnel and get input from them.

Abbey Szentes: So our seventh superpower for today is invisibility, which we're going to talk more about confidentiality and privacy in that hybrid environment. So I know a lot of companies are starting to ask their employees to come back to work in some capacity back in the office, whether it be a couple of days a week or some individuals going back full-time at the office. There are a couple of best practices we want to remind you all of that will help with that confidentiality and privacy while you're working at an office or in a co-space too, co-office space or even a coffee shop. So our first one is to have that privacy, to have a privacy screen protector. Really what this helps to alleviate is any what if scenarios. So if you're looking at payroll or a confidential employee matter and you have someone, you're in an open office space and someone's next to you, having a privacy screen protector alleviates the oh, what if they can see my screen? Or what if they can pretend like they're taking a photo or selfie and zoom in. There's a lot of, not to be a pessimist about it, but to be realistic that there are bad actors out there, especially when it comes to, again, targeting specific individuals within a company. Another best practice is to lock your laptop when you're walking away. It's kind of a no-brainer when you're at a coffee shop. You obviously just don't want it to be stolen, but sometimes when we are back in the office space we think, oh yeah, I can leave it up. They're my coworkers. They're not going to see anything, especially if the third bullet point happens, which I'll get to you in a moment. But just locking it when you're away again just alleviates the what ifs. What if you were working on something, again, that was sensitive and you don't want your coworkers to see or it's not appropriate for some of your coworkers to see? Locking that laptop mitigates that risk of that happening. And then badge surfing. 
We really want to prevent any type of badge surfing and by that we mean if you have to use your badge to scan into your building to unlock the door and walk in, you want to ensure that no one walks in behind you without scanning their badge as well. There's actually a story that I know of a consultant who had a reluctant CIO having them come in to do some cybersecurity best practices for them and the CIO was very abrasive and said, "We're never going to be able, no one can get into our network. There's no way possible." Well the consultant, through badge surfing, was able to get into company property, went to the IT, pretended to be an employee of the company, said they spilled coffee on their laptop and the IT individual didn't check or ask for a company badge and the consultant was able to not only get into the building but get a company laptop, all because no one asked him for a badge that he didn't have. So definitely want to make sure that you're being very cognizant of individuals doing that, even if you know them too because it could also be for other reasons as if there were to be a fire or a fire drill and they want to check everyone in the building. Companies can do that through the badge scanning too. So it serves a plethora of reasons. The final bullet point I'll touch on before handing it over to Anh is talking about confidential conversations, ensuring that those are in soundproof rooms. Again, a lot of coworking spaces or even coffee shops, they may have some doors that you can go into or rooms that you can go into with doors. But making sure that you're in a space that no one can hear you again just alleviates the what if scenarios that could come up. Anh, over to you.

Anh Pham: Yeah, sorry, I was on mute. I also want to sort of highlight something about the no badge surfing. It doesn't just apply to non-employees, just apply to employee if they forgot their badge, right? I'm sure you've been in those situations where you go to work, you forgot, you bring your badge but somebody else forgot and they ask you to just swipe them in. So that's obviously being nice or we're sort of tempted to do that for them. But as a security best practice, you probably shouldn't do that. Ask them to contact your IT security function, your front desk, to get themselves a temporary badge and really swipe themselves in. So it's important to know that it's not only just applied to non-employees. And then into encryptions. This is probably one of the most effective way that IT security can apply, can most effectively control that IT security can deploy to protect confidentiality and privacy of data. So we know that most of us probably have laptop for work and laptops and mobile devices are portable. So if they're portable they can be carried around. They get carried around, there's a possibility for them to be lost, be stolen. So encryption really protect the data residing on those devices by making sure that unless the right person is logging in, all the data is jumbled up and nobody can view them. And then taking it a step further, we also use removable storage devices, so USB devices. Similar to what Abbey has already said earlier about printing out sensitive file, these devices can also store sensitive data. So as IT security, make sure you put in control to protect the devices. If you can, make sure these are also encrypted as well.

Abbey Szentes: Great. So off to our final superpower of the day, we're going to talk about heat vision and cutting off individuals properly through offboarding. So the first recommendation is having the access be disabled at the right time. Another huge collaboration between IT and human resources, especially when it comes to ensuring that everyone's on the same page. You don't ever want a moment to happen where you're having a hard conversation and the individual no longer has access to their Zoom account and they're just gone. So we want to ensure that IT and HR are very in sync as to what is happening and when it is all happening. I'll hand it over to Anh to talk a little more about those sub-bullets.

Anh Pham: Yeah, definitely. So SSO comeback here. So not only does SSO help with onboarding and simplify onboarding, employee only have to remember one password not to log into 10 or 15 different system. SSO also provide value when it come to offboarding. So instead of having to go into 10 or 15 separate system and disable access, it's prone to error, it's prone to, you may just forgot this one system after 15. SSO sort of provide value in the offboarding process by allowing you to disable and access one and then have that termination applied to all subsequent system that integrated. So as IT security, my recommendation is turn on SSO, get as many things integrated into your identity system with SSO as possible. If you're an HR person, reach out to your IT security person and ask them about turning on SSO. Something else to consider is active session. So for most software, the way they work is you log in, you obtain an active session, and then there's a lifetime to that active session. So even if you change your password, that session is going to be stay there, it's going to stay there, but you still have access to all the data, all the resources as if you still log in. So where they come into play as offboarding, after you have terminated and disabled an account, that doesn't necessarily mean that those active sessions are effectively terminated. So as IT security, we need to take that into consideration when we desire our offboarding process. So when we go to a turnoff system, we need to make sure, does that mean that the session also get terminated or do we need to take additional steps to make sure that those sessions are terminated? Similarly, if you're an HR employee working with IT security to come up with these offboarding processes, make sure you bring this up and make sure this process is being done properly.

Abbey Szentes: And then for our final recommendation, for our final superpower, we're going to talk about implementing a documented process for offboarding. This really just helps ensure that all the bases are covered. So the first, if it's applicable, having an exit interview with the individual who is leaving the company just to confirm some personal information if you were ever need it for future reference. So their personal email address, their phone number, if you were ever need to get in contact with them later. And then also an overview of a last day document to hand the employee while they're exiting the company is really important just to give them a clear picture on how they can access their information in the systems after they've left the company. A lot of this comes up when it comes to handling W-2s if they've changed jobs within the year so that they can access the appropriate information they need for their tax documents. And then finally, implementing the straightforward process for returning company equipment or assets is a huge thing that I love to push and ensure that is a part of my offboarding process. So one thing I really recommend is to have an account with a shipping company, whether that be UPS, USPS, or FedEx. This then allows you to create a tracking or a shipping label for the exiting employee to use to return their company information and not only gives them a streamlined process, but also gives you the tracking number of those assets that they're returning to the company, so that if you see that tracking number hasn't been initiated or it says it's still just been dropped off, you can then follow up with the information that you got from the exit interview of their phone number, for example, to ensure that they have indeed shipped the assets in a timely manner. Anything else to add, Anh, before we move on to Q&A?

Anh Pham: No, I don't think so. I'll say if you're going to register for an account with a shipping company, register for all three instead of just one. You never know where the closest store is going to be and you don't want to give the sort of the ex-employee any more reason to delay returning equipment.

Abbey Szentes: Absolutely. Great call out there. All right, Jira, I think we're good to move on to our Q&A session if you have anything for us.

Speaker 3: Yeah, fantastic. So we have a few questions here and please feel free to add any more as we go through these. So first question is, do you guys have any specific ATS that you would recommend?

Abbey Szentes: So I think it depends from company to company, depending on how big it is. Here at Trava we do use Greenhouse and they have a lot of security documents that Anh was able to review. So we did really appreciate having that availability and having those resources on hand. But I think it would really depend on how many requisitions you're having in a year, how many individuals are going to be using the platform or the system. So I would recommend definitely Greenhouse because that's what we use here, but outside of that, happy to have and collaborate more with the individual who asked the question to further identify what their needs may be.

Speaker 3: Awesome. So when it comes to-

Anh Pham: Hold on.

Speaker 3: Go ahead.

Anh Pham: I also want to add to that too, is when it comes to sourcing software, usually you have three different options. You can go with the well-known, very established one, probably costs a lot more money. You can go with some new players, a little less mature, a little more affordable, and you can go with the open source option and that's absolutely for you and you have no idea how it works, but it works. And then when it comes to ATS and RIS system, this sort of system, I always recommend the first option. They may be a little more expensive, but you know that they're more established. The system is going to be working with very, very confidential data classes. These are the things that you want to make sure you absolutely secure and don't ever get stolen or you're going to suffer consequences. And then I don't have a specific recommendation for a system. Greenhouse is what we use, it's great. I work with it as part of my collaboration and partnership with HR and I think it's awesome. But if that's not on your list of options here, the thing you should consider when you source your software is look at their security posture, look at their security program, look at their security documentation. Are they being transparent about how they're securing data, how they're protecting the data that you handed to them? And that's probably one of the most important things to consider when you're looking for these software.

Speaker 3: Well, so when it comes to vetting these other systems, how long does that process typically take? Or does it depend?

Anh Pham: It probably depends on the person doing the vetting and how busy that person is. I think a one or two weeks turnaround time is reasonable, probably applicable to a lot of companies. You obviously have a lot of documentation to read through. You probably have a process to go into granting approval and assessing risk and making sure controls are put in place to mitigate risks that arise, a part of putting in those software. So to give an exact timeline is a little harder to do, but I would say aim for a one to two week turnaround.

Abbey Szentes: I will add that it's really helpful if you have a criteria prior to looking at different systems just to make sure you really are aligning what your company's values are, your values, what you're looking for and the systems' values and what their features are as well.

Speaker 3: All right, super helpful. So for remote employees, what are the recommendations on policy surrounding public wifi usage?

Anh Pham: Yep, I can take that. So obviously in this age of teleworking, public wifi usage is probably unavoidable. You can tell your employees to never do it, but at some point they probably have to do it to handle something. So with that mindset in place, then you need to start shifting to thinking about how do we ensure that the users of these wifi networks are secure? So one of the first things you can do is deploy a VPN software to all of your portable endpoints, all of your employee laptops. And not only do you need to deploy it, you need to make sure that it's configured in an always on setting. So to a lot of non-technical people, that probably doesn't make sense, but you talk to your IT personnel, they will know what you're talking about. Always on setting basically means that any time there's a list of approved wifi networks and if you are on the wifi network, the VPN software is going to turn itself off. But any time your laptop connects to anything else, that VPN software is going to automatically be enabled. So the employees don't have to worry about it, they get secure automatically as soon as they connect to the wifi network. And then outside of that, there's also this other new technology called Web Proxy. And what it does is, it's a software that you can also deploy on the employee laptop and then it sits there and it intercepts all the web traffic that, all the things that your employees do in browsing the web, accessing files, downloading files, and then it looks for security threats and malicious things and automatically blocks them. So those are the two recommendations that I have if you're going to allow the users to use public wifi. If you want to take it even further, if you have a lot of employees who sort of travel a lot for work, probably have to get connected a lot, then I would say look at getting them a hotspot or a public hotspot that's secure and not, well, a public hotspot is only for them to use. And so don't rely on, ask them to not rely on just public wifi. Anytime they get connected, here's the hotspot to use.

Abbey Szentes: And from the HR perspective, it's communicating everything that Anh just said. You're probably not the only individual at your company, if you are working at a remote company, that has that question. So making sure that that internal communication when it comes to that collaboration between HR and IT is also being said out loud or posted on your company intranet or whatever the case may be.