How HR Leaders Must Direct Cybersecurity Efforts

When it comes to data breaches and cybersecurity, one of the weakest fronts is the human element. More than 50 percent of cybersecurity incidents are caused by partners or internal employees, making this an important focus area for HR leaders.

The situation has been exacerbated by the growth in remote work, as the likelihood of human error due to low cyber awareness has risen sharply. HR professionals need to take note of more people working in the cloud: ransomware attacks in Singapore, for instance, cost an average of USD 832,423 per attack, and most of the misconfigurations leveraged by attackers came about through accidental exposure.

Is cybersecurity just an IT concern?

In the digital era, cybersecurity should be a top organizational concern. However, shortcomings in company policies persist, particularly in how they are implemented in small and medium enterprises (SMEs). Given that 53 percent of cyber incidents originated with employees, through either losing company devices or making administrative errors, companies need to step up their efforts. Clearly, IT by itself cannot protect the organization.

Why must HR be involved?

To build a culture of cybersecurity and minimize attendant risks, HR leaders need to be involved to take care of the weakest link. It is important to make cybersecurity the responsibility of every employee and ensure awareness of the consequence of not complying with company policies on the matter. In advanced markets, for instance, it is not uncommon for companies to dismiss employees on the grounds of poor cyber practices that could compromise the company systems.

What makes HR so important to cybersecurity?

What makes the role of HR even more important is that it maintains sensitive employee data, which is highly attractive to hackers. From hiring onward and throughout an employee's tenure, the HR department receives valuable personal information of many kinds, including dates of birth, full names with addresses, and social security numbers. It is important to ensure that HR technology incorporates adequate protection for this data and that such protection is part of the standard operating procedure for every HR professional. If just one person chooses to access such information over an unsecured public WiFi network, the consequences for the company could be severe.

HR must be consulted when it comes to building awareness about cybersecurity and securing a buy-in from all employees and executives on the importance of cybersecurity being a universal responsibility. HR is uniquely positioned to promote and humanize cybersecurity in an organization, suggesting how best to incorporate new technologies such that adoption and participation by the workforce are maximized. Leaving it to IT misses out on HR insights and skills to mitigate the risk.

How can HR and IT work together on cybersecurity?

Start with an initial meeting. IT teams could explain the current cybersecurity plans, with HR leaders sharing the employee perspectives on security pain points and how the plans could be modified accordingly. Regular meetings could cover the right training methods, emergency response plans with clearly delineated roles and responsibilities in the event of an incident or attack, and key learnings from relevant initiatives.

What particular measures should companies take?

A variety of actions are required, as detailed below:

• Clarify the responsibility for cybersecurity: It is neither feasible nor right to put it all on IT personnel, who are already tasked with other IT initiatives. Cybersecurity must be treated as a role in itself, and HR professionals must work with IT personnel to understand the skill requirements of that role.

• Fill the skill gap: As discussed above, HR must facilitate a strong security position for the organization by filling the talent gap in cybersecurity. The lack of cybersecurity awareness and the gap in skills is a massive concern for most organizations.

• Educate employees: This is one of the best ways to manage risk and mitigate cyber threats, complementing endpoint protection, firewalls, and the other IT and HR technologies that keep organizations safe. HR leaders must be involved to ensure the right culture of cybersecurity awareness, education, and training so that employees and systems keep pace with dynamic security threats. This includes basic cyber hygiene that every employee practices as a critical safeguard, down to something as seemingly simple as proper password management.

• Boost awareness: Stay aware of the latest developments in the cyber world to know how cybersecurity protocols must change and evolve so that the newest, most sophisticated threats can be mitigated.

• Improve training: HR professionals must use creative measures to make cybersecurity training and awareness more engaging, including learning management systems (LMS) and gamification, along with mock testing. For instance, a company may send a fake phishing link that encourages employees to click and share information; if they do, they are prompted to be more careful, since the next such message could be an actual phishing attempt.
