Many people assume HR professionals don’t need to worry about cyberattacks, data and identity theft, ransomware, or social engineering scams. However, because HR handles a great deal of private and business data, including employee files, social security numbers and payroll details, HR is seen as fair game by threat actors. Conversely, HR can also be proactive in lowering the likelihood of a successful cyber heist.
The current threat environment requires HR to play a significant role in securing the enterprise. Beyond prescreening job candidates via consensual background checks, HR needs to be more aware of, and more active in, promoting cyber hygiene and risk mitigation. For example, offboarding an employee requires the immediate removal of their access to enterprise systems, accounts, and devices, which necessitates close coordination between HR and IT.
Role-Based Access To Data
HR can take an active role in helping security teams inventory unsecured workstations and identify employees who may be using unauthorized devices (a.k.a. “shadow IT”) as part of the ubiquitous ‘bring your own device’ (BYOD) wave. A lack of corporate governance, combined with employee misjudgment, can swing the barn doors wide open to threat actors. Once inside the network, attackers can establish a long-term presence and move laterally, which usually entails a close study of corporate reporting structures, such as the direct links to Board members and the C-suite, enabling further infiltration and potential business email compromise (BEC) attacks.
HR can help protect sensitive or proprietary information by implementing a data management strategy that assigns employee access to company resources based on the employee’s job function. As part of the onboarding process, HR can work with management to define the data an employee needs in order to do their job. The goal is to limit exposure via role-based access controls and to avoid insider attacks by disgruntled or former employees.
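The following is an added illustration of the two ideas above (access derived from job function, and immediate revocation at offboarding), not code from the article or from KnowBe4. The role names, permission strings, employee names and the "entitlements actually present in a system" input are all constructed for this example. It models access as a function of an employee's current roles only, so a role change replaces rather than accumulates entitlements, offboarding removes everything at once, and a review function flags permissions a system still holds that no role justifies (the kind of leftover access a joint HR/IT review should catch).

```python
from dataclasses import dataclass, field

# Hypothetical role-to-permission map, constructed for this example.
# In practice this would be agreed between HR and IT per job function.
ROLE_PERMISSIONS = {
    "recruiter": {"candidates:read", "candidates:write"},
    "payroll": {"payroll:read", "payroll:write", "employees:read"},
    "engineer": {"repo:read", "repo:write"},
}


@dataclass
class Employee:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


def permissions_for(emp: Employee) -> set:
    """Effective permissions: the union of the employee's current roles.
    An inactive (offboarded) employee has no permissions at all."""
    if not emp.active:
        return set()
    perms = set()
    for role in emp.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_access(emp: Employee, permission: str) -> bool:
    """Role-based access check: allow only what the job function requires."""
    return permission in permissions_for(emp)


def change_role(emp: Employee, new_roles) -> None:
    """Job change: the new role set REPLACES the old one, so entitlements
    from a previous position do not silently accumulate."""
    emp.roles = set(new_roles)


def offboard(emp: Employee) -> None:
    """Offboarding: deactivate and strip every role in one step."""
    emp.active = False
    emp.roles.clear()


def find_entitlement_drift(employees, granted: dict) -> dict:
    """Compare what systems actually grant (name -> set of permissions,
    as exported from the systems) against what each employee's roles
    justify. Returns the excess per employee; an empty dict means no drift."""
    drift = {}
    for emp in employees:
        extra = granted.get(emp.name, set()) - permissions_for(emp)
        if extra:
            drift[emp.name] = extra
    return drift


if __name__ == "__main__":
    # Constructed sample data: two employees and a system's exported entitlements.
    alice = Employee("alice", {"recruiter"})
    bob = Employee("bob", {"payroll"})
    offboard(bob)
    exported = {"alice": {"candidates:read"}, "bob": {"payroll:read"}}
    print(find_entitlement_drift([alice, bob], exported))  # bob still holds payroll:read
```

The drift report is the piece to run on a schedule: an offboarded employee whose account still appears in a system export, or a transferred employee whose old permissions remain, shows up immediately as excess entitlement.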
Leadership is Culture by Example
Creating company culture is everyone’s responsibility, and the HR team has an especially important role when it comes to promoting a cybersecurity culture. Business guru John R. Childress said, “You get the culture you ignore.” HR can advocate for a security culture by making security awareness training mandatory, with the purpose of educating staff on the elusive phishing and social engineering tactics used by adversaries.
HR needs to inform employees why the organization’s cybersecurity policies are necessary to protect the company’s intellectual property, as well as employee privacy and identity. New hires should leave onboarding with the mindset that cyberattacks are very real and that their daily actions affect that risk.
To begin with, HR can conduct regular risk assessments to identify potential security threats, including risky employee behavior that can expose the organization to data breaches. This information can then inform the creation of customized employee training modules to address these threats effectively.
A continuous training process is vital for information security, and every organization needs to train employees on security best practices. This ensures that employees recognize that cybersecurity is central to the company’s success; that the cost of a breach or ransomware attack can lead to loss of business reputation and customers, government fines and penalties, disruption and even closure.
Learning security basics should be part of new-hire orientation, emphasizing the threats the organization may be subject to. Training should cover good security hygiene, such as using a password manager, activating multi-factor authentication, practicing safe browsing habits, and reporting phishing scams or other suspicious activity.
Collaboration with IT Teams
Despite being designed to prioritize human needs in an organization, HR often falls short in coordinating with their IT counterparts and technology systems. This lack of coordination creates security gaps, making the company vulnerable to cyber threats. To improve cybersecurity posture, it’s important to bridge the gap between HR and IT through better alignment and visibility.
HR professionals must be more aware of the impact their processes have on other parts of the organization, while IT must involve HR in access management and security protocols.
To achieve better alignment and visibility, three priorities need to be addressed. Firstly, HR professionals need to increase their data literacy to better understand the technology implications of their work. Secondly, HR should be fully integrated into the IT estate to ensure alignment of business processes and the application of HR-specific compliance frameworks to all cyber assets. Lastly, coordination with IT on employee access to systems, files, and data should be clear.
HR Can Pivot on Cybersecurity
The expanding threat surface caused by technologies such as generative AI, remote working, deepfake videos, text and voice phishing, the proliferation of IoT devices and more, has made cybersecurity defenses too critical to ignore.
HR professionals can contribute significantly to enhancing an organization’s cybersecurity posture by monitoring for risky behavior among employees, working with IT to implement data access controls, curbing free-wheeling shadow IT, and monitoring remote workers and systems that expose the organization to more vulnerabilities. Finally, HR can help promote a cybersecurity culture by educating employees on security awareness and documenting procedures for reporting and responding to threats like phishing.
About the Author
Ani Banerjee is Chief Human Resources Officer for KnowBe4. Banerjee oversees HR operations across 11 countries, and is responsible for developing new initiatives to enhance the company’s organizational culture, recruitment channels, and diversity, inclusion, and equity (DIE) strategies. He has 30 years’ experience in global HR leadership roles working for VMware, Dell, Yahoo, and AOL.