One of the weightiest responsibilities for any HR department is the protection of employees’ personal data. Consider the amount of sensitive employee information companies possess: tax documents, Social Security numbers, insurance information, bank account numbers, and candidate data. The major breaches we see in the headlines are typically focused on the theft of customer data, but companies have to take the integrity of employees’ information just as seriously.
An effective cybersecurity program has many elements: it should earn buy-in at every level of the company, maintain full compliance with all relevant laws and regulations, ensure the security of third-party partners, deploy the latest digital security tools (while preventing the use of unsanctioned devices and software), and provide engaging security training for all employees. HR and security teams ultimately need to build a company culture in which cybersecurity is fully integrated into their operations and second nature for employees.
As cyberattacks become increasingly frequent, costly, and disruptive, robust cybersecurity is a necessity. Cyberattacks don’t just have the potential to be financially crippling in the short term – they can also have severe long-term reputational consequences. When sensitive employee data is exposed in a breach, it can end up for sale on the dark web and pose a threat for years to come. These alarming outcomes should galvanize HR teams around the protection of employee data across the entire organization.
Build Your Cybersecurity Strategy Around People
The vast majority of successful cyberattacks target employees. According to Verizon’s 2022 Data Breach Investigations Report, 82 percent of breaches over the preceding year involved a human element. One of the most common mistakes companies make in the development of their cybersecurity strategies is overlooking this element and failing to prioritize employee education. HR teams have an integral role to play in changing this status quo.
To generate stakeholder support for cybersecurity training, HR teams should always remember that hard data is compelling. According to the 2022 IBM Cost of a Data Breach Report, the average cost spiked from $3.86 million in 2020 to $4.35 million last year (2022) – a record high. The breaches that caused the most financial damage were the ones that targeted human beings directly with tactics like phishing, social engineering, and compromised business email. Employees need to be capable of identifying these attacks in progress, and cybersecurity training can show them which red flags to look for and how to respond when necessary. By focusing on training, HR teams will also help employees protect themselves when they’re at home or traveling for work.
At a time when three-quarters of workers say they’re ready to learn new skills and organizations cite learning opportunities as the top method for improving retention, cybersecurity education can even meet the demand for professional development and training. HR teams should keep all these considerations in mind as they develop a people-centric data security strategy.
Data Security Requires the Right Tools
There are many useful cybersecurity resources that can quickly and drastically reduce the risk of a cyberattack. Even a well-trained workforce needs access to these resources to keep company data secure – many cybersecurity tasks can be automated, and there’s no reason to rely on employee diligence and memory when it comes to managing these tasks.
Take credential security, for instance. IBM reports that it takes an average of 277 days to identify and contain a data breach, but this number surges to 327 days in the event of stolen or compromised credentials (more than any other attack vector). Similarly, Verizon reports that the use of stolen credentials is the top action variety in breaches. HR, partnering with IT teams, should ensure that all employees are using a password manager and multi-factor authentication – proven methods of significantly decreasing the likelihood of compromised credentials. It’s also important to make sure employees aren’t using unsanctioned devices for work, which may not have effective security protocols in place and could be operated on unsecured networks.
HR teams may want to consider the deployment of other tools as well, such as tools that encrypt internet traffic (which are especially valuable in an era of remote work, as many employees are using unsecured public WiFi in airport terminals, hotel lobbies, etc.). Cybersecurity is difficult enough as it is, and HR professionals should take all the digital help they can get.
Stakeholder Support Across the Board
Effective cybersecurity requires engagement and buy-in across the entire organization – as well as the broader ecosystem in which companies operate. HR leaders should work alongside the CTO, CISO, and IT/cybersecurity teams to instill healthy cybersecurity habits across departments and enshrine some of these practices into company policies and handbooks.
This means providing the right incentives to company leaders and employees alike. The former should understand how much damage cyberattacks can cause and potential liabilities under ever-stricter laws such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Employees should be rewarded for demonstrating cybersecurity awareness, whether they’re actively reporting cyber incidents or performing well on phishing tests and other assessments. HR professionals can cooperate with security teams to conduct regular audits that include evaluations of employee cybersecurity readiness.
Companies also must hold their third-party partners to high cybersecurity standards. When Uber was hacked in the fall of last year, the incident was traced to the breach of a contractor’s account credentials. This is a reminder that cybercriminals can use many entry points to infiltrate companies, which is why it’s critical to work with partners that take cybersecurity seriously. There are several ways companies can ensure third-party cybersecurity: work with ISO-certified companies, extend audits to their full network of partners, and establish consistent security policies and guidelines for the full partner ecosystem.
As companies develop their cybersecurity strategies, HR professionals have a vital role to play at every stage. HR teams are responsible for emphasizing the role of behavior in successful cyberattacks (and helping companies address this vulnerability); providing leaders, employees, and partners with cybersecurity resources; and bringing all stakeholders together around the importance of cybersecurity. A cybersecurity strategy simply won’t work if it isn’t people-focused, which gives HR teams a crucial responsibility to keep the company safe.
Chris Daden is CTO at Criteria.