Cyberattacks have been a risk for businesses since the dawn of computer technology. As hackers have become more advanced, however, their ability to reach and potentially misuse employee data has created an unprecedented risk in today’s workplaces. As of Q2 2018, one report showed a 47% increase in cyberattack incidents over Q2 2017.
Historically, most businesses have combated this looming risk by engaging their IT departments to advise on software and employee procedures. This is an important step in creating a cybersecure workforce, but it leaves out one department that can be instrumental in communicating and executing this plan: human resources.
Despite its technical nature, cybersecurity is really a human issue at its core: It’s about creating trust with employees and investing in their ongoing education to establish best practices. And that’s where HR comes in. HR leaders understand that when any new policy is introduced to an organization, it’s the individual employees who must be energized and empowered to put it into place throughout the workday. No matter the level of technical sophistication in a given solution, without this crucial human element, an investment in defensive software and procedures may not make an impact.
The following approaches are the first line of defense for your human resources department to integrate cybersecurity into your company culture and make your workplace even safer.
1. Start a strategic conversation with IT.
In the cross-departmental conversation about fostering a cybersecure workforce, IT and HR are especially important players: IT has the technical expertise to protect employees, and HR has the engagement expertise to ensure that information is shared effectively. Setting up a series of quarterly checkpoints between the two departments can guide the creation of an emergency response plan should an attack occur. Both departments usually hold responsibility for crafting a message to employees in the case of a breach, and when they work together, the result helps give employees both the technical transparency and empathy they need to continue feeling safe at work.
Human resources is also the department to whom employees hand valuable personal data starting when they’re hired, from a home address to their social security number to their birthdate. This information is just what bad actors are seeking in order to break into bank accounts, web accounts and personal devices. As the department responsible for maintaining detailed employee databases, it’s important that HR communicates with IT about what employee data is being collected and how it is protected. IT may be able to offer HR-specific solutions that safeguard both employee data and the reputation of the company’s security. Failing to do so can have ramifications for years after any kind of employee data breach occurs.
2. Revisit your employee training and testing procedures.
It’s not a pleasant statistic, but the majority of over 1,000 senior executives asked in one survey said that employee negligence is one of their biggest security risks. With the average cost of recovering from a data breach reaching nearly $4 million in 2018, properly training employees about how to navigate technology securely just makes good business sense.
HR professionals are vital in ensuring that new employees understand an organization’s commitment to cybersecurity. Training can begin from day one on the job and by no means does it need to be a dry, dull program. Learning management systems (LMS) offer interactive, “gamified” software that allows employees to virtually experience exactly how a data breach might look and learn the techniques to avoid one.
Training shouldn’t stop after onboarding, either. Encourage your IT department to get creative to keep staff on their toes by sending out the occasional mock phishing email. Those who click any malicious links will be directed to a message about the importance of staying vigilant over email. This can be a lighthearted way of keeping employees aware and ensuring that their cybersecurity knowledge is up-to-date.
3. Reevaluate your HR technology and consider starting the RFP process.
Do you know the right questions to ask to evaluate whether your HR software is cybersecure? If not, you’re not alone. Understanding the rapidly changing world of tech security is hard enough for IT professionals, let alone for others who aren’t in the tech field.
However, even if an HR professional isn’t an expert at cybersecurity, that perspective can actually lead them to seek the right answers. Empower your HR team to ask questions, even ones they feel are too simplistic or not “technical” enough. If a vendor can’t answer non-expert questions with clear, compelling responses, that should be a red flag. After all, some of the world’s biggest companies, from Equifax to Yahoo, can be victims of data breaches, so your HR professionals shouldn’t assume that their systems are inherently safe. If you’re in a place to consider new HR software, it’s important to ask a potential provider to demonstrate how they would protect your data, rather than simply tell you. Above all, a strong request for proposal (RFP) can help HR professionals define the needs of their organization and find the solutions that meet those needs.
When advocating for cybersecurity at any organization, remember that it’s all about people: how well employees understand the systems they rely on to do their jobs and how empowered they feel to face potential threats. In other words, it’s about empathy. Addressing the pain points your employees face when it comes to navigating technology can turn them into partners in the pursuit of a secure workplace. And in a world where so many of us carry devices everywhere we go, effective cybersecurity training can keep your business safe even after your employees leave the office each day.