Why HR Leaders Must Help Drive Cyber Security Agenda

Why HR Leaders Must Help Drive Cyber Security Agenda
Cyber Resilience

10 of 11

This insight is part 10 of 11 in this Collection.

Insights for HR

04 of 10

This insight is part 04 of 10 in this Collection.

Technology

10 of 12

This insight is part 10 of 12 in this Collection.

February 10, 2023 9 mins

Why HR Leaders Must Help Drive Cyber Security Agenda

Why HR Leaders Must Help Drive Cyber Security Agenda Hero Image

Recent events have helped unite security and technology professionals in the fight to thwart cyber criminals. Here's why HR leaders also play a major role.

Key Takeaways
  1. The increasing reliance on remote and hybrid work over the last few years has created numerous challenges for businesses and their employees, including a significantly heightened cyber security risk.
  2. Events of the last few years have clarified that at its core, cyber security is a people issue.
  3. HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization.

Since 2020, COVID-19 has helped unite security and technology professionals in the fight to thwart cyber criminals seeking quick gains from a global crisis. However, human resources leaders can also help turn the tide on the digital battlefield.

While firewalls, data encryption, and other security controls are compulsory, a robust IT infrastructure may not be enough to protect an organization against one of its most critical vulnerabilities: its people.

It is estimated in 2021, 82 percent of all breaches resulted from human error.1 80 percent of cyber security teams believe that hybrid or remote working has increased their organizations’ vulnerability to cyber attacks.2

The increasing reliance on remote and hybrid work over the last few years has created numerous challenges for businesses and their employees, including a significantly heightened cyber security risk. A Chief Human Resources Officer (CHRO) plays a critical cyber security role by keeping remote or hybrid employees engaged with work and colleagues and attentive to security concerns. Further, the CHRO works with internal teams to develop relevant security training and appropriate onboarding and offboarding processes.

Cyber Security is a People Issue

While the oft-prevailing assumption is that cyber security is an information technology (IT) and a risk management issue, the events of the last few years have clarified that at its core, cyber security is a people issue.3 The need for a coordinated team effort is more critical than ever, as the risk of cyber attacks are at an all-time high. One study has reported that there was a 70 percent increase in breached accounts as compared to Q3 2021.4 Not only are cyber criminals more active, but the changes in the workplace make businesses and people more vulnerable. HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization. What follows is a guide for human resources leaders across three emerging cyber threat vectors:

1. Remote Work: Employee Training and Accountability

The number of Americans primarily working from home tripled between 2019 and 2021, from approximately 5.7 percent to 17.9 percent.5 A hybrid work environment intensifies the risk of a cyber attack driven by remote connectivity. Organizations must narrow their cyber risk exposure without restricting their operational flexibility and productivity. While this might seem like just an issue for the IT team, it is also very much an issue for the HR team. As HR leaders navigate a new working environment, you can:

  • Collaborate with IT on funding and implementing robust education programs on relevant cyber security risks and how employees can safeguard themselves based on their remote or hybrid work environments. Consider quarterly training modules with real-time threat intelligence updates, incorporate descriptions of actual attacks, and bring in outside experts as speakers. Be creative, perhaps developing an office ambassador program to deliver trainings. Shift from simply delivering off-the-shelf training prepared by IT or a third-party vendor, to strategically contributing to the training strategy, curriculum and delivery, and increasing employee knowledge and sophistication regarding cyber risks each year.
  • To protect buyers from unanticipated pre-closing tax liabilities on positions inherited from sellers in an M&A transaction. It has also been popular among renewable energy investments involving tax credits to protect anticipated tax benefits.
  • Ensure people are aware of the BYOD (bring your own device) policies associated with using personal devices – especially mobile devices, where there has been a 50 percent increase in attacks in 2022.6 Employees who fully understand relevant organizational security controls are more likely to be active participants in these critical practices.
  • Educate people on responsibilities and expectations relative to handling confidential data, customer information and any other information that could compromise the organization or adversely impact customers or shareholder value. Create and enforce disciplinary consequences for non-compliance to standards.
2. A Hybrid Workplace: Retraining and Crisis Preparation

Some portion of the workforce will likely remain virtual or in a hybrid schedule for the foreseeable future. Hybrid employees bring with them hardware and devices used at home including laptops, mobile devices, USB drives and other miscellaneous equipment. Recent hires may need to be re-onboarded with proper training, and all people will need to be familiarized with security best practices for both working in the office and remotely. As HR leaders face an increasing reliance on a hybrid work environment you can:

  • Work with security teams to protect the physical and digital security of the organization ensuring that security evolves equally alongside other business changes, as well as with future growth or contraction. For example, ensure that employees are aware and prepared to have devices scanned and tested before being directly reconnected to company systems and networks.
  • Execute cyber security awareness training with all recent hires as part of an additional onboarding process. Learn about the varied remote work environments and help new and current employees navigate hybrid work policies, procedures and expectations.
  • Ensure that internal teams prepare for a potential adverse event. Implement incident response (IR) readiness planning for a cyber attack, as well as readiness planning for any future disruptions that may necessitate a rapid return to total remote working. Building this culture of cyber readiness is no different than running fire drills and disaster recovery training.
3. Employee Separation and Compensation Changes: Insider Risk is Paramount

In the fight to remain economically viable, many firms have been forced to downsize their workforces, reduce compensation, and limit other employee benefits.

Insider-related incidents, both inadvertent and malicious, have risen more than 44 percent over two years, and cost companies up to $15.45 million a year in 2021, with an average of 85 days to containment.7

In the current climate of layoffs, reduced compensation and benefits, and widespread economic uncertainty, otherwise well-meaning employees may be more likely to act maliciously in response to their new working arrangements. Current circumstances may lead to disgruntled or resentful workers who may find their current precarious situation a rationalization for activities such as theft of intellectual property or other fraudulent acts.

As HR leaders facing this wave of employee separation, compensation, and benefit changes you can:

  • Actively work to identify insider threats that represent a significant portion of data breaches, IP losses and cyber attacks. For instance, 56 percent of insider incidents are caused by negligence,8 reinforcing the importance of periodic training. In addition, to help counter the fears and frustrations of employees, frequent, clear communication can be an effective way to help reassure employees, reducing the risk of mistakes or rash actions. For malicious insiders, HR leaders can educate managers to spot warning signs, employ behavioral and communications technologies, and engage firms to deploy talent assessment tools that can identify at-risk populations. Also consider the creation of an independent and autonomous whistleblower hotline to improve the detection of internal fraud.
  • Mitigate the impact of potential “bad leavers” whose goal is to compromise the data and security of an organization upon exit. Increase visibility and logging on devices, accounts and the corporate network as a means to block or minimize attempts to steal intellectual property, go-to-market plans or client lists, as well as thwart attempts to plant viruses or take the organizations’ network hostage. Review current off-boarding procedures to ensure employee access to all systems are completely deactivated.
  • Create a top-down culture of compliance throughout the organization, inclusive of cyber security, working across all human resources specialties including onboarding, learning and development, and change management. Make sure it is known that the organization takes security seriously and has a zero-tolerance policy on breaches of compliance and security protocols.

Human resources leaders are called upon to think more broadly and become confident in the vital role they can play in combating cyber risk.

Helping to build cross functional senior leadership teams that balance technical cyber security, financial risk, risk management, legal, and internal communications is essential.

The cyber-savvy CHRO is thus tasked with creating a culture where compliance to and understanding of privacy, information security and regulatory responsibility thrive. While the Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) are, and will always be, central players in identifying and mitigating cyber risk, HR leaders need to enlist as well. When the entire organization prioritizes and coordinates an approach to reduce cyber risk, it creates a level of “collaborative resilience” more powerful than single, stand-alone solutions. The CHRO is needed to move beyond the tactical to the strategic, prescribing and implementing cyber security regimens to meet 21st-century demands.

Why HR Leaders Must Help Drive Cyber Security Agenda Image Divider

56%

Of insider threats are caused by negligence.

Source: 2022 Cost of Insider Threats Global Report, Ponemon Institute

Cyber Solutions Contacts
  • Christian Hoffman
    Global Cyber Leader
  • Katharine Hall
    Canada Cyber Leader, Aon
  • Richard Hanlon
    U.K. Cyber Leader, Aon
  • David Molony
    Head of Cyber Solutions, EMEA
  • Adam Peckman
    Head of Cyber Solutions, Asia-Pacific
  • Sergio Torres
    Specialty Leader, Financial & Professional Services & Cyber, Latin America

Cyber Disclaimer

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.