Cyber security is a people issue
While the oft-prevailing assumption is that cyber security is an information technology (IT) and a risk management issue, the events of the last few years have clarified that at its core, cyber security is a people issue.[3] The need for a coordinated team effort is more critical than ever, as the risk of cyber attacks is at an all-time high. One study has reported a 70 percent increase in breached accounts as compared to Q3 2021.[4] Not only are cyber criminals more active, but the changes in the workplace make businesses and people more vulnerable. HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization. What follows is a guide for human resources leaders across three emerging cyber threat vectors:
1. Remote Work: Employee Training and Accountability
The number of Americans primarily working from home tripled between 2019 and 2021, from approximately 5.7 percent to 17.9 percent.[5] A hybrid work environment intensifies the risk of a cyber attack driven by remote connectivity. Organizations must narrow their cyber risk exposure without restricting their operational flexibility and productivity. While this might seem like just an issue for the IT team, it is also very much an issue for the HR team. As HR leaders navigate a new working environment, you can:
- Collaborate with IT on funding and implementing robust education programs on relevant cyber security risks and how employees can safeguard themselves based on their remote or hybrid work environments. Consider quarterly training modules with real-time threat intelligence updates, incorporate descriptions of actual attacks, and bring in outside experts as speakers. Be creative, perhaps developing an office ambassador program to deliver trainings. Shift from simply delivering off-the-shelf training prepared by IT or a third-party vendor, to strategically contributing to the training strategy, curriculum and delivery, and increasing employee knowledge and sophistication regarding cyber risks each year.
- Ensure people are aware of the BYOD (bring your own device) policies associated with using personal devices – especially mobile devices, where there has been a 50 percent increase in attacks in 2022.[6] Employees who fully understand relevant organizational security controls are more likely to be active participants in these critical practices.
- Educate people on responsibilities and expectations relative to handling confidential data, customer information and any other information that could compromise the organization or adversely impact customers or shareholder value. Create and enforce disciplinary consequences for non-compliance with standards.
2. A Hybrid Workplace: Retraining and Crisis Preparation
Some portion of the workforce will likely remain virtual or on a hybrid schedule for the foreseeable future. Hybrid employees bring with them hardware and devices used at home, including laptops, mobile devices, USB drives and other miscellaneous equipment. Recent hires may need to be re-onboarded with proper training, and all people will need to be familiarized with security best practices for working both in the office and remotely. As HR leaders face an increasing reliance on a hybrid work environment, you can:
- Work with security teams to protect the physical and digital security of the organization, ensuring that security evolves alongside other business changes, as well as with future growth or contraction. For example, ensure that employees are aware of, and prepared for, having devices scanned and tested before they are reconnected directly to company systems and networks.
- Execute cyber security awareness training with all recent hires as part of an additional onboarding process. Learn about the varied remote work environments and help new and current employees navigate hybrid work policies, procedures and expectations.
- Ensure that internal teams prepare for a potential adverse event. Implement incident response (IR) readiness planning for a cyber attack, as well as readiness planning for any future disruptions that may necessitate a rapid return to total remote working. Building this culture of cyber readiness is no different than running fire drills and disaster recovery training.
3. Employee Separation and Compensation Changes: Insider Risk is Paramount
In the fight to remain economically viable, many firms have been forced to downsize their workforces, reduce compensation, and limit other employee benefits.
Insider-related incidents, both inadvertent and malicious, have risen more than 44 percent over two years, and cost companies up to $15.45 million a year in 2021, with an average of 85 days to containment.[7]
In the current climate of layoffs, reduced compensation and benefits, and widespread economic uncertainty, otherwise well-meaning employees may be more likely to act maliciously in response to their new working arrangements. Current circumstances may lead to disgruntled or resentful workers who may find their current precarious situation a rationalization for activities such as theft of intellectual property or other fraudulent acts.
As HR leaders face this wave of employee separation, compensation, and benefit changes, you can:
- Actively work to identify insider threats, which represent a significant portion of data breaches, IP losses and cyber attacks. For instance, 56 percent of insider incidents are caused by negligence,[8] reinforcing the importance of periodic training. In addition, to help counter the fears and frustrations of employees, frequent, clear communication can be an effective way to reassure employees, reducing the risk of mistakes or rash actions. For malicious insiders, HR leaders can educate managers to spot warning signs, employ behavioral and communications technologies, and engage firms to deploy talent assessment tools that can identify at-risk populations. Also consider the creation of an independent and autonomous whistleblower hotline to improve the detection of internal fraud.
- Mitigate the impact of potential “bad leavers” whose goal is to compromise the data and security of an organization upon exit. Increase visibility and logging on devices, accounts and the corporate network as a means to block or minimize attempts to steal intellectual property, go-to-market plans or client lists, as well as to thwart attempts to plant malware or take the organization’s network hostage. Review current off-boarding procedures to ensure that employee access to all systems is completely deactivated.
- Create a top-down culture of compliance throughout the organization, inclusive of cyber security, working across all human resources specialties including onboarding, learning and development, and change management. Make sure it is known that the organization takes security seriously and has a zero-tolerance policy on breaches of compliance and security protocols.
Human resources leaders are called upon to think more broadly and become confident in the vital role they can play in combating cyber risk.
Helping to build cross-functional senior leadership teams that balance technical cyber security, financial risk, risk management, legal, and internal communications is essential.
The cyber-savvy CHRO is thus tasked with creating a culture where compliance with and understanding of privacy, information security and regulatory responsibility thrive. While the Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) are, and will always be, central players in identifying and mitigating cyber risk, HR leaders need to enlist as well. When the entire organization prioritizes and coordinates an approach to reduce cyber risk, it creates a level of “collaborative resilience” more powerful than single, stand-alone solutions. The CHRO is needed to move beyond the tactical to the strategic, prescribing and implementing cyber security regimens to meet 21st-century demands.