
February 2023 / 10 Min Read

Why HR Leaders Must Help Drive Cyber Security Agenda

 

Recent events have helped unite security and technology professionals in the fight to thwart cyber criminals. Read why HR leaders also play a major role.

 

Key Takeaways

  1. The increasing reliance on remote and hybrid work over the last few years has created numerous challenges for businesses and their employees, including a significantly heightened cyber security risk.
  2. Events of the last few years have clarified that at its core, cyber security is a people issue.
  3. HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization.

Since 2020, COVID-19 has helped unite security and technology professionals in the fight to thwart cyber criminals seeking quick gains from a global crisis. However, human resources leaders can also help turn the tide on the digital battlefield.

While firewalls, data encryption, and other security controls are compulsory, a robust IT infrastructure may not be enough to protect an organization against one of its most critical vulnerabilities: its people.

It is estimated that in 2021, 82 percent of all breaches resulted from human error.1 In addition, 80 percent of cyber security teams believe that hybrid or remote working has increased their organizations’ vulnerability to cyber attacks.2

 

The increasing reliance on remote and hybrid work over the last few years has created numerous challenges for businesses and their employees, including a significantly heightened cyber security risk. A Chief Human Resources Officer (CHRO) plays a critical cyber security role by keeping remote or hybrid employees engaged with work and colleagues and attentive to security concerns. Further, the CHRO works with internal teams to develop relevant security training and appropriate onboarding and offboarding processes.

Cyber security is a people issue

While the oft-prevailing assumption is that cyber security is an information technology (IT) and a risk management issue, the events of the last few years have clarified that at its core, cyber security is a people issue.3 The need for a coordinated team effort is more critical than ever, as the risk of cyber attacks is at an all-time high. One study has reported that there was a 70 percent increase in breached accounts as compared to Q3 2021.4 Not only are cyber criminals more active, but the changes in the workplace make businesses and people more vulnerable. HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization. What follows is a guide for human resources leaders across three emerging cyber threat vectors:

1. Remote Work: Employee Training and Accountability

The number of Americans primarily working from home tripled between 2019 and 2021, from approximately 5.7 percent to 17.9 percent.5 A hybrid work environment intensifies the risk of a cyber attack driven by remote connectivity. Organizations must narrow their cyber risk exposure without restricting their operational flexibility and productivity. While this might seem like just an issue for the IT team, it is also very much an issue for the HR team. As an HR leader navigating a new working environment, you can:

  • Collaborate with IT on funding and implementing robust education programs on relevant cyber security risks and how employees can safeguard themselves based on their remote or hybrid work environments. Consider quarterly training modules with real-time threat intelligence updates, incorporate descriptions of actual attacks, and bring in outside experts as speakers. Be creative, perhaps developing an office ambassador program to deliver trainings. Shift from simply delivering off-the-shelf training prepared by IT or a third-party vendor, to strategically contributing to the training strategy, curriculum and delivery, and increasing employee knowledge and sophistication regarding cyber risks each year.
  • Ensure people are aware of the BYOD (bring your own device) policies associated with using personal devices – especially mobile devices, where there has been a 50 percent increase in attacks in 2022.6 Employees who fully understand relevant organizational security controls are more likely to be active participants in these critical practices.
  • Educate people on responsibilities and expectations relative to handling confidential data, customer information and any other information that could compromise the organization or adversely impact customers or shareholder value. Create and enforce disciplinary consequences for non-compliance with standards.

2. A Hybrid Workplace: Retraining and Crisis Preparation

Some portion of the workforce will likely remain virtual or in a hybrid schedule for the foreseeable future. Hybrid employees bring with them hardware and devices used at home including laptops, mobile devices, USB drives and other miscellaneous equipment. Recent hires may need to be re-onboarded with proper training, and all people will need to be familiarized with security best practices for both working in the office and remotely. As an HR leader facing an increasing reliance on a hybrid work environment, you can:

  • Work with security teams to protect the physical and digital security of the organization, ensuring that security evolves equally alongside other business changes, as well as with future growth or contraction. For example, ensure that employees are aware of, and prepared for, having devices scanned and tested before being directly reconnected to company systems and networks.
  • Execute cyber security awareness training with all recent hires as part of an additional onboarding process. Learn about the varied remote work environments and help new and current employees navigate hybrid work policies, procedures and expectations.
  • Ensure that internal teams prepare for a potential adverse event. Implement incident response (IR) readiness planning for a cyber attack, as well as readiness planning for any future disruptions that may necessitate a rapid return to total remote working. Building this culture of cyber readiness is no different than running fire drills and disaster recovery training.

3. Employee Separation and Compensation Changes: Insider Risk is Paramount

In the fight to remain economically viable, many firms have been forced to downsize their workforces, reduce compensation, and limit other employee benefits.

Insider-related incidents, both inadvertent and malicious, have risen more than 44 percent over two years, and cost companies up to $15.45 million a year in 2021, with an average of 85 days to containment.7

In the current climate of layoffs, reduced compensation and benefits, and widespread economic uncertainty, otherwise well-meaning employees may be more likely to act maliciously in response to their new working arrangements. Current circumstances may lead to disgruntled or resentful workers who may find their current precarious situation a rationalization for activities such as theft of intellectual property or other fraudulent acts.

As an HR leader facing this wave of employee separation, compensation, and benefit changes, you can:

  • Actively work to identify insider threats that represent a significant portion of data breaches, IP losses and cyber attacks. For instance, 56 percent of insider incidents are caused by negligence,8 reinforcing the importance of periodic training. In addition, frequent, clear communication can be an effective way to counter the fears and frustrations of employees and reassure them, reducing the risk of mistakes or rash actions. For malicious insiders, HR leaders can educate managers to spot warning signs, employ behavioral and communications technologies, and engage firms to deploy talent assessment tools that can identify at-risk populations. Also consider the creation of an independent and autonomous whistleblower hotline to improve the detection of internal fraud.
  • Mitigate the impact of potential “bad leavers” whose goal is to compromise the data and security of an organization upon exit. Increase visibility and logging on devices, accounts and the corporate network as a means to block or minimize attempts to steal intellectual property, go-to-market plans or client lists, as well as thwart attempts to plant viruses or take the organization’s network hostage. Review current off-boarding procedures to ensure employee access to all systems is completely deactivated.
  • Create a top-down culture of compliance throughout the organization, inclusive of cyber security, working across all human resources specialties including onboarding, learning and development, and change management. Make sure it is known that the organization takes security seriously and has a zero-tolerance policy on breaches of compliance and security protocols.

Human resources leaders are called upon to think more broadly and become confident in the vital role they can play in combating cyber risk.

Helping to build cross-functional senior leadership teams that balance technical cyber security, financial risk, risk management, legal, and internal communications is essential.

The cyber-savvy CHRO is thus tasked with creating a culture where compliance with and understanding of privacy, information security and regulatory responsibility thrive. While the Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) are, and will always be, central players in identifying and mitigating cyber risk, HR leaders need to enlist as well. When the entire organization prioritizes and coordinates an approach to reduce cyber risk, it creates a level of “collaborative resilience” more powerful than single, stand-alone solutions. The CHRO is needed to move beyond the tactical to the strategic, prescribing and implementing cyber security regimens to meet 21st-century demands.

Cyber Solutions Contacts

Christian Hoffman
Global Cyber Leader
christian.hoffman@aon.com

Katharine Hall
Canada Cyber Leader
katharine.hall@aon.ca

Richard Hanlon
U.K. Cyber Leader
richard.hanlon@aon.ie

David Molony
EMEA Cyber Leader
david.molony@aon.com

Adam Peckman
APAC Cyber Leader
adam.peckman@aon.com

Sergio Torres
LATAM Specialty Leader Financial and Professional Services and Cyber
sergio.i.torres@aon.com

 

About Cyber Solutions
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets and recover from cyber incidents.

Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.

Stroz Friedberg, LLC, an Aon company, has provided the information contained in this paper in good faith and for general informational purposes only. The information provided does not replace the advice of legal counsel or a cyber security expert and should not be relied upon for any such purpose.

Visit aon.com/cyber-resilience for more information.

General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
