5 Ways HR Teams Can Contribute To Better Cybersecurity

One projection points out that by 2025, over half of all cybersecurity incidents will originate from people, specifically stemming from a lack of talent or human failure. Cyber risk is no longer an IT concern; it's a people concern. As custodians of people, HR teams have an increasingly important role to play in an organization's cybersecurity strategy. Let's explore the top ways in which HR teams can contribute to strengthening a company's security posture.

1. Formulating, Communicating and Enforcing Security Policies

Policies and procedures are fundamental to any organization's cybersecurity efforts. Security policies help explain the business risk (legal, financial, operational, regulatory, supply chain) organizations face each day and the roles, actions, and online behaviors employees must commit to in keeping the business safe from cyber threats. Since HR teams are default stakeholders in any policies that impact people, it would be wise for IT teams to involve them from the start, especially when building policies to govern security awareness training, social media usage, remote working, artificial intelligence, and vendor management.

2. Building Engaging Training Methods

Organizations must train employees regularly to remind them of cybersecurity risks and their susceptibility to phishing and social engineering attacks. Unfortunately, many cybersecurity teams lack soft skills. On the other hand, HR can be more instinctive in understanding employee needs, expectations, and communications. IT can leverage HR expertise to create more engaging content in training materials. Learning cybersecurity best practices and concepts must be included in new-hire orientations, stressing the importance of using password managers, multi-factor authentication, safe browsing, and reporting phishing scams. HR can also help motivate and engage employees by weaving security concepts into company all-hands and events, phishing contests and quizzes, incentives, and bonuses.

3. Promoting and Nurturing a Positive Culture Of Security

Security culture is made up of the attitudes, behaviors, beliefs, habits, norms, and perceptions that employees have around cybersecurity. Unless there's an intentional effort made to target or change these attitudes and beliefs, it's unrealistic to expect employees will suddenly change old habits or comply with new security processes. As a principal stakeholder of the organization's culture, it's incumbent upon HR to partner with leadership teams and security teams to promote a positive security culture and mindset — a culture where cybersecurity isn't perceived as something that's negative or that slows you down, but something that secures the business protects employees, improves alignment with regulators, and increases competitiveness.

4. Boosting Security Governance and Access Control

A lack of security governance coupled with a lack of vigilance and sound judgment is the perfect recipe for a cyber incident. To improve security governance, HR and security teams can jointly implement processes for defining, deploying, and reviewing employee access controls. The idea is to regularly review roles and responsibilities, granting access to systems and data that are only necessary to perform the job. This limits exposure to sensitive data and resources, limits lateral movement of cybercriminals (in case they infiltrate the company) and mitigates insider threats arising from disgruntled or former employees. HR can work with IT to ensure timely provisioning and deprovisioning of resources and access rights, especially during employee onboarding or exit procedures.

5. Implementing and Practicing Incident Response Procedures

Every organization should have a published and well-rehearsed incident response plan outlining the steps key stakeholders and employees must take when responding to a cyber incident. HR too has an important role to play in incident response. For instance, coordinating with IT to communicate with employees about the incident, providing guidance on how to respond, and offering support to affected individuals. In the event of a serious cyber breach, HR must consider the potential impact on employee well-being and morale, along with any legal ramifications.

Getting Aligned with IT and Cyber Is a Prerequisite

HR cannot be successful if it lacks alignment with technology and cybersecurity teams. To achieve better alignment, HR must focus on three things. One, it must improve knowledge on tools and systems and understand how every piece of technology impacts work. Secondly, it should understand IT processes so that it can map out its functions and contribute where necessary. Thirdly, HR must improve coordination with IT teams around access to employee files, systems and data, as well as compliance and regulatory requirements.

Mitigating cyber risks requires organizations to tackle both the people side of things as well as the technology side. Since IT teams oversee technology and HR teams oversee people, the importance of HR in building a security-conscious workforce should not be undervalued. IT teams can leverage HR's knowledge of people, policy, and culture to forge a robust and resilient cybersecurity strategy.