Why HR needs to be responsible for cyber security


In the past, cyber security was the concern of the company IT department. But because of how pervasive digital technology has now become inside our organisations, it’s no longer feasible to compartmentalise it in this way.

Managing cyber security threats is now a business-wide issue.

According to Christos Dimitriadis, the chairman of the board of directors at the global IT cyber security organisation ISACA, cyber security is now an organisational issue at the enterprise level. Part of a good digital security strategy involves choosing people in such a way as to maximise the business’s resilience to digital threats – something which Dimitriadis says is a role for HR. Thus, like it or not, HR strategy is now firmly intertwined with cyber security, and needs to be redesigned to address this new role.

Combating cyber threats is no longer about choosing the right software package; it’s about training people on a massive scale to be concerned with the security of their own business devices. The HR department must now adopt strategies which enable it to find people with the requisite skills to mitigate threats.

Data from the UK suggests that more than 96 percent of all cybercrime could be prevented through basic adherence to simple procedures and policies. In short, the data suggests that it’s the people within a business who determine the security of its digital assets, not the quality of its software, the stability of its networks, or the business’ ability to root out and eliminate zero-day exploits. But for any people-oriented strategy to be effective, HR has to take a decisive role, constantly pushing people to behave in a way that is consistent with the company’s security objectives.

In short, HR needs to be at the centre of company cyber security efforts. Here’s why.

To Identify At-Risk Employees

Gaining access to the relevant systems often isn’t possible in a vacuum. More often than not, criminals need inside help to get the information they need to carry out an effective attack. Though a breach may occur in a matter of minutes, most cybercriminals go through months of planning to make sure that their plans succeed.

A common criminal tactic is trawling social media, looking for individual employees who have the potential to be disloyal. They deliberately seek out those who express disillusionment with their employers, or those with a dislike of authority, and try to break their psychological connection with the company, getting them to do things which they wouldn’t ordinarily do.

The job of HR, therefore, is to find ways to identify people within the organisation who may be susceptible to outside influence and who could potentially put the digital security of the company in jeopardy. This is by no means an easy challenge, but thanks to the amount of digital data generated by every individual in your organisation, it’s now possible.

HR can start by more closely monitoring employees going through so-called “trigger events” – things like demotion, dismissal or disciplining – which could provide incentive enough for them to take action against their employer. HR departments need to be aware that most employees who act maliciously do so within 30 days of such an event, providing a window of time during which the department can be on a heightened state of alert. Especially regarding matters of exit, HR departments need to put relevant measures in place to prevent digital sabotage by employees before they are told they will be leaving the company.

To Contain Security Breaches

If a breach does occur, it’s no longer the sole responsibility of the IT department to solve the problem. It’s also an HR issue, especially if employees are involved. The first lesson for HR professionals is that they need to be responsible for the actions of their workers. In many organisations, human resources will attempt to sidestep blame, saying that it was the employees themselves who were responsible for the data breach. However, simply passing the buck is counterproductive and leaves organisations vulnerable to cybercrime.

The second lesson is that HR needs to deploy an incident management team. This team should contain people who are able to conduct in-depth evaluations of any breach and report back to relevant managers and the C-suite. It’s the job of HR to find the appropriate talent – often from outside the company – organise the response team, and develop its protocols. The aim of the response team should be threefold: to identify what went wrong, to communicate with the relevant authorities, and to make sure that any breach is sealed as quickly as possible. HR departments should develop service delivery objectives consistent with the business continuity plan and produce a written incident report.

To Ensure That Security Practices Are Ethical

Companies often face a legal requirement to protect customer data. As a result, many have instituted rigorous employee monitoring and strict codes of discipline. However, this approach has both costs and benefits. The benefit is that the risk of a security breach is reduced. But the cost is a loss of social capital: employees just don’t like being watched all the time by their superiors.

This is where HR needs to intervene. HR professionals are required to make sure that any monitoring of employees is ethical. Employees shouldn’t, for instance, be subject to surveillance while they’re out of the office or using their home computers and private personal devices. What’s more, IT professionals may not understand some of the more delicate issues surrounding employee surveillance: this is something that HR will be able to advise on.

To Take Responsibility

As discussed, accountability for cyber security is a recurring problem. In many companies, HR departments shirk their role in preventing data breaches, claiming erroneously that breaches are the sole liability of the IT department. But a lack of accountability can become a serious issue in organisations where human resources don’t take the blame. Company managers and executives, therefore, need to be clear with their HR departments that they are responsible for any human element in security breaches, incentivising them to take corrective action.

To Identify Threats

HR needs to be more than an administrative arm of the business: it needs to be constantly vigilant for new threats that the firm may face and develop strategies to convey this information to employees.

The vast majority of companies deploy sophisticated software to prevent breaches – software which makes it incredibly difficult to gain access to critical systems without an element of human error. But while one opportunity is closed off, another is opened. Criminals are now choosing to target employees using strategies, like phishing, which are designed to get them to surrender critical information that can be used to access company systems.

HR departments need to know what kinds of threats the company is likely to face, and then educate their employees about those threats. Some businesses, for instance, will be at risk of email phishing, where hackers will attempt to steal information by posing as somebody that the employee trusts. Emails can also contain malware in downloads, and so HR may need to educate employees about the risks of email attachments too.

Then there are genuine employee mistakes which hackers can take advantage of. Simple mistakes, such as emailing sensitive information to the wrong address, leaving devices unlocked in public places, losing a smartphone or connecting via unsecured networks can all leave organisations vulnerable. Again, it’s the job of the HR department to identify the particular risks that the company faces, and then educate employees to mitigate those risks. HR needs to develop an alliance with staff, and get them working hard towards the shared goal of greater security.