Why HR leaders are critical to a cyber security culture

Quite apart from HR leaders being the custodians of valuable employee information that would delight any would-be hacker to get their hands on, HR leaders have an even more critical function in a company’s cyber security policies and processes. One could argue HR leaders are central to the success or failure of cyber security.

In the last few months, there have been almost a dozen high-profile cyber security breaches. The most alarming statistics are not in the number of breaches but rather in the relative simplicity of gaining access to sensitive data. In most cases, the breaches were not due to complex criminal masterminds, but omissions or mistakes on the part of the companies breached. The hacks could easily have been avoided, and in at least eight cases, the breaches were caused by human error.

I don't for a second think HR leaders suddenly need to get a degree in cyber security, but it is clear they need to be across it and work to develop a culture of cyber security for their organisations. While getting the tech team to train everyone is tempting, it will not work. Only HR leaders are entirely across the way their people learn. People learn differently, and HR is a team that understands L&D and how to embed cyber security into the culture of the business.

These days, everyone in the business is an integral member of your cyber security team, and they should be from the day they commence their onboarding through to their last day in the business.

Company policies and compliance

As the creators and guardians of company policies, and the team responsible for disseminating them to employees, HR is perfectly positioned to become one of the leading advocates of a cyber security culture.

Cyber security is also a compliance issue that boards must report on – being compliant means keeping your team up to speed. Hosting a morning tea and handing out a brochure on cyber issues is no longer acceptable. Hackers are getting smarter and moving faster, and companies must keep up.

The measure of success: benchmarking

Everything in business needs to be measurable, but unfortunately, the best yardstick of success for cyber security is when nothing at all happens.

A good measure for HR (and tech teams) is to run an exercise testing how many employees click on a dodgy email or link before you undertake training to set your benchmark. Measure frequently post-training to understand how the team stays on top of security issues.

Get the HR team across the issues first

HR is expected to be across every issue and rapidly become the experts in any given topic. Cyber security is yet another feather to add to your cap.

With human error being such a significant contributor to breaches and HR being the team responsible for humans, it suddenly becomes your problem, too.

Take the time to understand the issues (by all means, speak to the tech team first) and speak with an external cyber security consultant about training and development for your business.

Bespoke training

Training needs to be bespoke. This is where HR’s knowledge of what motivates each team can help to drive best-in-class training. Tech teams will feel patronised by the same style of cyber security training as sales teams and accounts because invariably, they are already up to speed with the issues and risks, but no team must be left behind.

Create training that will resonate with each of your internal stakeholder teams. Make cyber security part of your induction process, and ensure it’s embedded, updated and frequently revisited in your L&D offering.

‘No-blame’ culture

Humans are fallible. We won’t ever eradicate cyber security threats, so it’s essential to create a culture where your teams feel comfortable reporting possible threats and their mistakes without reprisal. When concerned about disciplinary action, they are less likely to alert senior leaders early if they have made a mistake. The earlier companies are aware of a cyber security breach, the faster they can act; every minute counts.

Some companies are now using a “phishing” button on their email servers, where employees can immediately report anything suspicious that may have been missed by security software. The emails are quarantined and detonated (that means opened in a safe “sandbox” environment) and checked whether the “payload” is legitimate. In other words, the IT team will assess if any links or attachments are genuine or malicious.

These days, scams can be convincing. It’s social engineering. Hackers have a lot of data. It’s not hard to create personalised emails that will fool an employee into taking action that unleashes destruction. They might look like an attachment from the boss or an invoice from a supplier. It’s little wonder so many people fall for it.

HR is key to the success of a cyber security culture

Cyber security cannot remain solely the responsibility of the chief information officer or chief technology officer and their team. It must become an integrated component of every business.

There are compliance issues to consider, as well as protecting the company’s good name, customers, and other sensitive data. While ever, human error remains one of the key causes of breaches, so cyber security must become a whole-of-company priority. To achieve a company-wide culture shift, it’s evident that HR must play a key role.

Ben Jones is the MD at Continuum Cyber.