Organizations need to recognize that HR is a critical link between employees and the cybersecurity posture of the business. Here are seven ways HR can help boost cybersecurity efforts.
Cybercriminals continue to hone their tactics to stay ahead of security measures and be more successful and effective at what they do. Amongst their craftiest maneuvers in recent years is the utilization of HR-themed phishing emails, a devious strategy that preys on the blind trust employees often put in their HR departments.
Over half of all malicious emails observed in Q2 2023 contained messages that impersonated HR personnel to manipulate recipients into divulging sensitive information, clicking on malicious links, unwittingly sharing credentials, or granting unauthorized access. Email subjects covered routine HR matters such as dress codes, policy updates, training notifications, and vacation notices.
Studies show that employees are more likely to click on HR-themed phishing emails versus other forms of business communications.
Bogus HR-related emails are not the only tactic cybercriminals have mastered. For the past several years, fraudsters have been running recruitment scams on social media and staffing platforms (like LinkedIn) in an attempt to obtain private and financial information from their intended targets. Payroll diversion attacks have also become a growing threat. In this form of fraud, similar to Business Email Compromise (BEC), attackers impersonate employees and convince HR departments to change banking details so that paychecks are diverted to accounts the attackers control.
Should HR Teams Own a Piece of Cybersecurity?
As the custodians of sensitive employee data, gatekeepers of organizational access, and protectors of confidential employee files, HR’s involvement in cybersecurity is substantial. But HR’s role is often overlooked because cybersecurity is typically viewed as an IT issue rather than an HR issue, and HR is usually perceived as lacking technical expertise or security knowledge.
However, if we observe the modus operandi of phishing and social engineering attacks, we can see that they have more to do with human psychology, employee behavior, and organizational culture (things that HR specializes in) than with an absence of cybersecurity controls or a lack of technical knowledge. Organizations need to recognize that HR is a critical link between employees and the cybersecurity posture of the business. Cyber incidents can also have a negative impact on talent recruitment and employee retention.
How HR Can Help Boost Cybersecurity Efforts
There are a number of things HR teams can do to help enhance the overall cybersecurity posture, including:
1. Cybersecurity Training, Awareness and Communications
HR can work with security teams to implement cybersecurity awareness training for all employees, with a specific focus on identifying and handling phishing emails. Unlike HR, cybersecurity teams aren’t known for their role as communicators. Employees might find it difficult to comprehend IT jargon, technologies, and concepts. HR can help craft and fine-tune communications to make training content more palatable for everyone.
2. Simulated Phishing Tests
Using phishing simulation exercises, HR can train employees to recognize and report HR-themed phishing emails and gauge their susceptibility to such scams. Employees can be taught to identify common red flags (such as suspicious senders and URLs, crafty subject lines, and urgent or unusual requests), and the exercises can reinforce the importance of reporting phishing emails to security.
3. Collaborating with Security Teams
HR can collaborate closely with security to share information on emerging threats, phishing campaigns, and risky insiders. HR can also serve as an important part of the governing body of senior leaders who oversee the cyber program, investigate violations, manage incident response, and respond to data disclosures.
4. Building and Promoting a Culture of Cybersecurity
HR teams can help promote a business culture that is trustworthy, transparent, and accountable. Employees should feel encouraged to seek help, ask questions on security topics, and collaborate to improve organizational defenses. A culture where employee actions and positive security behavior are celebrated and rewarded can make employees feel a sense of pride in upholding security standards.
5. Encouraging Reporting
One of the most potent defenses against phishing is the proactive and timely reporting of phishing emails. HR teams can encourage a culture where employees do not fear punishment for reporting unusual or suspicious activities. HR can help establish private channels for reporting security incidents (to either IT or HR) so that employees feel comfortable doing so.
6. Developing Incident Response Plans
In case a cybersecurity incident does take place, a well-designed, well-practiced incident response plan can help minimize damage and aid in faster recovery. Working with IT and other stakeholders, HR can help build a coordinated response against such incidents.
7. Continuous Monitoring and Updates
Working with cybersecurity teams, HR can regularly review and update the organization’s cybersecurity policies to stay ahead of evolving phishing tactics, identify risky insiders (disgruntled workers, employees serving notice, etc.), and report sudden or unexpected changes in employee behavior.
By taking the above proactive steps, HR can instill a security-first mindset in the organization, empower employees to act as human firewalls, and foster a robust and resilient cybersecurity culture.
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)