Cybersecurity Threats And HR

3 steps HR can take to build a human firewall against cybersecurity threats

Security of data remains one of the central threats to almost every business, regardless of size, industry, or location. There is, sadly, no company too large or too small to potentially suffer the impacts of a data breach or the disruption of ransomware attacks. Worse, as states begin to tighten controls and penalties around privacy, the pressure to keep data safe is only growing. The costs of a breach can be extremely damaging – according to IBM, the average cost of a breach for a healthcare provider last year was over $10M.

Despite the highly technical nature of many security systems, it is also clear from the analysis of breaches in the past decade or more that HR actually has a strong and central role to play in keeping their business out of the headlines.

The reason is that most attackers do not target technical vulnerabilities (weaknesses in existing systems and the networks that connect them) but rather the far more fallible and available humans who use them.

This is why attacks like “Phishing” (where people are targeted with a bogus message to get them to respond or download dangerous software) or compromising email accounts remain the most common forms of a successful attack.

People, as we all know, make mistakes. Worse, we are trained and motivated in a work environment to be responsive and helpful. Want to sneak into the network? Pretend to be an important executive on the road, who has forgotten their password and send a quick text to their admin asking for help. It works, and attackers ruthlessly exploit both our wish to be helpful and the busy nature of our day.

The best defense, then, is a workforce that can take a moment, recognize a bogus email or a suspicious document, and contact their security team first. And that requires a workforce that has been prepared.

No army goes into battle without training and equipping its troops, and that is exactly how HR professionals must now think of their employees: as troops headed into a battle against an adversary, who may be lurking around the corner or across the globe. Indeed, security experts will tell you that preparing our employees is probably the most important (and most neglected) element of any good security program. Security teams have been talking about building “the human firewall*”, educated and enabled employees who can spot and defeat an attack, for decades.

So how can HR help? There are three essential steps to building a human firewall?

Step one is to make sure there is a commitment from senior stakeholders to implement security training. This is essential because regardless of who gives the training (and there are plenty of external companies with ready-to-go training materials) it will not matter if senior leadership does not believe it is important enough to invest in and enforce. 

Step two is to make sure companies have the right training in place, and it is clearly communicated. While some security awareness is important to every business (for example, how to recognize fake emails asking for information or to click on attachments) other training might be more specialized, such as dealing with personal and protected information for a healthcare company. Leaders can get the training sourced, and in place, and then communicate and enforce participation. This is where step one really pays dividends.  Everyone is busy, so if HR has the backing of senior leadership, it is much easier to ensure busy employees take the time to actually engage with and take the training course.

Step three is the hardest part: stick with it. Security awareness and good habits are like any learned skill – they need regular reinforcement. Many initial security efforts fail because they are not repeated and measured and enforced. So a constant and regular set of evaluations and training is critical to maintaining a good security stance for employees. HR needs to make sure it’s part of every new hire process, and track and measure who attends, who passes, and going back to step one, have the ability to make even the busiest employees pause in the day and take the training. Typically, this would be every six months or so, but for more highly regulated industries it could even be quarterly.

Securing systems and information is not easy. Attackers constantly look for and develop new ways to breach defenses and either insert bad software, such as in a ransomware attack, or steal data to sell or use for other attacks. Nevertheless, the first, and most likely target will be employees themselves. So preparing them to be that “human firewall” is not only the best defense, but it could also save a business a lot of heartache, embarrassment and money.  

Therefore, the role of HR teams has become so critical in keeping their employees informed and ready to do battle out there in the cyber-wilderness, motivated, trained and equipped with the knowledge to make a business a difficult place for attackers to get a foothold.

*If you’re wondering, a firewall is a security technology that often is the first line of defense against an attacker trying to sneak into your network and acts like a gatekeep for any computer trying to connect (and often trying to send information out too.)

Geoff Webb is the VP of Solution Strategy at isolved.