How HR Leaders Can Promote Cybersecurity Among Their Distributed Workforce

4 steps to follow

One in four Americans will work remotely in 2021, according to Upwork’s Future Workforce Pulse Report. The report also forecasts that by 2025, 36.2 million Americans will be working remotely, an 87% increase from pre-pandemic levels. The Covid-19 pandemic has dramatically shifted the way we work today, a trend that many are predicting will continue. So, whose job is it to ensure employees are following security protocols while working from home and, in turn, keeping the organization safe from malicious cybercriminals?
 

The security and IT teams are responsible for putting in place the right security strategies and technologies, but they are not the only ones responsible for cybersecurity. HR leaders also have a critical role to play in securing the remote workforce.

Breaches are more common than you would think. They are an inevitable reality for most organizations. According to a recent report, in 2020 there were 3,932 publicly disclosed data breaches that compromised a record-breaking 37 billion records, globally. That’s 10 breaches each day.

On the surface, cybersecurity appears to be a technical issue. But, at its core, it is a human issue. Humans are the ones that hack into a system and steal sensitive data, but they are also the first line of defense against cybercrime. Educating all employees – and keeping them accountable - on cyber security best practices is one of the most important security strategies to implement. Here are four ways HR leaders can help promote security in their organizations as employees continue to work remotely.

4 Steps HR Pros Can Take to Improve Security

1. Establish trust between the security team and other employees
First and foremost, employees should know who on the security team to contact when they see something suspicious and how they would prefer to be contacted in a remote setting. Just as HR contact information is widely known and communicated, so should security contact information. Additionally, encourage security teams to incentivize employees who take security seriously. Every time a person flags something potentially malicious or asks a question to the security team, reward them in hopes that behavior continues. Creating a trusting, transparent relationship between the security team and other departments, who often work in silos, will prove invaluable.

2. Work with your security team to help manage access to sensitive data
HR professionals are attuned to employee roles and responsibilities. There is a concept in security where this information is beneficial: the principle of least privilege. The least privilege is the practice of limiting access for users to the bare minimum permissions they need to do their job. Under least privilege, users are granted permission to read, edit, or execute only the files or resources necessary. For example, the marketing team should not have access to customer billing information. Given the increased risks brought on by remote work, limiting access to sensitive data is non-negotiable today. HR teams can work closely with security to determine who requires access to what, based on their role.

3. Collaborate on security awareness training
Because a large component of HR is employee training and onboarding, they have unique insights into what training methods work – or not – for a particular workforce. HR should collaborate with security to come up with creative ways to make security training more engaging. Many organizations have deployed ‘check the box’ security awareness training modules that fail to engage employees or change behaviors. There is a divide between what security teams are promoting and what non-security employees are hearing, and HR can play a pivotal role in bridging that divide. Start by collaborating with security leaders on top risks for the organization from a security perspective and find ways to come up with actionable and measurable initiatives that can really make an impact – and continuously improve upon the results. 

4. Develop and enforce security policies
HR professionals and security professionals are similar in that policies govern much of what they do. In March 2020, policies had to be rewritten or reimagined as many employees left the office behind. HR should be a prominent voice at the table during policy reviews and development conversations. Given HR’s people-first mindset, it can better communicate the importance of new policies and ensure proper compliance. Virtual meetings are a great example of this opportunity for collaboration on cyber security policies. During the pandemic, there was a spike in the usage of Zoom, and with it a rise in the number of security concerns. Understanding the security concerns is the role of security, while communicating how to securely use the platform is where HR steps in. Are passwords required for all meetings? What are the guidelines for sensitive, confidential video meetings? 

In each of these steps, there is a common theme: a relationship between HR and security. As the trend of remote work shows no signs of stopping, HR plays a vital role in securing the remote workforce. Security is a human issue, and it requires the collaboration between a people-first mindset and a technical mindset to limit the impact of, or prevent a breach. There is much to be done, and the partnership between HR and security teams can be transformative.  

Charles Horton is Chief Operating Officer at NetSPI. He has over 20 years of experience in building high performing teams in cybersecurity, technology, and healthcare that aim to solve complex challenges. As COO, Charles is focused on driving excellence in both client and employee experience and helping expand NetSPI’s services to meet growing demand. Prior to NetSPI, Charles was a Vice President at Optiv Security, where he drove key initiatives and growth programs across large scale services teams, through a blend of organic, inorganic, and partner programs.   Connect Charles Horton