
The Importance of HR’s Role in Cybersecurity

It’s not common for companies to assign any ownership of cyber risk management to HR departments, but there’s a strong argument this needs to change. Considering the type of data HR manages and its strong links to virtually every other business department, a better link between HR and IT can drive stronger cyber defenses. This article describes the importance of HR’s role in cybersecurity by discussing the data it manages, the security risks it faces, and strategies that HR personnel can use to safeguard employees and the broader organization. 

Types of Data Managed by HR  

HR-managed data is often sensitive in nature and is regarded as lucrative by cybercriminals, who try to access or exfiltrate it to commit identity fraud or extort ransoms from companies. Looking at the types of data managed by HR clarifies why this department has a potentially vital and overlooked role in cybersecurity.

  • Personally Identifiable Information (PII) about current and former employees, including names, addresses, social security numbers, dates of birth and more. If mishandled or accessed by threat actors, this information is a treasure trove for those committing fraud or identity theft.
  • Employment records that include each employee’s employment history, performance evaluations, training and development records, and disciplinary actions. In the wrong hands, someone could use this to blackmail or defame employees.  
  • Compensation and benefit details, such as salary, bonuses, benefits and retirement plans. Dissatisfaction can quickly spread among a workforce if this data is made public and employees perceive unfairness in what others at the company earn.
  • HR systems may store login details and employee permissions for other internal company systems and platforms. In the wrong hands, these credentials can provide unauthorized access to broader organizational data. 
  • HR departments also store legal and compliance documents, including contracts, nondisclosure agreements, health and safety compliance records, training and certification records, and more.  
  • Employee medical records, including medical history, health insurance details, disability records and other health-related data, are incredibly sensitive, and HR must give this data the highest protection and security or risk serious privacy breaches.  

From this extensive list of data managed by human resources, it’s clear that HR’s role in cybersecurity is more important than you might assume.  

Key HR Cybersecurity Risks

One of the most significant cybersecurity risks HR departments face is social engineering. Given the amount of information HR departments manage, they are prime targets for phishing campaigns. Threat actors might pose as job applicants or even internal staff to trick HR professionals into disclosing sensitive information or clicking malicious links.

Another facet of this phishing risk is that employees are more likely to get duped by HR-related phishing attacks. One study found that 60% of failed phishing tests in the workplace purported to come from HR. Emails about pay, vacation, dress codes, tax forms, etc., are enticing, and employees are more likely to click their associated links or attachments without second-guessing the email’s legitimacy.  

Another risk to consider is the onboarding and offboarding processes at a company. HR personnel might get lax about these processes if HR isn’t regarded as a driver of cybersecurity defenses. Example scenarios include delays in revoking former employees’ access to systems or data, or granting new employees broader access than their roles demand.

There are also third-party risks to consider. Many HR departments rely on third-party platforms for recruitment, benefits management, payroll or employee training. If these third parties are insecure, they can become a backdoor into a company’s infrastructure or sensitive data.  

When HR doesn’t contribute to and communicate clear policies to employees, various cybersecurity risks are heightened. One example is the use of personal devices for work; without a clear policy on this (drawn up together with IT), insecure devices may be able to access company documents and systems. HR also has a key role in establishing clear channels for reporting suspicious activities, so that suspicious activities and cyber threats actually get reported rather than ignored.

Security Strategies for HR to Safeguard Employees and the Organization 

Given the responsibility of HR departments to manage sensitive employee data and ensure compliance, it’s essential they adopt robust security strategies.   

From the outset, HR should lead training on safeguarding sensitive data and the secure use of devices and technologies by employees. It’s important this training is an integral part of the employee onboarding process to foster a culture of cybersecurity among new hires.  

HR personnel should also thoroughly understand how to handle and store sensitive data correctly, including hard copies. Encrypting sensitive employee data and other company documents that HR manages is crucial to protect this information from prying eyes.  

When HR departments understand their role in cybersecurity, they can also help to bolster your company’s security culture with posters, emails or internal communication platforms that put cybersecurity at the forefront of employees’ minds.   

Lastly, HR personnel are strongly positioned to help determine which employee and corporate data is most critical and who needs access to that data. HR and IT teams should collaborate to ensure access rights are revoked when employees change roles or leave the company.  
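The two controls described above (revoking access when people leave or change roles, and granting no more access than a role needs) are only as good as the check that confirms they happened. One practical way for HR and IT to collaborate is a periodic reconciliation of the HR roster against the identity directory. The script below is an added example written for this article, not code from the original post or from any HR or identity product: the HR export, the directory dump, the field names and the group names are all constructed sample data, and the role-to-group baseline is an assumption a real organization would define for itself. It flags three conditions: a leaver whose account is still enabled past a grace period, an active employee holding groups beyond their role’s baseline (a mover or an over-provisioned joiner), and an enabled account with no HR record at all.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and a directory.

Hypothetical example: the HR export and directory dump below are constructed
sample data, not from any real system, and the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: what HR believes about each person.
HR_ROSTER = [
    {"emp_id": "E100", "name": "A. Lee",   "status": "active",     "role": "recruiter",  "end_date": None},
    {"emp_id": "E101", "name": "B. Ortiz", "status": "terminated", "role": "payroll",    "end_date": "2024-05-01"},
    {"emp_id": "E102", "name": "C. Novak", "status": "active",     "role": "recruiter",  "end_date": None},
    {"emp_id": "E103", "name": "D. Patel", "status": "terminated", "role": "hr_manager", "end_date": "2024-06-10"},
]

# Constructed directory export: what the identity system actually enforces.
DIRECTORY = [
    {"username": "alee",    "emp_id": "E100", "enabled": True,  "groups": ["hr-recruiting"]},
    {"username": "bortiz",  "emp_id": "E101", "enabled": True,  "groups": ["hr-payroll", "finance-approvers"]},
    {"username": "cnovak",  "emp_id": "E102", "enabled": True,  "groups": ["hr-recruiting", "hr-payroll"]},
    {"username": "dpatel",  "emp_id": "E103", "enabled": False, "groups": ["hr-all"]},
    {"username": "svc-old", "emp_id": None,   "enabled": True,  "groups": ["hr-payroll"]},
]

# Assumed role baseline: the groups each role legitimately needs (least privilege).
ROLE_BASELINE = {
    "recruiter": {"hr-recruiting"},
    "payroll": {"hr-payroll"},
    "hr_manager": {"hr-all", "hr-recruiting", "hr-payroll"},
}

GRACE_DAYS = 1  # how long after end_date an enabled account is tolerated


@dataclass
class Finding:
    kind: str       # "leaver_still_enabled" | "over_provisioned" | "orphan_account"
    username: str
    detail: str


def reconcile(hr_roster, directory, role_baseline, today, grace_days=GRACE_DAYS):
    """Compare every directory account against the HR record it is linked to."""
    by_emp = {r["emp_id"]: r for r in hr_roster}
    findings = []
    for acct in directory:
        rec = by_emp.get(acct["emp_id"])
        if rec is None:
            # Nobody in HR owns this account; if it is live, someone must claim or disable it.
            if acct["enabled"]:
                findings.append(Finding("orphan_account", acct["username"],
                                        "enabled account with no HR record"))
            continue
        if rec["status"] == "terminated":
            # Leaver: the account must be disabled once the grace period has passed.
            end = date.fromisoformat(rec["end_date"])
            if acct["enabled"] and today > end + timedelta(days=grace_days):
                findings.append(Finding("leaver_still_enabled", acct["username"],
                                        f"left {end}, account still enabled"))
            continue
        # Active employee: any group outside the role baseline is excess access.
        extra = set(acct["groups"]) - role_baseline.get(rec["role"], set())
        if extra:
            findings.append(Finding("over_provisioned", acct["username"],
                                    f"groups beyond {rec['role']} baseline: {sorted(extra)}"))
    return findings


def sample_report(today_iso="2024-07-01"):
    """Run the reconciliation on the constructed data; returns sorted (kind, username) pairs."""
    findings = reconcile(HR_ROSTER, DIRECTORY, ROLE_BASELINE, date.fromisoformat(today_iso))
    return sorted((f.kind, f.username) for f in findings)


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, ROLE_BASELINE, date.fromisoformat("2024-07-01")):
        print(f"{f.kind:22} {f.username:10} {f.detail}")
```

On the constructed data this reports three items: B. Ortiz left in May but still has an enabled account with a finance group attached, C. Novak is a recruiter who also sits in the payroll group, and svc-old is an enabled account that HR has never heard of. D. Patel does not appear because the account was disabled, which is the outcome the offboarding process is supposed to produce. In practice the HR side of this check is exactly the data HR already owns (status, role, end date), and the directory side is what IT owns; the value comes from running the comparison on a schedule rather than trusting that each ticket was actioned.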

An Increasingly Important Role 

In the coming years, HR’s role in cybersecurity will continue to grow in prominence. From dealing with regulations to addressing the human element of cybersecurity to navigating complex modern workforce dynamics, your HR department can contribute to the strength of your company’s cybersecurity posture in many ways. To learn more, you can hear directly from our HR, IT and security experts on how they safeguard employee and company data by viewing our recent on-demand webinar.
