HR Strategies to Drive Cybersecurity Culture in the New Normal

The COVID-19 pandemic has forced businesses across all industries to revise their working processes and requirements. From shifting overnight to a remote working model, furloughing staff and operating in a challenging economic climate, many businesses were unprepared for these transitions. However, these changes highlight the important role of Human Resource departments in communicating, supporting and responding to the necessary adjustments and helping employees through the process. 

HR's role in enforcing a strong cyber aware culture in the new normal

As HR departments rethink and reconsider how they foster talent and strengthen their organisations, front and centre to that shift needs to be IT security, underpinned by digital tools and a cyber-aware culture. With a 31% increase in cyberattacks during the height of the pandemic, reinforcing cybersecurity should be at the top of HR’s agenda. Andrea Babbs, UK General Manager, VIPRE SafeSend, discusses what this new way of working means long-term for HR departments and the importance of innovating their cybersecurity approach.

Managing Dispersed Teams
With social distancing measures in place and decentralised workforces, there is extra pressure for HR teams to effectively manage and monitor their employees. As the ‘Bring Your Own Device’ (BYOD) phenomenon creates a security concern due to the lack of consistent security and antivirus software, as well as the heightened pressure of staff feeling the need to work harder, faster and for longer, it’s no surprise that mistakes will be made.

Recent research has found that more than half of businesses believe working from home has made employees more likely to circumvent security protocols, such as using personal devices and failing to change passwords. Inappropriate use of business equipment might also be an issue that could arise, including the circulation of improper imagery or browsing unsuitable websites, which must be managed with caution and appropriate controls, such as blocking access to websites that could drain productivity.

With the combination of untrained employees and creative hackers, the challenges of maintaining security are evident. However, by implementing the correct software and security solutions across all employees’ devices, these risks can be mitigated.

Protecting Employee Data
As well as managing their employees, Human Resource departments have a vital role to play in keeping information safe and secure. HR managers deal with sensitive information on a daily basis, including health records, financial information, redundancies and CVs for potential and existing employees – a gold mine for cyber hackers.

Additionally, the personal information stored within HR must comply with General Data Protection Regulation (GDPR), meaning that if this data was to be stolen or revealed by cyber hackers, the consequences could be devastating. Results from the latest GDPR data breach survey found there was a 19% increase in the number of breach notifications, from 287 to 331 breach notifications per day. And it’s not just SMBs getting it wrong, but also big tech giants like Twitter, which was fined €450,000 after violating GDPR, because it failed to notify the regulator within 72 hours of discovering the breach.

Email is a key communication channel for HR managers to share this personal and sensitive information – which is a risk in itself. The repetitive and familiar nature of email usage means that users can often forget that without the right protocols in place, email can be a window to serious cybersecurity breaches. But, luckily there are digital tools available which offer that critical second check.

Heightened Email Security
Throughout the pandemic, there has been an increase in the number of attacks using COVID-19 and remote working as a lure to vulnerable employees. Also, email addresses of those in HR are typically made publicly available for job applications, which is also an open opportunity for spoofing or malicious attachments, disguised as CVs perhaps, to be sent. For example, phishing emails were previously sent to employees asking them to attend a Zoom call with their HR department regarding the potential termination of their contract.

HR teams can support employees to avoid not only making mistakes but also be wary of potential email attacks, by deploying innovative technology. Digital tools, such as VIPRE’s SafeSend, provide a simple safety check, prompting the user prior to sending an email to confirm it is correct – going to who it should, with the right information. Parameters can also be set to add certain domains to an allow list, or using a DLP add-on to flag sensitive information. Such tools can also help in the event of a phishing attack by highlighting external email addresses which try to look like they have come from someone internally, and most modern email security solutions also include the ability to prevent domain spoofing.

Email encryption can play a critical role in ensuring that sensitive and confidential email is sent both internally and externally securely. The data within the email can be encrypted so that it is not intercepted in transit. Tamper-proof email archiving solutions can also help HR Teams easily find old email communications for use in employee disciplinary procedures or internal enquiries. Being tamper-proof, the communications are locked away, safe from deletion or editing. Even if an employee deletes the offending email from their inbox, it stays in the archive for later retrieval.

SAT Programmes
Despite the creativity and advancements of hackers, the employees themselves are often the number one gateway for cyber attacks, and according to CISOs, human error has been the biggest cybersecurity challenge during the COVID-19 pandemic. It’s even more crucial than ever for Human Resources to reinforce and emphasise the need for a strong cyber aware culture within the workforce, and this can be done through Security Awareness Training programmes.

HR teams are often involved in choosing and implementing the right programme to suit the needs of their workforce. Key considerations here should be around the frequency of training, how engaging the training is for your workforce and the reports available to management to show improvement over time.

With many employees being the middleman between a cyber attacker and a hack, it’s vital that workforces understand their role in keeping business information safe. As well as implementing training for their employees, HR departments should also receive their own continuous training, which focuses on mitigating the legal, financial and reputational risks that come with cyber attacks. Not only will training mean employees are aware of how personal data should be handled, but it will also increase responsibility and accountability.

Conclusion
COVID-19 has not only presented new challenges to Human Resources teams but has also changed the future of the workplace, with many employees now having to adapt to remote or hybrid working. However, among these many transitions, cybersecurity must remain a priority. As threats continue to become more advanced and target those who are vulnerable during challenging times, it is the job of HR to act now and deploy a layered approach to cybersecurity in order to highlight and resolve any weaknesses in the workforce and to keep sensitive data safe. However, above all, in order for this secure infrastructure to be effective, employees must understand their responsibility and value when it comes to cybersecurity by taking a proactive role in keeping business information safe.