With hybrid and remote working more prevalent, more and more businesses are re-evaluating how much focus cyber security should have. In today’s blog we explore just how much focus HR should have. Is it HR’s top priority and should it be? Evan from our team explores this.
Is cyber security top of the agenda?
Cybersecurity has been ranked, by over 1,300 HR and risk management professionals, as one of the top people-related risks facing UK organisations today. New government research shows that 39% of UK businesses have been victims of cybersecurity breaches or attacks in the past year. This has cost small firms an average of £8,460 and medium to large firms an average of £13,400. Not only is there a financial risk associated with cybersecurity breaches, but there is also a significant reputational risk. Furthermore, 50% of these UK businesses lack the basic skills needed to tackle cybersecurity risks. Given this research, cybersecurity is something organisations need to think about and act on. Thankfully, a survey carried out by Insights UK found that 91% of organisations are going to increase their cybersecurity budgets in 2021. Although this is a 5% decrease in the number of organisations that increased cybersecurity spending in 2020, it is still a significant amount. This will inevitably increase further in 2022 and it will be interesting to see whether the 2022 research demonstrates that.
The last of the COVID restrictions are being dropped, at least in the UK, with many countries no doubt to follow suit shortly. While the road out of rolling and partial lockdowns will vary somewhat by country, we are now entering a new phase, a phase candidly called “living with the virus”, or somewhat more scientifically “herd immunity”. Parts of the world are rapidly lowering their restrictions, with countries as far afield from the UK as Australia and New Zealand now opening their borders.
In the modern world of work, there are a number of security issues that organisations commonly face. For example, the pandemic has resulted in many of us working from home on a long-term basis. Given that people are enjoying the flexibility of being able to work from home, and the possibility of going into further lockdowns, it is unlikely that the work from home trend is going to stop anytime soon. This is a concern for organisations as the increased number of remote workers could put them at greater risk of cyber-attacks, with many organisations not having cybersecurity policies covering home working.
Is it HR’s problem?
Other common breaches or attacks can occur unintentionally, such as falling for a phishing scam or opening an email which includes a virus or other malware including ransomware, or intentionally, such as an individual impersonating someone from your organisation online, or a disgruntled employee who decides they want to maliciously attack their current or former employer. Although there are several ways a breach or attack can occur, human error is the most common. According to research conducted by the CIPD, 96% of cybersecurity breaches are a direct result of human, rather than technical, error. Historically, cybersecurity would have been seen as an IT issue. However, given the large number of data breaches caused by human error, it is clear that HR has an important role to play in protecting organisations against cybersecurity breaches and attacks. HR departments should be leading the way on cybersecurity.
So, what is HR’s role in cybersecurity? Here are some of the areas that HR need to focus on to ensure good cybersecurity within their organisation:
Organisations need to have a clear set of policies and procedures that focus on cybersecurity. For example, organisations could set out best practices and rules regarding remote work or using a personal device for work. These policies and procedures could be included in the employee handbook, and distributed to all new employees, prior to their first day.
The application process
When hiring new employees, HR need to conduct thorough background checks to ensure that potential new employees are not, and have not previously been, involved in fraudulent behaviour. Furthermore, asking questions about cybersecurity in the selection process will allow organisations to identify if applicants are a good fit for the business.
Organisations need to develop an in-depth onboarding programme. The importance of cybersecurity needs to be communicated to new hires from their very first day. The policies and procedures previously mentioned need to be emphasised during new-hire orientation, or during the first week of the new employee’s tenure. Also, to ensure new hires do not have access to data that is not relevant to their roles, they need to be set up correctly on the systems and apps in use at the business.
New employees need to be provided with cybersecurity training at the beginning of their tenure with the organisation. This can, and should, come in several forms to accommodate varying learning styles, such as pre-recorded videos, or synchronous online or in-person training, conducted by a subject matter expert. Furthermore, ongoing training needs to be implemented to ensure that all employees are made aware of changes to legislation, company policies and procedures, or the emergence of new threats or attacks.
Organisations must have policies and procedures related to offboarding. Employees that are leaving the business need to have their access and passwords to specific company systems and apps revoked. This will ensure that employees do not leave the organisation with sensitive data. This is particularly important for employees that may have been made redundant and could be more likely to engage in a malicious attack on their former employer.
Cybersecurity needs to be incorporated into the culture of the organisation. It is important that employees feel psychologically safe to speak up about issues they have, or a breach that may have occurred, without the fear of being punished. Furthermore, organisations need to ensure that employees are not being overworked, as this is when individuals are at a high risk of making a mistake and causing a data breach. Proactive security behaviour should be acknowledged and rewarded. This type of culture is the foundation for effective cybersecurity.
Protecting employees wherever they work
In this new world of hybrid working, where we rely so heavily on technology to allow us to collaborate, to share information and data, and to feel connected to one another, how do we help people feel safe and secure online? A recent study found 57% of employees believe they are more vulnerable to cyberattacks. Documents, information and data are now not just in the office, but at home, and in the local café or workspace at the gym. The lines of where you can work, who overhears you, and who can see a carelessly left screen or document have been significantly blurred.
This post was written by LACE Partners. They are an exhibitor on the HRTech247 Consulting & Advisory Partners floor in the Partners Hall here.