Why HR Leaders Must Help Drive Cyber Security Agenda
Recent events have helped unite security and technology professionals in the fight to thwart cyber criminals. Here's why HR leaders also play a major role.
The increasing reliance on remote and hybrid work over the last few years has created numerous challenges for businesses and their employees, including a significantly heightened cyber security risk.
Events of the last few years have clarified that at its core, cyber security is a people issue.
HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization.
Since 2020, COVID-19 has helped unite security and technology professionals in the fight to thwart cyber criminals seeking quick gains from a global crisis. However, human resources leaders can also help turn the tide on the digital battlefield.
While firewalls, data encryption, and other security controls are compulsory, a robust IT infrastructure may not be enough to protect an organization against one of its most critical vulnerabilities: its people.
It is estimated that in 2021, 82 percent of all breaches resulted from human error.1 In addition, 80 percent of cyber security teams believe that hybrid or remote working has increased their organizations’ vulnerability to cyber attacks.2
The increasing reliance on remote and hybrid work over the last few years has created numerous challenges for businesses and their employees, including a significantly heightened cyber security risk. A Chief Human Resources Officer (CHRO) plays a critical cyber security role by keeping remote or hybrid employees engaged with work and colleagues and attentive to security concerns. Further, the CHRO works with internal teams to develop relevant security training and appropriate onboarding and offboarding processes.
Cyber Security is a People Issue
While the oft-prevailing assumption is that cyber security is an information technology (IT) and a risk management issue, the events of the last few years have clarified that at its core, cyber security is a people issue.3 The need for a coordinated team effort is more critical than ever, as the risk of cyber attacks is at an all-time high. One study has reported that there was a 70 percent increase in breached accounts as compared to Q3 2021.4 Not only are cyber criminals more active, but the changes in the workplace make businesses and people more vulnerable. HR leaders need to take an important seat at the cyber security table as strategic thinkers who can help mitigate the risk facing the organization. What follows is a guide for human resources leaders across three emerging cyber threat vectors:
1. Remote Work: Employee Training and Accountability
The number of Americans primarily working from home tripled between 2019 and 2021, from approximately 5.7 percent to 17.9 percent.5 A hybrid work environment intensifies the risk of a cyber attack driven by remote connectivity. Organizations must narrow their cyber risk exposure without restricting their operational flexibility and productivity. While this might seem like just an issue for the IT team, it is also very much an issue for the HR team. As HR leaders navigate a new working environment, you can:
- Collaborate with IT on funding and implementing robust education programs on relevant cyber security risks and how employees can safeguard themselves based on their remote or hybrid work environments. Consider quarterly training modules with real-time threat intelligence updates, incorporate descriptions of actual attacks, and bring in outside experts as speakers. Be creative, perhaps developing an office ambassador program to deliver trainings. Shift from simply delivering off-the-shelf training prepared by IT or a third-party vendor, to strategically contributing to the training strategy, curriculum and delivery, and increasing employee knowledge and sophistication regarding cyber risks each year.
- Ensure people are aware of the BYOD (bring your own device) policies associated with using personal devices – especially mobile devices, where there has been a 50 percent increase in attacks in 2022.6 Employees who fully understand relevant organizational security controls are more likely to be active participants in these critical practices.
- Educate people on responsibilities and expectations relative to handling confidential data, customer information and any other information that could compromise the organization or adversely impact customers or shareholder value. Create and enforce disciplinary consequences for non-compliance with standards.
2. A Hybrid Workplace: Retraining and Crisis Preparation
Some portion of the workforce will likely remain virtual or in a hybrid schedule for the foreseeable future. Hybrid employees bring with them hardware and devices used at home including laptops, mobile devices, USB drives and other miscellaneous equipment. Recent hires may need to be re-onboarded with proper training, and all people will need to be familiarized with security best practices for both working in the office and remotely. As HR leaders face an increasing reliance on a hybrid work environment, you can:
- Work with security teams to protect the physical and digital security of the organization, ensuring that security evolves equally alongside other business changes, as well as with future growth or contraction. For example, ensure that employees are aware and prepared to have devices scanned and tested before being directly reconnected to company systems and networks.
- Execute cyber security awareness training with all recent hires as part of an additional onboarding process. Learn about the varied remote work environments and help new and current employees navigate hybrid work policies, procedures and expectations.
- Ensure that internal teams prepare for a potential adverse event. Implement incident response (IR) readiness planning for a cyber attack, as well as readiness planning for any future disruptions that may necessitate a rapid return to total remote working. Building this culture of cyber readiness is no different than running fire drills and disaster recovery training.
3. Employee Separation and Compensation Changes: Insider Risk is Paramount
In the fight to remain economically viable, many firms have been forced to downsize their workforces, reduce compensation, and limit other employee benefits.
Insider-related incidents, both inadvertent and malicious, have risen more than 44 percent over two years, and cost companies up to $15.45 million a year in 2021, with an average of 85 days to containment.7
In the current climate of layoffs, reduced compensation and benefits, and widespread economic uncertainty, otherwise well-meaning employees may be more likely to act maliciously in response to their new working arrangements. Current circumstances may lead to disgruntled or resentful workers who may find their current precarious situation a rationalization for activities such as theft of intellectual property or other fraudulent acts.
As an HR leader facing this wave of employee separation, compensation, and benefit changes, you can:
- Actively work to identify insider threats that represent a significant portion of data breaches, IP losses and cyber attacks. For instance, 56 percent of insider incidents are caused by negligence,8 reinforcing the importance of periodic training. In addition, to help counter the fears and frustrations of employees, frequent, clear communication can be an effective way to help reassure employees, reducing the risk of mistakes or rash actions. For malicious insiders, HR leaders can educate managers to spot warning signs, employ behavioral and communications technologies, and engage firms to deploy talent assessment tools that can identify at-risk populations. Also consider the creation of an independent and autonomous whistleblower hotline to improve the detection of internal fraud.
- Mitigate the impact of potential “bad leavers” whose goal is to compromise the data and security of an organization upon exit. Increase visibility and logging on devices, accounts and the corporate network as a means to block or minimize attempts to steal intellectual property, go-to-market plans or client lists, as well as thwart attempts to plant viruses or take the organization’s network hostage. Review current off-boarding procedures to ensure employee access to all systems is completely deactivated.
- Create a top-down culture of compliance throughout the organization, inclusive of cyber security, working across all human resources specialties including onboarding, learning and development, and change management. Make sure it is known that the organization takes security seriously and has a zero-tolerance policy on breaches of compliance and security protocols.
Human resources leaders are called upon to think more broadly and become confident in the vital role they can play in combating cyber risk.
Helping to build cross functional senior leadership teams that balance technical cyber security, financial risk, risk management, legal, and internal communications is essential.
The cyber-savvy CHRO is thus tasked with creating a culture where compliance with and understanding of privacy, information security and regulatory responsibility thrive. While the Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) are, and will always be, central players in identifying and mitigating cyber risk, HR leaders need to enlist as well. When the entire organization prioritizes and coordinates an approach to reduce cyber risk, it creates a level of “collaborative resilience” more powerful than single, stand-alone solutions. The CHRO is needed to move beyond the tactical to the strategic, prescribing and implementing cyber security regimens to meet 21st-century demands.
1 2022 Data Breach Investigations Report, Verizon.
2 “Shift to remote work sees major rise in cyber crime,” 3 August 2022.
3 See, e.g., “Everything HR Needs to Know About Cybersecurity in 2022,” 17 December 2021.
3 “HR Departments Play a Key Role in Cybersecurity,” 25 October 2022.
4 “Data Breaches Rise by 70% Globally in Q3 2022,” 25 October 2022.
5 U.S. Census Bureau releases new 2021 American Community Survey 1-year estimates for all geographic areas with populations of 65,000 or more, 17 September 2022.
6 The State of Phishing 2022, SlashNext, 14 November 2022.
7 2022 Cost of Insider Threats Global Report, Ponemon Institute.
8 2022 Cost of Insider Threats Global Report, Ponemon Institute.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.