HR Should Own Cybersecurity, Not IT

by Erika Clements
May 4, 2018

Cybersecurity is a battle fought on two fronts: technical and behavioral. Organizations tend to pour resources into the technical front while largely ignoring the behavioral side. On the technical front, the basic precautions are well known: keeping operating systems and third-party software patched, rolling out antivirus (endpoint protection) software, and implementing corporate firewalls. These technical safeguards can be likened to building a heavily fortified castle out of the most durable material. Yet commonly cited industry estimates put the share of successful attacks that begin with a behavioral failure, rather than a purely technical one, at more than 90%; the classic example is an employee clicking a link in a phishing email. This is like taking a heavily fortified castle and opening the front door to the enemy who is knocking. Technical controls can limit the damage of a mistaken click, but no amount of technology will eliminate the erroneous behavior itself.

An emphasis must be placed on changing behavior for effective cybersecurity. The Human Resources department has traditionally been tasked with establishing and enforcing policies governing behavior in the workplace. Why, then, is HR not given the same role when it comes to cybersecurity?

Here's why HR could be the right department for the job:

1. Expertise

The HR department is the expert in protecting both employees and the company through the creation, communication, and enforcement of personnel policies. When we think HR, we typically think policies concerning payroll, benefits, harassment, discrimination, etc. Similarly, cybersecurity directly affects the well-being of the employees and company and therefore should warrant HR’s attention.

An HR department's competencies include effective company-wide communication. HR knows how to express otherwise complex technical jargon in straightforward terms. Think of the last communication you received from IT: was it clear? HR is equipped to create and enforce cybersecurity policies, arguably more effectively than IT. Employees in the IT department are hired for their technical expertise, and many technologists do not see the need to write policies for things that seem like common sense to them. HR has a better understanding of how the typical employee will respond to a cybersecurity scam and may have insight into behavioral weaknesses IT would not have considered. HR can use this knowledge to create effective, preventative policies. Cybersecurity policies certainly require collaboration with IT on the technical content, but HR can effectively spearhead them.

2. Encouragement

HR oversees employee relations and benefits administration in most organizations. In many cases, HR holds the keys to job growth and employee well-being. When HR sends a communication, it often directly affects everyone in the organization. HR is the employee advocate, and most employees do not want to lose their advocate, so they tend to be more receptive to HR than to IT. In addition, HR has championed issues including diversity, harassment, discipline, health, safety, discrimination, and compliance. HR is therefore well equipped to tackle cybersecurity as well.

3. Engagement

HR is engaged in just about every part of every job in a company, including interviews, hiring, promotions, transferring, and retirement. Therefore, HR has the opportunity to educate employees on the importance of cybersecurity at various touch points.

In the hands of HR, the importance of cybersecurity can be stressed even before employment begins. HR can ask interview questions to gauge a candidate's understanding of cyber safety and willingness to comply with cybersecurity policies. During onboarding, cybersecurity can be included alongside other company policies and given similar weight. Employees should be trained on the company's cybersecurity policies and on how to recognize phishing and other social-engineering scams. Just as HR conducts periodic training on harassment, benefits, and similar topics, HR can take the lead on reinforcement training for cybersecurity policies, with technical input from IT.

Finally, HR can weave cybersecurity training and compliance into the performance feedback process. Tying cybersecurity expectations to incentive compensation helps ensure that managers and employees take them seriously. The incentives should reward employees for reporting a suspicious message or a mistaken click rather than punish them for it; employees who fear a penalty stop reporting, and an unreported incident is the one that does the most damage.

Though it is non-traditional to propose that HR own cybersecurity, at a minimum HR needs to play a role, because IT is not equipped to do it alone. One thing is certain: given the amount of information on our devices and the prevalence of attacks, we cannot afford to neglect the behavioral front of the cybersecurity battle.

Trenegy helps companies develop effective cybersecurity practices. Find out more about Trenegy’s expertise by contacting us at info@trenegy.com.