We can safely assume that, like most businesses today, you rely heavily on internet-based technologies to reach customers and achieve your digital marketing objectives. Keep in mind that every digital tool also has the potential to expose your company to cyber threats. While digital payment systems have enabled financial inclusion and transparency, they have also brought increased security risks and data breaches.

It is no surprise, then, that most businesses now build a cyber risk management plan into their operational strategy, and the Human Resources (HR) team has a central role to play in implementing that plan effectively. HR is increasingly responsible for determining and enforcing employee data permissions, training employees on cybersecurity policies and procedures, and responding to cyber events. In this blog, we discuss this role in detail.

Why is HR playing a significant role in Cyber Risk Management?

The data and security practices prescribed to employees are critical determinants of an organization's overall security. The evolving regulatory and cyber risk landscape is transforming HR's role in managing data and technology risk, particularly in remote working environments. Several factors are contributing to HR's increased involvement in a business's cyber security plans: a more active regulatory environment, the widespread use of technology and devices by employees in their work, and broad recognition of the value of a strong cybersecurity culture in an organization. We discuss some of these factors below.

  • Regulatory Compliance

Since GDPR was enacted in May 2016, regulators have demonstrated a willingness to impose significant fines on organizations and individuals who fail to protect personal data. Managing regulatory compliance related to data privacy is increasingly handled by HR in collaboration with the IT department. It has traditionally been HR's responsibility to conduct onboarding training for employees on safeguarding sensitive data and on using technologies and devices securely. Employees, as well as third-party vendors who use the organization's data, are often trained on privacy regulations too, in partnership with IT.

Usually, IT, compliance/legal, and third-party investigators are responsible for determining internal accountability for data-handling errors and misconduct. HR, however, is best positioned to advise on appropriate punitive or remedial actions for such errors and misconduct, as defined by the company's policies, because it manages employee compliance with organizational policies. To handle events involving employees, HR and IT must work together to develop and implement a robust data incident response plan. An organization can accomplish this by agreeing on how their respective roles overlap in establishing and enforcing data practices and policies, and on how it will respond quickly to regulatory data violations.


  • Access and control of employee data

A cyber risk management strategy must include determining appropriate standards for the access and control of sensitive data. Again, HR is well positioned to assist organizations in determining which employee and corporate data is most critical, who should have access to it, and how that access should be controlled. These standards are usually explained to employees when HR hires and onboards them.

There are several factors to consider here, such as limiting access to current and former employee information (medical, bank account and compensation details, social security numbers, phone numbers, home addresses and so on) or removing it from the company's database altogether. HR can also play an important role in supporting sound cybersecurity practices, based on advice from the IT team, when an employee's tenure at a company comes to an end. It has been reported that many malicious insider cases occur after employment has been terminated. This risk is reduced when HR and the departing employee reach a mutual agreement at the end of the tenure. Termination processes also need to be carried out in coordination between HR and IT. Completing an exit interview, reviewing the NDA, revoking company identifier (ID) badges, collecting company keys and any other company assets, disabling user accounts, changing passwords, and escorting the individual off the premises are all part of these processes.

  • Data Disclosures

The Human Resources department is responsible for managing data breaches and disclosures, whether accidental or malicious. These events can result in significant financial loss, legal action and loss of consumer trust. In the workplace, sensitive information may be exchanged between employees within the office or shared remotely over a secure channel. Therefore, to protect an organization from threats posed by employees, HR must ensure that new employees sign documents such as non-disclosure agreements (NDAs), ethics agreements, code of conduct policies and conflict of interest policies at the time of joining. These documents set out the expected behaviour and help to protect an organization's information assets.

If information is accidentally disclosed, best practices recommend specifying in advance which department will handle notification of a breach or deletion, which department will respond, and what response is appropriate in each situation. Communication and direction from IT and other functions are essential in this regard as well.

In most cyber incident response plans, the primary responsibility of IT, in conjunction with third-party investigators, is determining accountability for disclosure events. HR, however, is well positioned to offer guidance on appropriate remedial or punitive measures, as it helps establish and enforce compliance with company policies. Law enforcement's ability to collect evidence or apprehend criminals can be adversely affected by data leaks or breaches that become public before the company is ready to disclose or respond, and HR can help avoid such situations. Hence, organisations now widely acknowledge the importance of HR in governing the treatment of sensitive data when implementing the cyber risk management plan.

  • Cybersecurity culture

Human resources plays an important role in creating and maintaining a robust cybersecurity culture, as it is usually an organisation's first (and last) point of contact with employees. As the importance of cybersecurity training for employees has become clearer, HR is increasingly involved in cybersecurity training sessions.

Providing new employees with information on how to practice good cybersecurity hygiene helps them a great deal. It boosts their confidence when they face a scenario that requires them to mitigate cyber risk. It is essential to guide employees on how to recognize and handle common situations, such as phishing and password security. Beyond digital transformation and new technology implementation, training should also cover best practices for bring-your-own-device, remote access, business continuity, incident response and recovery, and device usage.

It is imperative that all employees are trained to abide by the appropriate policies, since most of them can access work email on their phones and sensitive data from their laptops. Work-from-home cyber security protocols and practices are less robust than those under normal office conditions, so employees should be trained to comply with these as well.

In a strong cybersecurity culture, there must also be consequences for non-compliant behaviour. Employees who fail to follow best-practice security procedures or do not complete training should be penalized, for example through poor performance reviews or even lower compensation. HR and IT teams need to work together to detect such violations and to communicate the ramifications to employees beforehand.

HR should be involved in decisions on how to respond to employees who repeatedly lose sensitive equipment, how to handle rogue employees who steal sensitive information but claim it was an accident, and what action to take when employees report a data breach. Managing these scenarios effectively requires HR to stay on top of evolving cybersecurity risks and regulatory requirements.

Undertaking an efficient response-testing exercise is another integral part of a true enterprise cyber risk management program. Leaders across all key functions should participate in continuous communication and training to ensure a robust cybersecurity culture. IT, PR, risk management, the C-suite, board members, and legal/compliance departments can align their actions and priorities through simulated cyber events that test a company's response. HR can bring all these people together when implementing such an exercise. Including HR in event response planning also helps align the treatment of employees with applicable employment regulations and laws, reducing the risk of litigation.

As cyber threats become more sophisticated and prevalent, the role of human resources in cyber risk management is becoming increasingly important. As the discussion above shows, HR professionals are in a unique position to help organisations manage cyber risks by training employees on best practices for data security, implementing effective policies and procedures, and fostering a culture of cybersecurity awareness in the workplace.

By working closely with IT teams, HR professionals can identify and address potential vulnerabilities, such as insider threats and social engineering attacks. They can also play a critical role in incident response and remediation efforts, helping to minimize the impact of cyber attacks on the organization and its employees.

Ultimately, the success of any cybersecurity program depends on the people who implement it. HR professionals can help ensure that employees are equipped with the knowledge, skills, and resources they need to protect the organization from cyber threats. By taking a proactive approach to cyber risk management and engaging HR in the process, organizations can enhance their cybersecurity practices and safeguard against increasingly sophisticated cyber attacks.