From SolarWinds to the Colonial Pipeline, countless organizations have been blindsided by recent cyberattacks like phishing and ransomware. In fact, the U.S. is the worst-affected country in the world by data breaches, with the U.K. slightly trailing. And now that cybersecurity threats are becoming more prominent, the U.S. is planning to give ransomware hacks similar priority as terrorism, according to the Department of Justice.
So, what should employers be doing? HR and IT leaders need to collaborate in fostering a culture of cybersecurity, ensuring employees across departments understand how they can help avoid a costly data breach, according to Beth Klehr, CHRO at Entrust, a Minneapolis-based provider of identity, payments and data protection.
“Employers need to take specific steps to start building a culture of cybersecurity,” Klehr says, including:
- take an existing annual employee security awareness training a step further by building a partnership between the HR team and the Information Security team to create practical, hands-on learning opportunities, such as regular phishing email simulations across the organization;
- conduct at least one robust security assessment each year to better understand areas in which security protocols are lacking, allowing them to identify areas to focus on for annual training; and
- maintain an active, ongoing internal forum to help employees understand what trends are happening in the marketplace (based on industry news and analyst reports).
John Sumser, principal analyst, CEO and founder at HRExaminer and a speaker at the upcoming HR Tech Conference, says to be effective in boosting cybersecurity across the enterprise, every HR professional must understand the fundamentals of safety, security and privacy.
“These three things form an interlocking idea,” he says. “The reason we care about them is that we are charged with making the workplace safe and secure for employees.”
Sumser says HR pros need to be comfortably familiar with the basics of security and privacy and, in particular, should:
- practice good security procedures (including regularly changing your passwords) in everything you do;
- have every member of the HR team take a “Fundamentals of Information Security” course online;
- evaluate your vetting and screening processes; and
- examine your processes to see that they don’t injure/inconvenience employees. Insiders can be the biggest security problem.
At Entrust, Klehr adds, the company’s “Security in our DNA” forum is a collaborative initiative between HR and Analyst Relations teams to raise employee awareness on what’s happening in the cybersecurity industry, and why it all matters to Entrust.
Related: Work-from-home mandates create cybersecurity concerns
“Colleagues can share news they’ve found and ask questions and converse about security-related topics,” she says.
Also, Entrust annually requires all global employees to complete Security Awareness training.
“Our approach to security training is to make it personal for employees with examples they can envision happening at work and in their home environment,” she says, noting that everything they learn helps them address the cyber threats to their company, their family and themselves, including identity theft.
“We work hard every year to ensure that the training program is robust and engaging,” she says, noting this includes practical email simulations to help employees learn to identify red flags in suspicious emails. “We are focused on increasing our people-centered security posture because it’s up to us to defend our organization against cybercrime.”
Admittedly, cybersecurity is part of the “DNA” at Entrust, which may give its HR team a leg up over non-tech companies (or even tech companies that may not be in the data protection industry).
Klehr explains that non-tech employers should look at cybersecurity training the same way they would other business continuity and compliance threats. To her, it means building a culture around security awareness and enablement into policy training from day one when a new hire begins, refreshing expectations and processes at least annually.
“You should also enlist help from your IT department and your legal expertise,” she says. “From an HR standpoint, leaning on human-centered design training can give real use-case applications that are easy to understand from a consumer mindset.”
That type of approach helps build expectations about safeguarding the company and strengthens the overall technical knowledge around the use of new digital tools, Klehr says.
Sumser adds that central to the cybersecurity strategy should be the protection of HR data and employee personal identifying information.
“That data is, by far, the sweetest prize and the easiest to access for a hacker,” he says, explaining that the techniques used to gain access to this material are always a combination of “smooth-talking and technology.”
Click here to register for HR Tech to learn about the latest tools employers can use to advance cybersecurity.