Cybersecurity: The growing partnership between HR and risk management


Cybersecurity continues to prompt government action, whether it's the proposed federal backstop to help insurers stay solvent after a catastrophic cyberattack, or the new cybersecurity disclosure rules adopted by the Securities and Exchange Commission that require public companies to disclose cybersecurity incidents within four days of deeming them material.

Perhaps less well known are the critical actions HR professionals can take to mitigate cyber breaches within their organizations. Today, 85% of all cyber incidents include a human element. In fact, some experts estimate that 78% of all work-related cyber claims start with phishing, i.e., the fraudulent practice of sending emails, invitations or texts to employees purporting to be from reputable sources. By working with IT on awareness building, training, policies and pre-breach planning, HR has a significant role to play in stopping bad actors from breaching organizations.

Given the vast amount of data entrusted to HR professionals, it is critical that they help educate the wider company and also implement the strongest controls within their own departments to mitigate the risk of cyber-crime.


Growth in risk factors
Since 2020, the number and sophistication of bad actors have increased, largely sparked by the transformation in office culture brought on by the COVID-19 pandemic. First, work from home exposed workers to widely varying levels of network security. Employees logged on from multiple sites rather than one main building or complex, creating new vulnerabilities for bad actors to exploit. As the use of video conferencing tools such as Zoom and Teams increased, new opportunities arose for bad actors to send fraudulent emails asking employees to "click to join" team meetings.

Hackers continue to evolve, using new and more complex tactics every day. Previously, organizations trained employees to detect phishing by looking for suspicious sender addresses. But now, many hackers can send phishing emails that appear to come from inside an organization's own email directory, so the sender address looks fully legitimate.

Given the increasing complexity and frequency of cyber-attacks over the past three years, the human element within a company, i.e., its employees, has become a main risk factor for data security. Workers are now the first line of attack, and companies must give their employees the necessary tools to stave off ever more sophisticated and expensive breaches.


How HR can help
Since more than three-quarters of data breaches begin as phishing emails to employees, workforce awareness and training are key for company-wide protection. Once cyber criminals get their code running on an employee device or gain general network access, they can steal data and/or deploy malware that leaves the organization open to ransom demands.

HR has an important role to play in workplace training and should consider cyber education as part of onboarding and continuing education. Because cyber criminals' techniques evolve quickly, becoming more sophisticated by the day, employers should offer continuous training to ensure employees have the latest information to protect the organization.

Given the enterprise-wide importance of this training, modules need to be engaging, even fun. Some companies give prizes to employees who detect and report phishing schemes. Others follow up training with field work, sending employees simulated phishing "test" emails to see how they respond. Forward-thinking HR leaders understand that cybersecurity is now a key HR responsibility, and that human behavior will only be as good and vigilant as the training and policies behind it.


A gateway to sensitive data
HR professionals themselves can also be attractive targets for bad actors. The access they have to sensitive employee and company data can be a goldmine for hackers, putting a target on the back of everyone within the HR organization. As such, HR leaders should put proactive, pre-breach policies in place for their own teams.

Policies might include contacting, through a separate and already known channel, any internal or external party who asks for changes to sensitive information, such as invoice numbers, email passwords, direct deposit details or software updates, before acting on the request. They should also cover remote workers and incident response.

Optimal levels of cyber protection
Identifying and putting such policies in place is a key element of cyber insurance. When you purchase cyber insurance, you get access to pre-breach planning and policy templates, which, for many organizations, is just as important as the breach coverage itself. While the optimal amount of insurance depends on many factors, including size, revenues, number of employees and access to confidential information, HR organizations of all sizes and structures benefit from pre-breach planning and policymaking.

Take, for example, industries that were considered relatively low-risk for breaches three years ago, such as construction and manufacturing. Companies in these sectors collected relatively little personal data or credit card information compared to organizations in healthcare, retail and financial services. Perhaps because of this, they made fewer investments in pre-breach planning. Today, construction has the highest cyber insurance claim frequency, followed by manufacturing and professional services. This is largely because construction sector leaders didn't see themselves as targets, which created new opportunities for bad actors.

Regulatory trends
Over the next few years, expect to see an increase in cyber regulation. Currently, certain industries such as higher education and healthcare have cyber regulations in place governing how data is handled and protected. States are also becoming involved in cyber protection; California was the first state to pass a cybersecurity law that requires a business or state agency to notify residents when their unencrypted personal information has been acquired by bad actors. Over time, more states are likely to follow suit.

Cyber regulations can amount to both too little and too much protection at once, because bad actors adapt to them at a dynamic pace. Regulations can't take the place of organizational planning and preparation, but they play an important role in raising awareness of the importance of cybersecurity. New regulations remind HR organizations of the frequency and consequences of cyber breaches, creating an opportunity for HR to communicate awareness and urgency for solutions across its workforce.

The exposure gap
For the foreseeable future, the best defense for HR professionals remains proactive preparation. At the beginning of the pandemic, roughly four in ten U.S. companies had cyber insurance protection. As breaches and regulations increase, that percentage will likely continue to climb. Still, there is a significant exposure gap, not only in insurance protection but also in the pre-breach planning that is an integral part of the insurance process.

In the year ahead, we can expect to see more HR leaders seek out proactive planning and protection solutions, which is a valuable opportunity for cyber-specialist brokers to provide best practices and risk mitigation strategies. We can also expect more C-suite executives to seek guidance from HR, with the understanding that, when it comes to enterprise-level cyber risk, reaching every employee is both a critical risk factor and a valuable source of cyber-prevention.
