The people profession’s role in handling cybersecurity risks

Rather than just being an IT issue, protecting a business from online attacks requires an organisation-wide approach, says Opemipo Koshemani

The instant switch to remote working because of the global pandemic has increased internet usage as people collaborate across teams and stay connected to colleagues, family, friends and their community. The accelerated adoption of telehealth in healthcare, the shift of retail from a bricks-and-mortar model to an online environment, the delivery of education online and remote working are all examples of changes in how businesses have been operating over the last year.

Consequently, increased online activity has resulted in greater vulnerability, creating more opportunities for hackers to exploit and perpetrate cyber attacks such as online phishing, Covid-related frauds, social media attacks and ransomware. For instance, between January and March 2020, Google registered at least a 250 per cent rise in phishing websites. While this is not a new issue, it has been exacerbated by increased internet usage during the pandemic.

In 2017 we observed the WannaCry ransomware attack, which affected more than 60 NHS trusts within the UK and spread to 150 countries, costing tens of millions of pounds in the process. Such attacks can have a significant impact on an organisation, including loss of data, reputational risks and financial loss. 

In the last year, conversations about how we work have centred on employee wellness and safety. Activities and initiatives that enable people to stay connected to their communities and protect their mental health are examples of how organisations have enabled most of their employees to stay safe during the pandemic. There has been a great deal of emphasis on ensuring people have the right equipment, and workstation assessments are being conducted. These conversations should include consideration for how employees can navigate the digital environment safely. 

Organisations must understand the implications of an increasing threat for a hybrid workforce now and post-pandemic, and ensure their employees and other stakeholders are aware of cybersecurity risks and how to handle them. This requires cross-functional collaboration, and HR has a role to play in these conversations as a facilitator and enabler. A large number of data breaches are caused by human error, and therefore it is imperative that cybersecurity is seen as everyone’s responsibility, and not just an IT issue. Equally, the approach must be one that supports and empowers employees.

HR functions, as custodians of personal and confidential information, are also targets for threats aimed at collecting financial and personally identifiable information. Cyber threat actors see them as an expedient way to collect large amounts of data. An example is the GoldenEye ransomware, which targets HR departments with fake job applications.

While most organisations have adopted similar approaches such as the zero-trust security model, multi-factor authentication, phishing simulations and the use of virtual private networks, the organisational approach to enabling teams to work safely will vary, and needs to take account of factors such as the firm’s size and stage of digital transformation. 

Here are some examples of how businesses can tackle cyber threats:

Security culture

Incorporate security into the organisation’s culture and its shared values. Organisations have a shared set of values and behavioural frameworks that employees are required to adhere to, and these shape the culture.

Employers can clearly set out guidelines that create a set of shared values, while taking an enabling, non-punitive approach – one that aims to educate and engage so that employees feel comfortable reporting any issues they have without worrying that they will get the blame for an incident or breach. Engage, acknowledge and recognise good security behaviour within the organisation so that individuals know what good looks like. 

Onboarding to offboarding

Incorporate cybersecurity and the importance of security into processes. There are large numbers of staff across businesses who have never worked in the office since their employment began during lockdown. Therefore, as well as educating existing employees, it is also necessary that new starters have access to training content. When people leave the organisation, it is important to have clear processes in place for revoking their credentials and access to systems. 

Security awareness training

Develop a training plan and update it regularly to account for the emergence of new threats and patterns. Give employees clear guidelines and training on how to spot an attack, and vary training methods to suit different learning styles.

This is particularly crucial with a multi-generational workforce, as organisations will want to ensure that they offer a wide range of choices for getting up to speed. There could be gains from collaborating with the organisation’s L&D function, as they will be well versed in delivering effective training programmes and can support with training design.

Plugging the cybersecurity skills gap

Historically, cybersecurity has grown as a sub-function of IT, and a current challenge is that demand for these experts outweighs availability. So organisations can support more people to change careers into this field, or have a strategy for how they can attract more people to work in this field while they train up others within the business.

Distraction, stress, fatigue and burnout impact people’s ability to remain alert and consistently make good cybersecurity decisions. Therefore, it is important for managers and leaders to regularly check in with their teams and conduct regular one-to-ones. Key to this is how we recruit and develop our people managers and leaders to nurture positive and healthy cultures.