HR Leads Business

May 26, 2018 | Tim Lemke, HRCI Staff Writer

HR is Crucial in Preventing and Responding to Cyberattacks

As an HR professional, you may believe your time is best spent working on salary and benefit issues, developing training programs, or recruiting job candidates.

That is, until your organization is the victim of a massive cyberattack.

In the wake of several high-profile data breaches, cybersecurity is of growing concern at many firms. And security and legal experts say it’s no longer solely the responsibility of information technology pros to prevent and respond to cyber intrusions.

“We’re trying to teach HR to say ‘it’s not benefits, it’s not compensation, but it’s arguably more important,’” says Louis Lessig, SPHR, a partner at the New Jersey law firm Brown and Connery.

Lessig will present “Understanding Cybersecurity: The New Role of HR in Protecting Your Organization” on June 20 at the SHRM Annual Conference and Expo.

Lessig says HR leaders should understand how to protect a company against cyber threats, know how to respond when they happen and know when to hire outside help. This is especially true in an age when employees heavily rely on computers and devices to do their jobs.

“You need to ask yourself: What if the bottom fell out. What would we do?” he says. “The [Chief Information Officer] is, day to day, going to be preventing the massive stuff. But HR has to have an intimate knowledge of what the response plan is. If the network goes down and all those devices we issue [to workers] crap out, who are people going to call?”

Changing Culture

If you think HR doesn’t need to be involved in cybersecurity issues, ask yourself this: Which department maintains all of an organization’s personnel files? Imagine the horror if all of that personal employee data ended up in the wrong hands.

“If we’re going to talk about all that personal information, you have to think about whether there is a heightened responsibility for HR,” Lessig says.

HR pros, of course, should not be expected to understand complex computer systems, anti-virus software or how to respond to a network attack. That’s left to the employees with computer science skills.

That said, it’s important to know that data breaches and cyberattacks aren’t always highly sophisticated or carried out by hackers with extraordinary technical skill. Rather, many breaches are simply the result of employees being careless.

Cyberattacks frequently come via “phishing” methods, in which an employee receives a request for information via email that appears to come from a trusted person or organization. All it takes is one worker to respond without carefully checking the source.

“These hackers are banking statistically on people making a mistake,” Lessig says.

Organizations can protect against these errors by fostering a culture in which employees understand their own potential as weak links. And IT experts want HR colleagues on board to help implement that culture.

“It is not about pointing out that you’re the failure or you’re the issue,” Michael Gianarkis, director of Trustwave SpiderLabs, tells Human Resources Director magazine. “It’s more about saying these are the behaviors that we are trying to instill. Being able to reinforce and positively reward those behaviors and really embracing that culture holistically top down is how you do it.”

Lessig goes so far as to say that basic cybersecurity training may be more important than training to prevent sexual harassment. This is particularly true, he says, in offices where employees will bring computers and devices home.

“If you have employees, you have to train them on this,” he says. “Before you hit send, before you open an email and really dive into a Google search into a particular area or hit a website, you have to think. We don’t take the time to stop and think.”