Employers overlook a key ally in preventing cyberattacks: HR departments
Everyone gets them — an email message that looks exactly like it came from a co-worker or a supervisor. It may come with a link that asks an employee to log in with a company username and password. To the untrained eye it seems harmless.
But employees need to think twice before they click, warns Monica Minkel, senior vice president and regional director of insurance brokerage and consulting firm USI Insurance Services. These are the kinds of scams, she says, that lead to major cybersecurity breaches — and major headaches for employers.
“These claims are like spider webs,” she says. “It’s one thing that happens that leads to about 10 other things that happen.”
The number of attacks on company computer systems is on the rise. The average number of security breaches per year increased by 27.4% in 2017, according to a report from Accenture. But by the time an attack occurs, it may be too late. Discussion on preventing a cyberattack should happen before the breach even occurs, experts say, and human resource departments need to play a key role in preventing these attacks.
Traditionally, new hires are required to complete an HR-facilitated cybersecurity training during their first few weeks in the office. But a single onboarding training session is not enough anymore, experts say.
A small mistake by an unsuspecting employee is often at the center of a major security breach, says Jon Gossels, president and CEO of IT compliance and security consulting services company SystemExperts.
But Gossels says the “fundamental problem” is that many employers still don’t view cybersecurity as an HR issue, and too many place most of the burden on IT. In reality, cybersecurity is a business-wide problem, he says, and shouldn’t just be concentrated in IT.
“It’s the human side of things that inevitably breaks down,” he says.
Having a solid employee training program in place can help prevent a cyberattack, Gossels says. Employees may not understand why, for example, you shouldn’t take important company data home, he says, and these kinds of things should be thoroughly demonstrated in training.
“It’s important not to just tell people the rules, but to explain why,” he says.
It’s also not enough to train once a year, and HR should make it a priority to teach employees about cybersecurity year round, say Ray Hutchins and Mitch Tanenbaum of consulting firm CyberCecurity. There are some methods that can help HR provide continuous training to employees on security breaches, they say.
For example, some companies send out fake phishing emails to employees once every few months. If an employee clicks on the link in the fake email, they will be guided through a training with information on why they should not open links from unknown addresses.
There are also security awareness training platforms available, like Wombat Security, KnowBe4 and PhishMe, that are designed specifically to help train employees on cybersecurity. Companies should look to outside platforms to help them train employees, they say, because these solutions may be more up-to-date than something an employer develops itself.
“Any organization that is not using one of those online products is really making a mistake; there’s no way that any internal organization has the ability to develop the kind of content that those products can offer you,” Hutchins says.
Kristie Evans, president of HR consulting firm HRPMO, says there are small things that HR leaders can do on a regular basis to help mitigate the risk of cyberattacks. Sometimes, she says, it can be as small as reminding employees to change their passwords. It’s important that HR leaders have continuous communication with employees.
HR executives “need to not only pay attention to what is being said to an employee during orientation, they need to have some type of interaction with employees on a regular basis,” says Evans.
HR departments are also vulnerable to attacks because of the type of sensitive personal information they collect from employees, she says. This treasure trove of information includes employees’ names, addresses, family members, Social Security numbers and even bank account numbers for their direct-deposited paychecks. The fewer people that have access to personal employee information, the better. It also may be useful for HR departments to automate their processes so it is easier to grant and revoke access to confidential company systems, Evans says. This reduces the number of people inside the company who have access overall.
“HR departments are vulnerable because of the data that they have,” she says.
Although it’s relatively new, it may be a good idea for companies to invest in cyber liability insurance, experts say, to help protect themselves from an attack. But Minkel says that many employers don’t even really know what cyber liability insurance entails.
Cyber liability insurance is meant to protect companies from cyberattacks, Minkel says. It can include multiple things, depending on what the company selects, but generally it covers money for external IT staff to help with a breach, credit monitoring and notification expenses, and ransomware cases. It may also cover public relations or media expenses if a hack were to go public. In the last couple of years, Minkel says, extra elements have been added to cyber liability insurance, like business income interruption and legal liability. But it really depends on the type of coverage an employer selects, she says.
“You really have to understand what you’re buying,” she says.
But one of the main lines of defense against a cyberattack is education, Minkel says, and that is where HR can really shine.
“You’ve got to go through and remind your people every once in a while that there’s these spam emails that go out,” she says. “Last thing you can do that really reduces the claims we’re seeing right now is education.”