
HR and Cybersecurity: Considering Cybersecurity for HR Professionals

Published 31st July 2025

In today’s hyper-connected business world, cybersecurity is no longer solely the domain of IT. As cyber threats escalate in sophistication, driven significantly by advancements in Artificial Intelligence (AI), the Human Resources (HR) function is emerging as a critical partner in building a resilient organizational defense. HR’s unique position as the custodian of employee well-being and organizational culture makes it indispensable in mitigating risks and fostering a security-aware workforce.

There are many ways to mitigate risk in cybersecurity, but at OrgShakers, we believe training and HR’s role in training is vital for cybersecurity risk mitigation.

Recent data underscores the urgency of this collaboration. According to the UK government's Cyber Security Breaches Survey 2024, cybersecurity is a high priority for senior management in 75% of businesses and 63% of charities. Despite this heightened awareness, the threat remains substantial: half of all businesses (50%) and around a third of charities (32%) in the UK reported a cybersecurity breach or attack in the 12 months leading up to April 2024. The average cost of a data breach globally reached an all-time high of $4.88 million in 2024, with business disruption and post-breach customer support driving a 10% jump from 2023. These figures show that technical controls alone are insufficient: the human element, involved in 68% of breaches once malicious privilege misuse is excluded, is both the most commonly exploited weakness and the first line of defense.

The Evolving Threat Landscape: AI’s Dual Impact

AI has dramatically altered the cybersecurity landscape, posing both new challenges and opportunities. While AI-powered tools are being leveraged by defenders for threat detection, automated response, and predictive analytics, cybercriminals are also harnessing AI to craft more convincing and scalable attacks. This “AI vs. AI” dynamic is pushing the cybersecurity field towards an arms race.

For HR professionals, the implications are profound. AI has made phishing far more potent. Scammers can now clone a voice from a short audio clip or generate "deepfakes" (fabricated photos and videos) that make social-engineering lures extremely convincing. Employees therefore face increasingly sophisticated attempts to trick them into revealing credentials or sensitive information or into installing malware. For instance, fake employment contracts, complete with company logos and details harvested from public websites, are now used in highly authentic-looking scams. Social media adds a further risk: new hires are often targeted because they are not yet familiar with internal processes and are less likely to question an unusual request.

Considering Cybersecurity for HR Professionals

HR and cybersecurity can go hand in hand. HR's involvement in cybersecurity initiatives is not merely beneficial; it is imperative. By integrating cybersecurity into its core functions, HR can significantly bolster an organization's defenses:

  • Strengthening Recruitment Protocols: Robust recruitment processes should include evaluating a candidate’s understanding of cybersecurity principles, making cyber hygiene as crucial as professional skills. This helps fortify the organization against both internal and external threats from the outset.
  • Policy Formulation and Enforcement: HR is key in developing and enforcing clear, comprehensible policies on password management, personal device usage, and data handling. These policies are foundational in reducing the risk of security breaches.
  • Encouraging Responsible Digital Behavior: Promoting a culture of accountability regarding digital actions is paramount. This includes regular reviews and updates of cybersecurity protocols, emphasizing adherence to established procedures.
  • Employee Exit Management: A meticulous offboarding process is essential when employees leave. HR must ensure the timely revocation of access rights and the return of company assets, and should confirm with IT that revocation actually happened, so that former employees cannot retain or misuse access to sensitive information.
  • Collaboration with IT Department: A cooperative relationship between HR and IT is crucial for promptly addressing employee needs and concerns related to cybersecurity, ensuring a secure and resilient digital infrastructure.
  • Addressing Insider Threats: Insider threats, whether malicious or unintentional, remain a substantial risk. HR can mitigate this through thorough background checks, strict access controls based on the principle of “least privilege” (each user gets the minimum access necessary), and vigilant monitoring for anomalous employee behavior. The ability to identify behavioral changes or patterns, such as conflicts with colleagues or non-compliance with training, can be crucial early warning signs.
  • Confidentiality and Data Protection: As custodians of sensitive employee information, HR must uphold stringent data protection measures. Encrypting HR data, restricting access based on roles, and conducting regular audits are vital in maintaining trust and preventing breaches.
  • Fostering a Reporting Culture: Employees must feel empowered to report suspicious activities without fear of reprisal. HR can establish clear reporting mechanisms and assure employees that their concerns will be addressed promptly and discreetly. This proactive approach contributes to a strong security posture.
  • Proactive Risk Management: By conducting regular risk assessments and audits, HR contributes to identifying and evaluating potential human-factor risks, thus enhancing organizational resilience.
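The exit-management and least-privilege points above both come down to a check that can be automated: reconcile the HR leavers list against the accounts that still exist in the identity provider. The example below is added here and is not OrgShakers' code or a product feature; it assumes two simple exports (an HR roster with `status` and `leave_date`, and an IdP account list with `enabled`, `last_login` and `groups`), and all records in it are constructed sample data. It flags three things: accounts still enabled after the agreed grace period, accounts that signed in after the leave date (evidence of use, which is an incident rather than a housekeeping item), and accounts with no HR owner at all.

```python
"""Leaver reconciliation: compare the HR roster with an identity-provider (IdP)
account export and flag access that the offboarding process should already
have removed. Field names and sample records are assumptions for this example.
"""
from datetime import datetime, timedelta, timezone


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2025-07-28T11:05:00+00:00' to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)


def reconcile(hr_roster, idp_accounts, as_of: str, grace_hours: int = 24):
    """Return offboarding findings as a dict of lists.

    hr_roster:    [{"email", "status", "leave_date"}], status 'active' or 'left'
    idp_accounts: [{"email", "enabled", "last_login", "groups"}]
    as_of:        time the check is run (ISO-8601)
    grace_hours:  how long after leave_date an account may remain enabled before
                  it counts as overdue (the SLA in the HR/IT offboarding runbook)
    """
    now = _parse(as_of)
    by_email = {r["email"].lower(): r for r in hr_roster}
    findings = {"overdue_revocation": [], "post_leave_login": [], "orphan_account": []}

    for acct in idp_accounts:
        email = acct["email"].lower()  # normalise case before matching
        hr = by_email.get(email)

        if hr is None:
            # No HR owner: a contractor who bypassed HR, a shared mailbox, or an
            # attacker-created persistence account. Either way, someone must own it.
            findings["orphan_account"].append(email)
            continue

        if hr["status"] != "left":
            continue

        leave = _parse(hr["leave_date"])
        if acct["enabled"] and now > leave + timedelta(hours=grace_hours):
            hours_since_leave = int((now - leave).total_seconds() // 3600)
            findings["overdue_revocation"].append({
                "email": email,
                "hours_overdue": hours_since_leave - grace_hours,
                "groups": sorted(acct["groups"]),  # privileged groups raise severity
            })

        last_login = acct.get("last_login")
        if last_login and _parse(last_login) > leave:
            findings["post_leave_login"].append(email)

    return findings


# Constructed sample exports (not real people or systems).
AS_OF = "2025-07-31T09:00:00+00:00"

HR_ROSTER = [
    {"email": "a.patel@example.com", "status": "active", "leave_date": None},
    {"email": "b.nguyen@example.com", "status": "left", "leave_date": "2025-07-25T17:00:00+00:00"},
    {"email": "c.okafor@example.com", "status": "left", "leave_date": "2025-07-30T17:00:00+00:00"},
    {"email": "d.silva@example.com", "status": "left", "leave_date": "2025-07-01T17:00:00+00:00"},
]

IDP_ACCOUNTS = [
    {"email": "a.patel@example.com", "enabled": True,
     "last_login": "2025-07-31T08:30:00+00:00", "groups": ["staff"]},
    # Left six days ago, still enabled, and has signed in since: an incident.
    {"email": "B.Nguyen@example.com", "enabled": True,
     "last_login": "2025-07-28T11:05:00+00:00", "groups": ["staff", "hr-admins"]},
    # Left yesterday evening; still inside the 24-hour grace window, no login since.
    {"email": "c.okafor@example.com", "enabled": True,
     "last_login": "2025-07-30T15:00:00+00:00", "groups": ["staff"]},
    # Correctly disabled at departure.
    {"email": "d.silva@example.com", "enabled": False,
     "last_login": "2025-07-01T16:40:00+00:00", "groups": ["staff"]},
    # No HR record at all, and highly privileged.
    {"email": "svc-backup@example.com", "enabled": True,
     "last_login": None, "groups": ["domain-admins"]},
]


def run_example():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_ROSTER, IDP_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

Run as a scheduled job, the same function can be pointed at a nightly HR export and an IdP report; the `grace_hours` value should be the figure HR and IT have actually agreed in the offboarding runbook, and anything in `post_leave_login` or in a privileged group should be routed to the security team rather than to a ticket queue.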

Building an Engaged and Effective Cybersecurity Training Program

Despite the critical need, a significant gap exists in employee cybersecurity education. A 2024 global poll found that 40% of employees have never received cybersecurity training from their organization, and only 27% believe their organization's security measures are very secure. Even when training is offered, engagement can be low because of an "it won't happen to me" attitude or a failure to grasp how serious the threats are. This oversight can be devastating, as incidents such as the 2022 NHS phishing campaign that compromised over 130 email accounts demonstrate.

To truly “land” cybersecurity training, HR professionals must adopt a continuous, engaging, and relevant approach:

  • Move Beyond Generic, Infrequent Training: Training is often too technical, not aligned with specific job roles, or fails to keep pace with evolving threats. Cybersecurity should be a continuous process, not a one-time requirement.
  • Embrace Mixed-Media and Interactive Learning: Traditional, passive training methods often lead to low retention. Incorporate interactive and gamified learning, such as simulated-phishing tools with leaderboards (without "naming and shaming"), and real-life scenarios through videos, case studies, and round-table discussions. Tailoring the approach to different learning styles is crucial.
  • Communicate Consequences Clearly: Employees need to understand why cybersecurity is relevant to them, both personally and professionally. Highlighting the potential financial losses, reputational damage, and legal implications of breaches can significantly increase engagement. The average cost of a data breach in the UK was £5,900 in 2024.
  • Adapt Training Based on Feedback: Soliciting employee feedback on training tone and content ensures it resonates with the company culture and specific workforce.
  • Involve Line Managers: Line managers are instrumental in reinforcing the importance of mandatory training. Devolving responsibility to them, and linking training completion to performance reviews or progression, helps embed a culture of security.
  • Offer Flexible and Bite-Sized Learning: Time constraints are a primary barrier to upskilling for nearly half of employees (47%). Providing dynamic, flexible, and bite-sized learning modules, accessible remotely and on the go, can significantly improve completion rates and retention. Adding elements of rewards and interactive competition can further enhance enjoyment and impact.

Conclusion

The convergence of HR and cybersecurity strategies is not just beneficial; it is a strategic imperative for organizations navigating an increasingly complex digital landscape. As AI gives cybercriminals more sophisticated attack vectors, the human element becomes simultaneously the greatest vulnerability and the most potent defense. HR professionals, by leveraging their expertise in talent management, policy development, and cultural influence, are uniquely positioned to transform employees from potential weak links into a robust, security-aware human firewall.

At OrgShakers, we recognize the critical synergy between HR and cybersecurity. By fostering a collaborative environment, strengthening recruitment protocols, implementing clear policies, championing continuous and engaging training, and proactively addressing insider threats, HR can significantly enhance an organization's overall cybersecurity posture. We are committed to helping you usher in a new era of collaboration between HR and cybersecurity teams, combining your efforts to strengthen defenses and build a future in which the security and well-being of your organization reinforce each other. If you would like to discuss creating a comprehensive cybersecurity roadmap in conjunction with your HR function, please get in touch with us today!
