In today’s hyper-connected business world, cybersecurity is no longer solely the domain of IT. As cyber threats escalate in sophistication, driven significantly by advancements in Artificial Intelligence (AI), the Human Resources (HR) function is emerging as a critical partner in building a resilient organizational defense. HR’s unique position as the custodian of employee well-being and organizational culture makes it indispensable in mitigating risks and fostering a security-aware workforce.

There are many ways to mitigate risk in cybersecurity, but at OrgShakers we believe that training, and HR’s role in delivering it, is vital to cybersecurity risk mitigation.

Recent data underscores the urgency of this collaboration. According to 2024 figures from the Office for National Statistics, cybersecurity is a high priority for senior management in 75% of businesses and 63% of charities. Despite this heightened awareness, the threat remains substantial: half of all businesses (50%) and approximately a third of charities (32%) in the UK reported experiencing a cybersecurity breach or attack in the 12 months leading up to April 2024. The average cost of a data breach globally reached an all-time high of $4.88 million in 2024, with business disruption and post-breach customer support driving a 10% cost increase from 2023. These figures highlight that technical solutions alone are insufficient: the human element, involved in 68% of breaches once malicious privilege misuse is excluded, is both the most significant vulnerability and the first line of defense.

The Evolving Threat Landscape: AI’s Dual Impact

AI has dramatically altered the cybersecurity landscape, posing both new challenges and opportunities. While AI-powered tools are being leveraged by defenders for threat detection, automated response, and predictive analytics, cybercriminals are also harnessing AI to craft more convincing and scalable attacks. This “AI vs. AI” dynamic is pushing the cybersecurity field towards an arms race.

For HR professionals, the implications are profound. AI has made traditional phishing attacks far more potent. Scammers can now use AI to clone voices from short audio clips or generate “deepfakes” (fabricated photos and videos) that make social engineering tactics incredibly convincing. This means employees face increasingly sophisticated attempts to trick them into revealing sensitive information or installing malware. For instance, fake contracts of employment, complete with company logos and relevant information extracted from public websites, are now being used in highly authentic-looking scams. Social media presents an added risk: new hires are often targeted by phishing scams because they are perceived as less familiar with internal processes.

Considering Cybersecurity for HR Professionals

HR and cybersecurity have an opportunity to go hand in hand. HR’s involvement in cybersecurity initiatives is not merely beneficial; it is imperative. By integrating cybersecurity into various HR functions, organizations can significantly bolster their defenses:

  • Strengthening Recruitment Protocols: Robust recruitment processes should include evaluating a candidate’s understanding of cybersecurity principles, making cyber hygiene as crucial as professional skills. This helps fortify the organization against both internal and external threats from the outset.
  • Policy Formulation and Enforcement: HR is key in developing and enforcing clear, comprehensible policies on password management, personal device usage, and data handling. These policies are foundational in reducing the risk of security breaches.
  • Encouraging Responsible Digital Behavior: Promoting a culture of accountability regarding digital actions is paramount. This includes regular reviews and updates of cybersecurity protocols, emphasizing adherence to established procedures.
  • Employee Exit Management: A meticulous offboarding process is essential when employees leave. HR must ensure timely revocation of access rights and the return of company assets to prevent former employees from misusing sensitive information.
  • Collaboration with IT Department: A cooperative relationship between HR and IT is crucial for promptly addressing employee needs and concerns related to cybersecurity, ensuring a secure and resilient digital infrastructure.
  • Addressing Insider Threats: Insider threats, whether malicious or unintentional, remain a substantial risk. HR can mitigate this through thorough background checks, strict access controls based on the principle of “least privilege” (each user gets the minimum access necessary), and vigilant monitoring for anomalous employee behavior. The ability to identify behavioral changes or patterns, such as conflicts with colleagues or non-compliance with training, can be crucial early warning signs.
  • Confidentiality and Data Protection: As custodians of sensitive employee information, HR must uphold stringent data protection measures. Encrypting HR data, restricting access based on roles, and conducting regular audits are vital in maintaining trust and preventing breaches.
  • Fostering a Reporting Culture: Employees must feel empowered to report suspicious activities without fear of reprisal. HR can establish clear reporting mechanisms and assure employees that their concerns will be addressed promptly and discreetly. This proactive approach contributes to a strong security posture.
  • Proactive Risk Management: By conducting regular risk assessments and audits, HR contributes to identifying and evaluating potential human-factor risks, thus enhancing organizational resilience.

Building an Engaged and Effective Cybersecurity Training Program

Despite the critical need, a significant gap exists in employee cybersecurity education. A 2024 global poll revealed that 40% of employees have never received cybersecurity training from their organization, and only 27% believe their organization’s security measures are very secure. Even when training is offered, engagement can be low due to an “it won’t happen to me” attitude or a lack of understanding of the seriousness of threats. This oversight can be devastating, as demonstrated by incidents like the 2022 NHS phishing campaign that compromised over 130 email accounts.

To truly “land” cybersecurity training, HR professionals must adopt a continuous, engaging, and relevant approach:

  • Move Beyond Generic, Infrequent Training: Training is often too technical, not aligned with specific job roles, or fails to keep pace with evolving threats. Cybersecurity should be a continuous process, not a one-time requirement.
  • Embrace Mixed-Media and Interactive Learning: Traditional, passive training methods often lead to low retention. Incorporate interactive and gamified learning, such as phishing testing tools with leaderboards (without “naming and shaming”), and real-life scenarios through videos, case studies, and round-table discussions. Tailoring the approach to different learning styles is crucial.
  • Communicate Consequences Clearly: Employees need to understand why cybersecurity is relevant to them, both personally and professionally. Highlighting the potential financial losses, reputational damage, and legal implications of breaches can significantly increase engagement. The average cost of a data breach in the UK was £5,900 in 2024.
  • Adapt Training Based on Feedback: Soliciting employee feedback on training tone and content ensures it resonates with the company culture and specific workforce.
  • Involve Line Managers: Line managers are instrumental in reinforcing the importance of mandatory training. Devolving responsibility to them, and linking training completion to performance reviews or progression, helps embed a culture of security.
  • Offer Flexible and Bite-Sized Learning: Time constraints are a primary barrier to upskilling for nearly half of employees (47%). Providing dynamic, flexible, and bite-sized learning modules, accessible remotely and on the go, can significantly improve completion rates and retention. Adding elements of rewards and interactive competition can further enhance enjoyment and impact.

Conclusion

The convergence of HR and cybersecurity strategies is not just beneficial; it is a strategic imperative for organizations navigating an increasingly complex digital landscape. As AI equips cybercriminals with more sophisticated attack vectors, the human element becomes simultaneously the greatest vulnerability and the most potent defense. HR professionals, by leveraging their expertise in talent management, policy development, and cultural influence, are uniquely positioned to transform employees from potential weak links into a robust, security-aware human firewall.

At OrgShakers, we recognize the critical synergy between HR and cybersecurity. By fostering a collaborative environment, strengthening recruitment protocols, implementing clear policies, championing continuous and engaging training, and proactively addressing insider threats, HR can significantly enhance an organization’s overall cybersecurity posture. We are committed to helping you usher in a new era of collaboration between HR and cybersecurity teams, aligning your efforts to strengthen defenses and build a future where the security and well-being of your organization are mutually reinforced. If you would like to discuss creating a comprehensive cybersecurity roadmap in conjunction with your HR function, please get in touch with us today!

Research has found that an alarming number of employees are now using their own AI tools at work, without the permission of their organization.

According to a survey by Software AG, half of all knowledge workers – defined as “those who primarily work at a desk or computer” – use personal AI tools.

Most knowledge workers said they use their own AI tools because they prefer their independence (53%). An additional 33% said it’s because their organization does not currently offer the tools they need.

This suggests that if businesses want their employees to use officially issued tools, a different process is needed for determining the ones that are actually made available.

The research goes on to show that personal AI tools are so valuable to their users that nearly half of workers (46%) would refuse to give them up, even if their organization banned them completely.

This is a powerful signal to organizations that they need more robust and comprehensive AI strategies, to prevent inviting significant risk into their business.

In a recent article the BBC spoke to a product manager at a data storage company, which offers its people the Google Gemini AI chatbot.

External AI tools are banned by the company, but the product manager uses ChatGPT through search tool Kagi. He finds the biggest benefit of AI comes from challenging his thinking when he asks the chatbot to respond to his plans from different customer perspectives.

“The AI is not so much giving you answers, as giving you a sparring partner,” he says. “As a product manager, you have a lot of responsibility and don’t have a lot of good outlets to discuss strategy openly. These tools allow that in an unfettered and unlimited capacity.”

He’s not sure why the company has banned external AI. “I think it’s a control thing,” he says. “Companies want to have a say in what tools their employees use. It’s a new frontier of IT and they just want to be conservative.”

It’s an interesting perspective – but Shadow AI comes with significant risks.

Modern AI tools are built by digesting huge amounts of information, in a process called training, and the research cited above found that around a third of AI applications are trained using information entered by their users.

Consequently, the uncontrolled use of Shadow AI can result in company data being stored in AI services that the employer has no control over and no awareness of, and which may themselves be vulnerable to data breaches. Once that data has been used for training, it cannot be recalled.

It’s another example which shows cybersecurity isn’t just about firewalls and encryption – it’s about people. And HR holds the key to making every employee a vigilant defender of the company’s digital assets.

If you would like to discuss how we can help build cybersecurity into the culture of your organization, please get in touch with us today!

With Cybersecurity Awareness Month in full swing, it’s the perfect time to examine a critical, yet often overlooked, aspect of an organization’s cybersecurity strategy: culture.

While technical solutions and security protocols are essential, the human element—how people think, act, and interact with technology—can make or break an organization’s defences.

This is where Human Resources comes in.

HR has a unique role in shaping company culture, and when it comes to cybersecurity, fostering a security-conscious mindset among employees is just as crucial as implementing firewalls and encryption.

Here’s how HR can play a pivotal role in building and sustaining a culture of cybersecurity:

1. Embed Cybersecurity in Company Values

Organizational values are more than just words on a website—they define how employees interact, collaborate, and behave within the company. To create a culture of cybersecurity, HR should ensure that data protection and security consciousness are embedded into these values from the start.

When security becomes a part of the company’s DNA, employees are more likely to take personal responsibility for safeguarding both their own information and the company’s digital assets. This can start as early as the onboarding process, where cybersecurity awareness is introduced not as an additional task, but as a core company value that’s integrated into everything employees do.

2. Train Beyond Compliance: Develop a Cyber-Savvy Workforce

Too often, cybersecurity training is treated as a compliance requirement—a once-a-year online module that employees rush through. This checkbox mentality does little to build awareness or change behavior. Instead, HR can advocate for dynamic and continuous cybersecurity training that keeps employees engaged and informed.

Here are a few effective training strategies to consider:

  • Regular Training: Move beyond annual training. Implement shorter, more frequent cybersecurity sessions that focus on current threats like phishing, ransomware, and social engineering. These can be paired with real-world examples or recent security breaches to drive home the importance of vigilance.
  • Role-Specific Education: Not all employees face the same risks. Tailor cybersecurity training to different departments (for instance, finance and HR staff may require more detailed guidance on handling sensitive personal data, while marketing teams may benefit from training on securing customer information).
  • Interactive Learning: Consider gamified learning platforms or interactive cybersecurity workshops. Simulations, such as phishing tests, can challenge employees to spot real-time threats and reward them for successful avoidance.

By transforming cybersecurity training into a dynamic, engaging, and ongoing experience, HR can help employees feel personally invested in protecting both company and personal data.

3. Reward Security-Conscious Behavior

One of the most effective ways to change behavior within an organization is through positive reinforcement. When employees demonstrate strong cybersecurity practices—such as identifying phishing attempts, reporting suspicious activity, or implementing secure password protocols—HR should recognize and reward those behaviors.

Creating a security recognition program or incorporating cybersecurity metrics into performance reviews can incentivize employees to stay vigilant. This positive reinforcement not only motivates employees but also demonstrates that the organization takes cybersecurity seriously at every level. It helps to shift the perception of cybersecurity from a set of rules employees must follow to an active role they play in the company’s success and safety.

4. Make Cybersecurity a Leadership Priority

A strong culture of cybersecurity starts at the top. HR can work closely with leadership to ensure that the importance of cybersecurity is frequently communicated and demonstrated. When executives and managers model good security behaviors—such as using strong, unique passwords or quickly reporting suspicious emails—it sets a standard for the entire organization.

HR can support this by facilitating cybersecurity briefings for leadership, ensuring they are well-versed in the current threat landscape and the impact that a potential breach could have on the organization. When leaders are informed and engaged, it helps to foster a trickle-down effect that influences employees across all levels.

5. Cybersecurity in Offboarding: Don’t Leave a Door Open

While most companies understand the need to secure new hires with proper onboarding training, the offboarding process is equally critical in protecting against cyber threats. Former employees who retain access to company systems, even unintentionally, can become significant security risks.

HR plays a central role in ensuring that cybersecurity protocols are closely followed when employees exit the company. This includes working with IT to:

  • Immediately revoke access to all systems and accounts, including shared mailboxes, SaaS tools and any credentials the leaver held, and confirm afterwards that nothing was missed.
  • Retrieve company-owned devices, ensuring they are wiped of sensitive data before reuse.
  • Remind exiting employees of their ongoing obligations regarding company information security, even after they leave.

A structured, secure offboarding process prevents any gaps that could be exploited by malicious actors or inadvertently lead to data leaks.
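The step that most often slips is the final confirmation: HR marks someone as left, but an account somewhere stays enabled. The following script is an added example, not code from the original article or from OrgShakers, showing how HR and IT can reconcile the HR roster against a directory export. It flags enabled accounts that belong to leavers or to nobody at all, and it also performs the least-privilege audit mentioned earlier on this page under “Addressing Insider Threats” and “Confidentiality and Data Protection”, by reporting group memberships that exceed what a person’s HR role permits. The roster, the account list and the role-to-group mapping are all constructed for this example; a real run would read them from the HR system and the identity provider.

```python
"""Joiner/mover/leaver reconciliation: HR roster vs. directory accounts.

Added example. All data below is constructed for illustration; the
role-to-group mapping is a hypothetical policy, not any real organisation's.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    leave_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: frozenset


# Hypothetical least-privilege policy: which groups each HR role may hold.
ROLE_GROUPS = {
    "hr": frozenset({"staff", "hr-data"}),
    "finance": frozenset({"staff", "finance-ledger"}),
    "marketing": frozenset({"staff", "crm"}),
}


def find_stale_leaver_accounts(employees, accounts, today):
    """Enabled accounts whose owner has already left, or who has no HR record."""
    by_id = {e.user_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, "no HR record (orphan account)"))
        elif emp.leave_date is not None and emp.leave_date <= today:
            findings.append(
                (acct.user_id, f"left on {emp.leave_date.isoformat()} but account still enabled")
            )
    return findings


def find_excess_entitlements(employees, accounts, role_groups=ROLE_GROUPS):
    """Groups an enabled account holds beyond what the owner's HR role permits."""
    by_id = {e.user_id: e for e in employees}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None or not acct.enabled:
            continue  # orphans are already reported by the leaver check
        allowed = role_groups.get(emp.role, frozenset())
        extra = acct.groups - allowed
        if extra:
            findings.append((acct.user_id, sorted(extra)))
    return findings


# Constructed sample data: one current employee with too much access,
# one leaver whose account was never disabled, one future leaver,
# and one account with no matching HR record.
EMPLOYEES = [
    Employee("alice", "hr", None),
    Employee("bob", "finance", date(2024, 3, 31)),
    Employee("carol", "marketing", date(2024, 12, 31)),
]
ACCOUNTS = [
    Account("alice", True, frozenset({"staff", "hr-data", "finance-ledger"})),
    Account("bob", True, frozenset({"staff", "finance-ledger"})),
    Account("carol", True, frozenset({"staff", "crm"})),
    Account("svc-legacy", True, frozenset({"staff"})),
]


def run(today=date(2024, 6, 1)):
    """Run both checks and return the findings for review by HR and IT."""
    return {
        "stale_leavers": find_stale_leaver_accounts(EMPLOYEES, ACCOUNTS, today),
        "excess_entitlements": find_excess_entitlements(EMPLOYEES, ACCOUNTS),
    }


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, item)
```

Run on a schedule (daily is typical), the output is the list HR and IT should work through: every stale leaver account gets disabled and its groups removed, every orphan account gets an owner or is retired, and every excess entitlement is either removed or formally approved as an exception. Note that carol is not flagged because her leave date is still in the future; the check is date-aware so it can be run ahead of the leaving date without creating noise.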

6. Foster a Culture of Reporting Without Fear

Many employees hesitate to report cybersecurity concerns, fearing they might face reprimand or be seen as negligent. HR can help address this by fostering an environment where reporting suspected security incidents is encouraged and celebrated.

To do this, HR can work with IT to create a clear, anonymous reporting system that allows employees to easily and safely report suspicious emails, potential breaches, or unusual activity without fear of blame or punishment.

HR is in a unique position to champion cybersecurity by fostering a culture where security is everyone’s responsibility, not just the IT department’s. Through thoughtful training, positive reinforcement, and secure processes, HR can influence behaviors that make a lasting impact on the company’s overall security posture.

In today’s digital world, an organization’s strength lies not just in its technical defences but in its people. By cultivating a culture of cybersecurity, HR can protect both the organization and the employees who help it thrive.

As we celebrate Cybersecurity Awareness Month, let’s remember that cybersecurity isn’t just about firewalls and encryption—it’s about people. And HR holds the key to making every employee a vigilant defender of the company’s digital assets.

If you would like to discuss how we can help build cybersecurity into the culture of your organization, get in touch with me at sayid@orgshakers.com

In an era of escalating cyber threats, the symbiotic relationship between Human Resources (HR) and cybersecurity has never been more pivotal. Typically seen as the custodians of employee wellbeing and organizational culture, HR professionals are crucial in reinforcing a company’s defence mechanisms against cyberattacks.

By facilitating regular training sessions and workshops, HR can help to ensure employees are well-versed in recognizing and addressing potential cyber threats. Cultivating a security-aware culture is foundational to minimizing vulnerabilities such as phishing attacks and social engineering tactics.

Below is a list of different ways HR can bolster cybersecurity initiatives and maintain robust enforcement:

  1. Strengthening Recruitment Protocols:

By implementing rigorous recruitment processes, HR can ensure that candidates possess a sound understanding of cybersecurity principles. Evaluating a candidate’s cyber hygiene can be as essential as assessing their professional skills, fortifying the organization against internal and external threats.

  2. Policy Formulation and Enforcement:

HR is integral in crafting and enforcing policies that delineate acceptable use of organizational resources. Transparent, comprehensible policies related to password management, use of personal devices, and data handling can significantly diminish the risk of security breaches.

  3. Encouraging Responsible Digital Behaviour:

Promoting a culture of responsibility and accountability regarding digital actions is paramount. HR can champion this by conducting regular reviews and updates of cybersecurity protocols, emphasizing the importance of adherence to established procedures.

  4. Employee Exit Management:

When employees leave an organization, HR should oversee the proper offboarding process, ensuring the revocation of access rights and the return of company assets. This mitigates the risk of former employees misusing sensitive information.

  5. Collaboration with IT Department:

By fostering a cooperative relationship with IT departments, HR can promptly address employee needs and concerns related to cybersecurity. This collaborative approach aids in maintaining a secure and resilient digital infrastructure.

  6. Addressing Insider Threats:

Insider threats, whether malicious or unintentional, are a substantial risk to organizations. HR can mitigate this by conducting thorough background checks, implementing strict access controls, and maintaining a vigilant approach to anomalous employee behaviour.

  7. Confidentiality and Data Protection:

HR is often the custodian of sensitive employee information. Upholding stringent data protection measures and ensuring the confidentiality of employee data is pivotal in maintaining trust and thwarting potential breaches.

  8. Fostering a Reporting Culture:

Encouraging employees to report suspicious activities or potential threats without fear of reprisal is essential. HR can develop precise reporting mechanisms and assure employees that their concerns will be addressed promptly and discreetly.

  9. Proactive Risk Management:

HR can assist in identifying and assessing potential risks related to human factors. HR contributes to developing a proactive risk management strategy by conducting regular risk assessments and audits, enhancing organizational resilience.

Integrating HR in cybersecurity initiatives is not just beneficial—it’s imperative. HR professionals can significantly enhance an organization’s cybersecurity posture by fostering an environment of awareness, responsibility, and collaboration. The convergence of HR and cybersecurity strategies ensures the alignment of human potential with technological resilience, creating a robust defence against the ever-evolving landscape of cyber threats. In this interconnected age, where the human element is both the first line of defence and the most significant vulnerability, the role of HR in maintaining cybersecurity is undeniably pivotal.

At OrgShakers, we can help you usher in a new era of collaboration between HR and cybersecurity teams by synergizing your efforts, strengthening your defences, and building a future where the security and wellbeing of your organization is mutually reinforced. If you would like to discuss creating a cybersecurity roadmap in conjunction with your HR function, please get in touch with me at sayid@orgshakers.com
