HR’s Role in Cybersecurity Awareness and Training

Introduction

Cybersecurity is now a key element of organizational risk management in today’s highly interconnected business environment. Although the IT department is usually the custodian of digital infrastructure, cybersecurity is no longer a purely technical concern. Human behavior is increasingly recognized as both a critical line of defense and a significant weakness.
Human resources (HR) is therefore an essential and strategic partner in building a security-conscious culture within a business. HR professionals shape workforce behavior and its alignment with cybersecurity objectives, from recruiting with security awareness in mind to implementing security awareness training (Llorens, 2023). This article discusses how HR departments can drive and support cybersecurity awareness and training to enhance the organization’s overall cyber resilience.

The Human Factor in Cybersecurity

According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involved the human element: error, privilege misuse, stolen credentials, or social engineering (Verizon, 2023). This shows that personnel must be enabled not only to know about cybersecurity risks but to recognize and prevent them. Employees are at once the weakest link in the cybersecurity chain and its first line of defense. HR departments are not technical experts, but within the management structure they are uniquely placed to influence employees’ behaviors, values, and awareness.


HR’s Primary Roles in Cybersecurity Awareness

Integrating Organizational Culture with Cybersecurity

Organizational culture is shaped by many things, such as leadership, values, and employee behavior, in all of which human resources plays a leading role. One of the most effective ways a company can improve its cybersecurity preparedness is to make security part of that culture, so that employees think about it daily.
HR can do that by:
⦁ Including cybersecurity in mission and values statements
⦁ Reinforcing security messages consistently in internal communications
⦁ Running recognition programs that reward compliance and best practices
⦁ Encouraging leaders to model secure behavior
By making cybersecurity part of company culture, organizations ensure that secure behaviors are not optional but are treated as basic standards of professional conduct.

Policy Making and Enforcement

HR collaborates with the IT and legal departments to develop, refine, and institutionalize a wide range of cybersecurity policies. These include:
⦁ Acceptable Use Policies (AUP): Specify how business systems may be used.
⦁ BYOD/Remote Work Policies: Mitigate the risks of remote access and personally owned devices.
⦁ Data Handling Policies: Guide staff on how to handle sensitive information.
⦁ MFA and password requirements: Set the standards for secure authentication.
Policies are only effective if employees understand and follow them. HR is responsible for communicating policies clearly, keeping the documents accessible, and obtaining acknowledgment and consent during onboarding. HR can also build policy compliance into performance reviews or audit whether policies are being followed.

Cybersecurity Training: The HR-Led Approach

⦁ Creating Role-Based Training

HR specializes in designing learning experiences suited to the different roles and risk levels within an organization. A cybersecurity awareness program should not consist of a single generic module (Nica et al., 2024). Instead, HR and IT should work closely together on training programs matched to each role:
⦁ Finance staff are trained to identify fraudulent invoices and wire-transfer fraud.
⦁ Customer care staff are trained to handle personally identifiable information (PII) appropriately.
⦁ Executives are taught about reputational risk and spear-phishing.
⦁ Developers are trained on secure coding and data privacy law.

Training methods must be engaging and accessible:
⦁ Microlearning modules delivered by email or through an LMS
⦁ Tutorial videos showing examples of phishing
⦁ Scenario-based simulations and quizzes
⦁ Gamification to raise participation
HR involvement in preparing training materials keeps them easy to understand, relevant, and applicable, which increases awareness, application, and retention.
⦁ Onboarding Training

Cybersecurity awareness needs to start on day one. HR should include a cybersecurity education component in the onboarding process for every new employee, regardless of department or seniority.
Such onboarding should cover:
⦁ The company’s cybersecurity policies and expectations
⦁ Incident reporting procedures
⦁ Common risks in the employee’s profession or role
⦁ Safe use of company systems
Building cybersecurity into onboarding reduces early mistakes by helping new employees establish good habits from the first steps of their careers.
⦁ Continuous Learning and Recurrent Training

Cyber threats change constantly: new malware variants, social engineering methods, and phishing schemes appear all the time. Cybersecurity education should therefore be ongoing and dynamic rather than an annual checkbox.

HR should schedule regular training activities, including:
⦁ Quarterly refresher sessions
⦁ Phishing simulation campaigns
⦁ Mandatory annual recertification
HR can also use the analytics and feedback from these activities to improve the training and to identify employees or departments that need additional support.
Behavior Change and Continuous Learning to Improve Cyber Hygiene

Good cybersecurity training is not only about conveying knowledge but also about changing behavior. HR can apply behavioral science concepts to nudge employees toward safer daily practices.
Examples include:
⦁ Nudges such as password-update reminders and prompts to avoid unsecured public Wi-Fi
⦁ Visual cues for safe behavior, such as desktop wallpapers or posters
⦁ Positive reinforcement for safe practices, such as gift cards or public acknowledgment
⦁ Consequences for noncompliance that are transparent and consistently applied
By changing habits at scale, HR helps build a workplace where good cyber hygiene is second nature.
The Role of HR in Incident Response

HR plays a crucial role in response and recovery during a cybersecurity incident. This may include:
⦁ Ensuring that employees report incidents promptly, without fear of being blamed.
⦁ Liaising with management and IT to isolate affected users or systems.
⦁ Communicating calmly and clearly with employees, clients, or partners.
⦁ Determining whether a policy violation or an insider threat contributed to the incident.

HR can support post-incident reviews and training updates, making sure that mistakes become lessons learned and that training material and policies are revised to reflect them. If an employee’s actions caused the breach, HR organizes disciplinary action in accordance with company policy and labor law.
⦁ Legal and Compliance Elements

Compliance is also a cybersecurity awareness issue. Most organizations are subject to frameworks such as:
⦁ General Data Protection Regulation (GDPR)
⦁ Health Insurance Portability and Accountability Act (HIPAA)
⦁ Payment Card Industry Data Security Standard (PCI DSS)
⦁ Information security management standards such as ISO/IEC 27001
HR has to ensure that training programs satisfy these regulatory requirements and that completion is documented and tracked. That record matters during an audit or investigation, when regulators want evidence that employees were trained and are aware of the policies.
⦁ Promoting Interdepartmental Collaboration

Cybersecurity is a team effort, and HR is the natural coordinator of collaboration across departments:
⦁ With executives: to secure budgets and top-down support
⦁ With IT: to define technical content and prioritize threats
⦁ With Legal: to comply with privacy and data protection law
⦁ With Communications: to craft consistent, unambiguous messaging
HR ensures that everyone, from interns to executives, understands their role in protecting the organization’s data, and that training programs align with the organization’s long-term risk management goals.
⦁ Utilizing KPIs and Metrics

HR should track key performance indicators (KPIs) to evaluate and adjust cybersecurity training, as in the table below.
HR-Driven Cybersecurity Awareness Metrics (Annually)

Metric                                   2021   2022   2023   2024
Staff trained in cybersecurity            400    520    600    650
Staff completing training on time (%)      60     75     82     90
Phishing simulation click rate (%)         25     18     10      7
Suspicious emails reported                150    210    345    570
Internal incidents reported                15      9      6      3
Training sessions held                      3      7      9     11

HR can use these KPIs to:
⦁ Assess the effectiveness of training
⦁ Recommend areas for improvement
⦁ Justify budget requests for new tools or systems
⦁ Report to regulators or other relevant authorities

One caveat when reading the table: a falling click rate can be flattered by easier lures, so the rising count of reported emails (and the time between delivery and first report) is the better sign that staff actually detect phishing. Data-driven decisions strengthen organizational support for the program and raise its quality.

⦁ Responding to the Insider Threats

Insider threats, whether intentional or not, can be very harmful to an organization. The Ponemon Institute (2022) estimated the average annual cost of insider-related incidents at more than $15 million. HR should go the extra mile to address this risk by:
⦁ Managing access controls and permissions when employees change positions
⦁ Using exit procedures to revoke access for departing employees
⦁ Monitoring for suspicious behavior, policy violations, or signs of disaffection
⦁ Running employee support initiatives to reduce the stress that can lead to malicious acts
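The access-control and exit-procedure items above only work if HR data actually reaches the identity system. The following Python script is an added example, not code from the article or its sources. It assumes a hypothetical HR roster export (with an end date for leavers), a hypothetical directory export and a hypothetical role-to-group mapping, all constructed below, and reconciles them to find leavers whose accounts are still enabled, accounts with no roster owner, movers who kept entitlements from a previous role, and dormant accounts.

```python
"""Reconcile the HR roster against directory accounts for joiner/mover/leaver gaps.

Added example; the roster, the directory export and the role-to-group mapping
are constructed for illustration and do not describe a real tenant.
"""
from datetime import date

# Assumed mapping of HR job role to the groups that role is entitled to.
ROLE_GROUPS = {
    "finance-manager": {"all-staff", "finance-ro", "finance-rw", "erp-users", "wire-approvers"},
    "finance-analyst": {"all-staff", "finance-ro", "erp-users"},
    "support-agent": {"all-staff", "crm-users"},
}

# Constructed HR export: end_date is filled in once a leaver's last day is known.
HR_ROSTER = [
    {"employee_id": "E100", "email": "alice@example.com", "role": "finance-manager", "end_date": None},
    {"employee_id": "E101", "email": "bob@example.com", "role": "support-agent", "end_date": "2024-05-31"},
    # Carol moved from finance-manager to finance-analyst last month.
    {"employee_id": "E102", "email": "carol@example.com", "role": "finance-analyst", "end_date": None},
]

# Constructed directory (IdP) export.
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "enabled": True, "last_login": "2024-06-10",
     "groups": ["all-staff", "finance-ro", "finance-rw", "erp-users", "wire-approvers"]},
    {"email": "bob@example.com", "enabled": True, "last_login": "2024-05-30",
     "groups": ["all-staff", "crm-users"]},
    {"email": "carol@example.com", "enabled": True, "last_login": "2024-06-11",
     "groups": ["all-staff", "finance-ro", "finance-rw", "erp-users", "wire-approvers"]},
    {"email": "svc-legacy@example.com", "enabled": True, "last_login": "2023-11-02",
     "groups": ["erp-users"]},
]


def reconcile(roster, accounts, today_iso, role_groups=ROLE_GROUPS, dormant_days=90):
    """Return the three classes of finding an HR/IT access review looks for.

    today_iso is the review date as YYYY-MM-DD (a string, so callers need no
    datetime import). Disabled accounts are skipped: they are already handled.
    """
    today = date.fromisoformat(today_iso)
    by_email = {p["email"]: p for p in roster}
    findings = {"orphaned": [], "excess_groups": {}, "dormant": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        email = acct["email"]
        # Dormant: enabled but unused for longer than dormant_days; a candidate
        # for disablement whoever owns it.
        if (today - date.fromisoformat(acct["last_login"])).days > dormant_days:
            findings["dormant"].append(email)
        person = by_email.get(email)
        left = (person is not None and person["end_date"] is not None
                and date.fromisoformat(person["end_date"]) <= today)
        # Leaver or no roster owner: the account should not be enabled at all.
        if person is None or left:
            findings["orphaned"].append(email)
            continue
        # Mover: groups beyond what the current role is entitled to. An unknown
        # role maps to no entitlements, so every group is flagged for review.
        extra = sorted(set(acct["groups"]) - role_groups.get(person["role"], set()))
        if extra:
            findings["excess_groups"][email] = extra
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_ROSTER, IDP_ACCOUNTS, "2024-06-12").items():
        print(f"{kind}: {items}")
```

Run against the constructed data on 2024-06-12, the script reports Bob (left on 2024-05-31, still enabled) and the ownerless service account as orphaned, Carol's leftover finance-rw and wire-approvers groups as a mover problem, and the service account as dormant. The point of driving this from HR's end-date field rather than from a ticket is that the leaver check fires on the day HR records, whether or not anyone remembered to tell IT.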
Case Example: The Recovery of Maersk

In 2017, the shipping giant Maersk was hit by the highly destructive NotPetya malware. The attack rendered 49,000 computers at 600 sites in 130 countries inoperable. Afterwards, Maersk recognized the need to strengthen its internal resilience.
HR led a company-wide campaign to update incident reporting procedures, retrain employees, and add cybersecurity requirements to all job descriptions (Greenberg, 2018). Thanks in part to these HR-driven awareness campaigns, Maersk is now regarded as a leader in operational resilience.
Future Trends in HR-Led Cybersecurity

⦁ AI-adaptive training: systems that adjust training to each employee’s risk profile
⦁ Immersive learning: virtual reality simulations of real cyberthreats
⦁ Security-aware recruiting: assessing cybersecurity awareness in hiring, even for non-technical roles
These trends suggest that future IT and HR collaboration will focus on building a stronger workforce through data and technology.

Conclusion

In a business world where the network connects everything, HR is an important cybersecurity partner: it strengthens the organization’s human firewall by setting sound policies, building awareness into the culture, and delivering tailored training. Meeting these risks requires cross-functional collaboration, leadership, and training. By placing HR at the forefront of such initiatives, an organization can turn its employees into its greatest security asset.

References

Greenberg, A. (2018, August 22). The untold story of NotPetya, the most devastating cyberattack in history. Wired.
Llorens, J. J. (2023). The role of human resource management in cybersecurity. In Public Personnel Management (pp. 175-184). Routledge. https://www.taylorfrancis.com/chapters/edit/10.4324/9781003403401-13/role-human-resource-management-cybersecurity-jared-llorens
Nica, E., Burcea, Ș. G., & Sabie, O. M. (2024). The critical role of human resources in mitigating and managing cybersecurity risks in modern organizations: A strategic approach. Psychosociological Issues in Human Resource Management, 12(2). https://www.ceeol.com/search/article-detail?id=1331752
Ponemon Institute. (2022). 2022 Cost of Insider Threats: Global Report.
Verizon. (2023). 2023 Data Breach Investigations Report. https://verizon.iprsoftware.com/_gallery/get_file_format/?file_id=65e1e3213d633293cd82b8cb&key=354/files/20242/2023-data-breach-investigations-report-dbir.pdf&page_id=5bf2c63f2cfac211828e8c1d

Optima Technologies International, Inc