The role of HR in cybersecurity awareness programs

At many organizations, implementing a cybersecurity awareness program comes from the information technology (IT) department or the team responsible for corporate security. But teaching best security practices and keeping employees informed about threats is ultimately a human issue – and that means Human Resources has a lot to contribute.

Research suggests that more than 90% of cyberattacks are a result of human error – such as an inadvertent click or interaction with an attacker. Despite the overwhelming prominence of the human factor in cyber risk, there are some issues that make it difficult to understand the problem.

One is that the risks posed by technology are rarely as intuitive as other occupational risks. Most people understand the risk of a fall, really loud noises, or a poor electrical installation. But there isn't always the same level of understanding about the intangible risk of opening an attachment or clicking on a link. Because many risks in the online world are caused by cybercriminals, the danger only becomes evident when we know the mindset of the attacker.

The better the understanding there is on these types of attacks, the more obvious how relevant the human factor is in cybersecurity and the importance of  the HR department's involvement, which monitors the employee's entire career.

How can HR contribute?

One of the primary goals of the safety awareness program is to influence the company culture. When employees are aware that they will be appreciated for acting responsibly while they work, they are more likely to be concerned about the risks or damages that their actions may initiate.

Culture

HR is an employee's first point of contact with the company, and also usually the last. That's why HR's stance when communicating with candidates and new employees reflects aspects of the organization's culture. 

It is important to point out that HR also stores employees' personal data. Demonstrating awareness of this responsibility is one way to express the value of security and privacy.

All the benefits granted by the company – health insurance, clubs, food vouchers, and others – are often linked to digital platforms and are targeted by scammers, which means that employees should be instructed on how to use them securely. The reverse situation occurs when the employee leaves the company – in this case, the company needs to make sure that they're not taking sensitive data with them.

The regulation requires security precautions. The General Data Protection Law (LGPD) and other Brazilian and international rules prescribe penalties for companies that violate personal data. If the employee's job involves protected data, it's important that they become familiar with the applicable rules – such as the code of ethics – from day one.

If the company has not yet adapted its codes of conduct, it is crucial that HR play a role in updating these documents and working alongside the security department to ensure that everyone is aware of their responsibilities.

Scope and integration

HR can help reinforce the continuity of security awareness.  The HR department can cooperate with the IT department to include security training, activities or discussions within other HR meetings and campaigns to make sure the awareness program is not isolated and restricted to a single initiative. 

HR is more experienced than the IT department in interacting with people. There are employees who work from home or are often away from the office and do not have frequent access to the channel used by the awareness program. HR has found ways of keeping in touch with these employees and can share this experience to expand the reach of this initiative.

The human vision in cybersecurity

Each company or organization has its own challenges. Establishing an ongoing cooperation channel between human resources and digital security or IT is an important way of having them understand each other's needs.

Just as HR professionals are gradually becoming more aware of the human factor in cybersecurity, IT and security departments don't always have all the answers, especially when the specific characteristics of each company enter the equation.

As long as we understand the importance of looking at the employee as an ally in the task of protecting the company, HR has a lot to contribute to making awareness programs more humane.