Human Resources

HR’s role in promoting cyber security culture

The other day, while talking with a colleague from the IT department, he showed me screenshots of the spam messages he has been receiving daily.

Screenshot 1
Screenshot 2

Social engineering attacks are still the leading form of cyber attack. Do you know why?

Because it is so easy to carry out, social engineering is the best friend of every threat actor. Most threat actors use it to gain access to an organisation by exploiting employees who lack cyber security awareness.

So what does this have to do with HR?

Let me explain.

The Human Resources department is the common point of contact for every employee of an organisation. So HR is well placed to spread a positive cyber security culture among employees and thereby protect both the employees and the organisation from cyber attacks.

Phishing messages like the one above will only increase and reach more recipients in the coming days. Fortunately, my colleague could identify and handle the message because he is cyber-aware, so he did not react to it. However, if cyber awareness is not spread across the organisation, other employees may fall victim to similar attacks. Since humans are considered the weakest link in cyber security, attackers tend to target them to gain access to the organisation.

Let us take a look at how HR professionals could tackle this.

Cyber security requirements in employment contracts

While preparing the security policies and code of conduct, HR should emphasise the importance of cyber security in the employment contract. It should explicitly outline the consequences for employees whose credentials or data are compromised due to negligence or carelessness. The contract should also make regular cyber security awareness training mandatory for every employee. Incorporating these requirements into employment contracts helps employees understand their responsibilities and the implications of not meeting them.

Cyber security-related performance criteria

HR must implement a metrics system to assess the cyber security-related performance of employees. This performance system will measure how well each employee maintains and enhances the organisation’s overall cyber security posture.

The metrics must define criteria aligned with the company’s cyber security goals and objectives. In addition, this analysis could also be used to evaluate employee performance in general.

An example of an evaluation criterion would be the time an employee takes to report security incidents such as phishing or malicious code injection.

Another criterion could be completing the mandatory security awareness course on time and the score achieved in the assessment at the end of it. In this way, it is possible to cultivate a cyber security culture within an organisation and enhance its overall cyber security stance.

Rewarding incident reporting

Create an incentive program that rewards employees for promptly reporting incidents such as phishing and malware. Rewarding employees motivates them to report incidents immediately, which ensures those incidents are addressed without delay.

The disciplinary process for security violations

HR should enforce appropriate disciplinary measures if employees violate data security or privacy regulations. Every employee of an organisation should be aware of the consequences they will face in case of any data mishandling or misconduct, as outlined in the company policies.

Ensuring that remote workers get adequate cyber security support

Remote employees are highly vulnerable to cyber attacks, and without sufficient cyber security support they could jeopardise the company’s security. For example, remote workers should use a VPN to connect to the organisation’s network, because traffic on public networks is easily intercepted by attackers. Failing to communicate such guidelines effectively could lead to a cyber attack.

HR is responsible for ensuring that the IT team performs regular software checkups for remote workers, which can help reduce vulnerabilities.

Collaborate with the IT and Legal teams

To address the increasing risk of cyber attacks caused by employee negligence, HR needs to work closely with IT and legal departments.

In the past, HR may not have been knowledgeable about cyber security or technology. Nonetheless, in this day and age of cyber attacks, they must become thoroughly acquainted with the digital environment and company policies. Partnering with IT and Legal is the best way to achieve this. It enables HR to improve cyber security awareness training and to tailor that training to employees’ level of understanding.

Additionally, HR, in collaboration with IT, must conduct privacy regulation training for employees and third-party vendors who handle organisation data.
The threat of cyber attacks never ceases. Viruses and vulnerabilities will only become more prevalent in the coming years. It is now time for HR to move from being just a conduit for employees’ concerns to becoming a key player in ensuring compliance and cyber security at work. By being adequately informed about cyber security, HR can play a vital role in educating and training employees to avoid cyber attacks and, in doing so, build a strong line of defence for the organisation.