In February 2023, two high-profile incidents brought attention to companies’ susceptibility to cyber-attacks. Atlassian experienced a data leak when an employee mistakenly uploaded credentials to a public repository, while Activision suffered a data breach that targeted an HR employee through a phishing attack. In the former case, thousands of employees’ data were available to the public. The latter incident involved the attackers gaining access to employee data, including full names, email addresses, phone numbers, salaries, and locations.
The incidents underscore the importance of cyber security awareness for employees throughout their tenure at an organisation.
Providing employees with cyber security awareness training at the right time is crucial, but who is responsible for ensuring that happens?
The Human Resources Department.
Yes, you heard it right. The Human Resources Department of an organisation is the point of contact for every employee from the beginning until they are off the board. From recruitment to off-boarding, there are various stages where employees and their sensitive information are vulnerable to cyber-attacks. As a result, HR departments must take responsibility for educating their employees about cybersecurity best practices.
However, before providing training to the employees, there are specific points an HR should keep in mind to maintain cyber security throughout the HR team’s roles.
Let’s take a closer look at each step and outline what HR professionals should know to protect their organisations against cyber attacks.
Recruitment is the first stage of the hiring process: HR screens resumes, identifies eligible candidates, and conducts the first round of interviews.
First checkpoint: Because the first round mostly involves phone calls and email conversations, HR cannot always be sure whether a phone call is a phishing attempt, and candidates may unknowingly use unencrypted email services to communicate. There is also a chance of fake resumes coming in. These are often a threat actor’s initial steps towards gaining access to an organisation.
Therefore, verifying the authenticity of the applicant’s email address through either software implementation or manual checks is recommended to ensure candidate legitimacy and minimise cybersecurity risks. Regarding fake resumes and phone calls, HR may want to conduct a background check before hiring the candidate.
Second checkpoint: Limiting data collection during the recruitment process is essential to minimise the impact of a data breach. A role-based access control system ensures that only specific users can access the HR database, increasing security and reducing public exposure.
Onboarding integrates a new employee into a team. It may begin with either a remote interview or an on-site interview; in either case, a thorough background check is necessary.
There have been instances where threat actors tried to impersonate highly qualified candidates during remote interviews, thus gaining privileged access to the target organisation.
What are the other onboarding processes?
HR collects and stores additional sensitive information, such as PAN card details and banking information.
First checkpoint: The HR department must ensure this data is stored in an encrypted HR database to ensure confidentiality.
HR must ensure every new employee completes the mandatory cyber security awareness training session.
Second checkpoint: Promote safe work practices and reduce the risk of the human error that can lead to cyber-attacks.
The HR department should oversee every process throughout an employee’s journey and continue to apply cybersecurity best practices at each stage.
First Checkpoint: Ensure only authorised personnel have access to sensitive data and systems.
Second Checkpoint: Regularly review and update employee access privileges.
Third Checkpoint: Employees must undergo continuous cyber security training to stay up-to-date on digital security threats.
An off-boarding process occurs when an employee leaves an organisation.
How should HR handle off-boarding?
First Checkpoint: Revoke all the employee’s permission over data control.
Second Checkpoint: User accounts should be removed or suspended immediately after they leave.
Third Checkpoint: Ensure that the exiting employee takes no intellectual property with them.
Several instances of intellectual property theft have been reported in the period just before an employee leaves a company, and the organisation could suffer a massive loss as a result.
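The recruitment, ongoing and off-boarding checkpoints above all come down to the same control: a role-based access model over the HR database, a periodic review of who still holds which role, and an immediate revocation step when someone leaves. The following is an added illustration of that lifecycle, not code from the original article; the roles, permissions, user names and the 90-day review interval are all constructed sample values.

```python
"""Minimal role-based access control (RBAC) model for an HR database with a
periodic access review and an off-boarding revocation step.
Added illustration, not code from the original article; every role,
permission, username and date below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

# Each role carries only the permissions that job needs (least privilege).
ROLE_PERMISSIONS = {
    "recruiter": {"applicant:read"},
    "hr_admin": {"applicant:read", "employee:read", "employee:write", "payroll:read"},
    "payroll": {"payroll:read", "payroll:write"},
}


@dataclass
class Account:
    username: str
    roles: dict = field(default_factory=dict)  # role name -> date it was granted
    active: bool = True


class HRAccessControl:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # (date, action, username, detail), kept for investigations

    def create_account(self, username, roles, today):
        # Onboarding: grant only the roles requested, and record when they were granted.
        acct = Account(username, {r: today for r in roles})
        self.accounts[username] = acct
        self.audit_log.append((today, "create", username, sorted(roles)))
        return acct

    def can(self, username, permission):
        # Suspended or unknown accounts get nothing, whatever roles they once held.
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return False
        return any(permission in ROLE_PERMISSIONS[r] for r in acct.roles)

    def review_access(self, today, max_age_days=90):
        """Return (username, role) pairs granted more than max_age_days ago so a
        reviewer can re-certify or revoke them (the 'regularly review' checkpoint)."""
        stale = []
        for acct in self.accounts.values():
            if not acct.active:
                continue
            for role, granted in acct.roles.items():
                if (today - granted).days > max_age_days:
                    stale.append((acct.username, role))
        return stale

    def recertify(self, username, role, today):
        # A reviewer confirmed the role is still needed; restart its review clock.
        self.accounts[username].roles[role] = today
        self.audit_log.append((today, "recertify", username, role))

    def offboard(self, username, today):
        # Off-boarding: strip every role and suspend the account in one step.
        acct = self.accounts[username]
        removed = sorted(acct.roles)
        acct.roles.clear()
        acct.active = False
        self.audit_log.append((today, "offboard", username, removed))
        return removed


def example_lifecycle():
    """Walk two constructed accounts through onboarding, review and off-boarding."""
    ac = HRAccessControl()
    ac.create_account("recruiter1", ["recruiter"], date(2023, 1, 1))
    ac.create_account("hradmin1", ["hr_admin"], date(2023, 1, 1))
    review_day = date(2023, 5, 1)  # 120 days later, past the 90-day window
    stale_before = ac.review_access(review_day)
    ac.recertify("recruiter1", "recruiter", review_day)
    stale_after = ac.review_access(review_day)
    removed = ac.offboard("hradmin1", date(2023, 5, 2))
    return {
        "recruiter_reads_applicants": ac.can("recruiter1", "applicant:read"),
        "recruiter_reads_payroll": ac.can("recruiter1", "payroll:read"),
        "stale_before": sorted(stale_before),
        "stale_after": stale_after,
        "removed_roles": removed,
        "offboarded_still_has_access": ac.can("hradmin1", "employee:read"),
        "audit_entries": len(ac.audit_log),
    }


if __name__ == "__main__":
    for key, value in example_lifecycle().items():
        print(f"{key}: {value}")
```

The review step deliberately returns a list for a human to act on rather than revoking automatically; the off-boarding step, by contrast, is immediate and total, matching the "removed or suspended immediately" checkpoint. A real deployment would wire `offboard` to the HR system's leaver event so the revocation cannot be forgotten.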
Additional tips on HR cyber security best practices
It should be possible for employees to change or delete their data if they change their minds.
Access to HR databases should not be provided via remote access.
The organisation’s intranet should never be accessed via an unauthorised WiFi network or hotspot, as threat actors can quickly locate and penetrate them.
Ensure regular risk assessments are conducted to evaluate the level of risk exposure and to identify any potentially risky employee behaviour.
Organisations must consider cyber security a crucial part of their HR processes. It is, therefore, important for HR professionals to be aware of potential cyber risks. This will enable them to protect sensitive information and data, and it helps them guide their employees towards a secure cyber culture.