
The role of HR teams in corporate cybersecurity

February 21, 2022
Preston Wickersham


In recent years, countless organizations have been blindsided by cyberattacks, including phishing scams and ransomware. Unfortunately, just one attack on a company can impact millions of users — with a price tag to match.

In the late 2010s, breaches were already becoming more commonplace due to the increased use of digital storage and cloud computing. Then, with the increase of remote work due to the pandemic, cybercriminals were given an even greater opportunity to target vulnerable companies. In fact, the average cost of a data breach rose from $3.86M in 2020 to $4.24M in 2021, according to the annual Cost of a Data Breach Report — the highest average total cost in 17 years.

Cybersecurity has never been more critical for global and remote work teams. That is why it is so vital for HR leaders to step up and protect hybrid and remote-first businesses from cybersecurity risks. Human error is a contributing factor in the large majority of breaches (a widely cited figure puts it at 95%). When the people in your organization are your weakest link, it's time for HR to help institute the cybersecurity practices needed to protect your valuable data.

By implementing strong onboarding, training, monitoring, and communication around cybersecurity, HR teams can significantly reduce the risk of expensive data breaches.

How HR teams can develop a sustainable culture of cybersecurity safety

With the pandemic generating a number of new cybersecurity challenges, cooperation between teams has never been more important. The first step in developing a culture of corporate cybersecurity safety is for your HR leaders to partner with internal IT teams and data protection specialists.

You should also work to create trust among your employees. Invest in their ongoing cybersecurity education so your team can establish and maintain best practices. Your workforce is the first line of defense against a cybersecurity breach. Integrating cybersecurity into your company culture can develop a solid foundation to grow your globally distributed workforce.

Recruitment

Employee mistakes and misconduct are a common cause of data breaches, and recruiting is a particular area of vulnerability. An organization's recruiting functions are a common entry point for attackers because they exist to receive unsolicited files and links from strangers: résumés, cover letters, and portfolio links. With a steady influx of applications, it is all too easy for a recruiter to open an attachment that carries malware (a macro-enabled "résumé" document is a classic delivery vehicle for ransomware) or to click a link that leads to a phishing page.

IT and software measures

HR teams should confirm that the platforms used for virtual interviews are approved by IT, require authentication, and are not left open to uninvited participants. Where recruitment software is concerned, confirm that the most recent updates have been installed to fix known security vulnerabilities. In addition, use role-based access control (RBAC) so that access within each system is limited according to roles and responsibilities. This ensures that only authorized employees can reach candidate and employee data, and it gives you a clear record of who could see what if something goes wrong.

Pre-employment checks

As part of the interview process, probe potential red flags while being mindful not to violate privacy laws. For example, verify the accuracy of a potential recruit's employment and education information. In addition, screen for a history of criminal activity, past violence, or policy violations through background checks and verification of employment references.

Onboarding

HR can play a critical role in protecting sensitive information and minimizing employer liability during the onboarding phase. When bringing on new workers, complete a checklist that records all the equipment each employee receives and every account and system they are granted access to. Then consult the checklist at the time of separation to ensure that all equipment is returned and that accounts, tokens, and remote access are revoked the same day, so departing workers don't walk out with sensitive data or a still-working login.

In addition to company data, an employee's personal information is at risk during the onboarding process. When onboarding, HR is flooded with personally identifiable information (PII). This information is often collected via email or fax, methods which are vulnerable to human error (a mistyped address sends a passport scan to a stranger) and which offer little protection in transit or at rest. Prefer a secure HR portal or encrypted upload for collecting PII; if email must be used, ensure it is encrypted end to end, and delete copies from inboxes once the data has been stored in the system of record.

New employees should receive education on corporate cybersecurity best practices and procedures to keep both their own information and company data safe. Don't assume your new hires know how to spot a threat. Focus on training new workers to identify and handle some of the most common scenarios:

  • Spear phishing emails: Spear phishing involves sending a fraudulent email, tailored to the recipient, that appears to be from a trusted source such as a manager or a vendor. The email may contain an attachment carrying malware, a link to a fake login page, or a direct request for confidential information or a payment. Train staff to verify unexpected requests through a second channel before acting on them.

  • Public Wi-Fi: Because remote work is so prevalent, more employees than ever use public Wi-Fi. An untrusted network can expose traffic to eavesdropping and redirect users to malicious sites. Require a company VPN on untrusted networks and confirm that corporate tools are only reachable over HTTPS.

  • Weak passwords: Weak or reused passwords are another common cybersecurity risk, because one leaked credential from an unrelated site is often enough to get into a corporate account. Train your employees to create long, unique passwords (ideally generated and stored by a password manager) and enforce multi-factor authentication on every account that supports it.

This is also the point at which you should consider partnering with an employer of record (EOR) to grow your global team. An EOR can help you manage compliance with international data protection laws relevant to new cross-border employees so you have more time to focus on managing and growing your business. Having robust data privacy policies and practices also helps avoid costly lawsuits and regulatory investigations involving data security.

Training

Organizations can't achieve their cybersecurity goals through hardware and IT workers alone. All employees must be trained on the skills and policies related to cybersecurity. According to one recent survey, despite knowing the security dangers, 79% of employees still engage in risky behaviors, and only 44% of employees have received any cybersecurity training in the past year. Those figures are a reminder that effective cybersecurity training is difficult to do well.

Having the right tech stack is critical for your global team to maintain data protection and safety. In addition, systems integrations have made it easier to maintain cybersecurity for teams that collaborate in hybrid, remote, or cross-border workstreams. Integrations help you better leverage the platforms needed to support your business and your employees so you can get even more value from your tools and your time. They also allow you to sync employee data across all your systems to streamline the employment process and securely sync key employee information.

Some ways HR leaders can operationalize cybersecurity training include:

  • Applying the principle of least privilege to system access: The principle of least privilege limits users' access to only what is strictly required to do their jobs. Users are granted permission to read, write, or execute only the files or resources necessary to perform their assigned tasks, and access is denied by default unless explicitly granted. Review grants when people change roles, since permissions tend to accumulate and are rarely removed on their own.

  • Requiring Single Sign-On (SSO) for all internal tools and systems: SSO is an authentication method that allows users to authenticate with multiple websites and applications using one set of credentials held by a central identity provider. The identity provider passes each application a signed token (for example a SAML assertion or an OpenID Connect ID token) containing identifying claims about the user, such as their email address or username. Because SSO concentrates access behind one login, the identity provider itself must enforce multi-factor authentication, and offboarding someone there should cut off every connected application at once.

  • Continuously auditing and monitoring credentials: Auditing credentials means exercising tight control over who holds administrator-level access. Administrative rights should be held by as few people as possible, used from separate admin accounts rather than everyday ones, and reviewed on a regular schedule so that stale or orphaned accounts are removed. Standard users should be able to browse the internet, use approved tools, and access the applications their role requires. Guest users will have less access still and will typically be limited to internet usage and basic applications.

  • Regularly training employees on internal security and privacy: Because workers are the top source of security incidents, employee engagement is critical to prevent data breaches. Employees need to know how to recognize threats and should feel comfortable reporting any incidents to HR.

Here are a few helpful resources your team can leverage when developing corporate cybersecurity training:

  • Surveillance Self-Defense: This guide offers tips and tools for safer online communications.

  • Handbook on Two-Factor Authentication: This guide provides an overview of two-factor authentication, including what it is, how to use it and the different forms of it available.

  • Can I Secure: This website includes quick and easy guides to secure devices and websites. It also gives instructions for limiting personal data exposure, setting up two-factor authentication and other topics.

Investigating potential violations

When a cybersecurity incident involves suspected employee misconduct or a policy violation, the HR team is typically responsible for leading the investigation, with IT and security handling the technical response. That's because such investigations often start with a tip to the HR department. It is important for HR to get involved to enforce cybersecurity policies and maintain compliance while protecting the company and its employees.

HR leaders create rules around how employees can use their electronic devices and what privacy workers can expect when using them. However, monitoring that invades privacy or risks impacting employees' trust is never recommended. Transparency and accountability are always more effective than micromanaging remote workers.

Ultimately, you want to trust your team to implement and abide by the guidelines you set forth. That means ensuring that any investigations progress with understanding, empathy, and respect.

Here are a few key steps to follow when investigating potential violations:

  1. Gather an investigation team that includes legal, IT staff, and HR professionals.

  2. Confirm what company guidelines the employee may have broken and what privacy the worker can assume to have on their electronic devices.

  3. Determine what information is relevant.

  4. Make a forensic (bit-for-bit) image of the employee's computer and work only from the copy, never the original. Use a write blocker where possible, record a cryptographic hash of the original and of the image, and document who handled the evidence and when. This step is critical in preserving evidence that will hold up later.

  5. Establish what data may have been compromised. Then put controls in place, such as data loss prevention (DLP) rules or suspension of the account's external sharing, to block further transmission of sensitive information while the investigation continues.

  6. Use forensic tools that can examine stored data, including deleted and recently modified files, and review logs and network records to reconstruct how data moved between systems.

  7. If you find any evidence of criminal behavior, contact law enforcement.
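The evidence-preservation step above (imaging the machine and proving the copy is faithful) is easy to describe and easy to get wrong. The following is an added example, not code from the original article or from Remote; it assumes a plain file standing in for a disk and constructs its own sample evidence. In a real acquisition the image comes from a write-blocked drive via a tool such as dd, dc3dd or FTK Imager; what this script shows is the integrity discipline those tools automate: hash the source, copy it without ever overwriting an existing image, hash the copy, refuse a mismatch, and write a chain-of-custody manifest that lets anyone re-verify the image later.

```python
"""Preserve a forensic copy of evidence and verify its integrity.

Added example, not part of the original article. Paths, the examiner name,
the case id and the sample evidence file are all constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash and copy in 1 MiB chunks so large images never sit in memory


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_evidence(source, image_path, examiner, case_id):
    """Copy `source` to `image_path`, hash both, and write a manifest beside the image.

    Returns the manifest dict. Raises RuntimeError if the copy does not match
    the source, so a bad image is never silently accepted as evidence.
    """
    source_hash = sha256_of(source)
    # "xb" opens exclusively: an existing image is never overwritten by mistake.
    with open(source, "rb") as src, open(image_path, "xb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of(image_path)
    if image_hash != source_hash:
        raise RuntimeError("image hash does not match source; do not rely on this copy")
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "size_bytes": os.path.getsize(image_path),
    }
    with open(image_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path):
    """Re-hash an image and compare it with its manifest; True if still intact."""
    with open(image_path + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_of(image_path) == manifest["image_sha256"]


def demo():
    """Acquire a constructed evidence file, verify it, then show tampering is caught."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "laptop.bin")   # stands in for the seized disk
    image = os.path.join(workdir, "laptop.dd")
    with open(evidence, "wb") as f:
        f.write(b"constructed sample disk contents\n" * 4096)
    manifest = image_evidence(evidence, image, examiner="j.doe", case_id="HR-2022-001")
    intact_before = verify_image(image)
    with open(image, "r+b") as f:   # simulate someone later modifying the image
        f.seek(0)
        f.write(b"X")
    intact_after = verify_image(image)
    return manifest["source_sha256"] == manifest["image_sha256"], intact_before, intact_after


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The manifest is the part investigators tend to skip: without a recorded hash and handler, a defense lawyer or a regulator has no way to tell a pristine image from one that was modified during analysis.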

Determining employee permissions

HR teams are often in charge of determining which employees have access to sensitive data using tiered permissions. This is an important corporate cybersecurity measure because it allows users to have different access based on their roles and responsibilities.

You should determine who has access to what data and what they are permitted to do with it, and deny everything that is not explicitly granted. Not only does this approach allow you to restrict documents to certain employees, but it also lets you log who accesses each file, when they access it, and what actions they perform, including attempts that were refused. That way, if there is a breach, you can see who had access to the data at the time and who was probing for access they should not have had.
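As an added example (not the article's or Remote's own code), here is what tiered permissions with an audit trail look like in practice. The roles, resources and access attempts are constructed for the demo. It shows the three properties the text relies on: access is denied by default, each role gets only the actions its job needs (the least-privilege principle from the training section), and every decision is logged so that after an incident you can answer "who touched this record?" and "who tried and was refused?".

```python
"""Role-based access control with an audit trail.

Added example, not part of the original article. The role matrix, user names
and resources are assumptions made up for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role -> {resource: set(actions)} matrix. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "hr_admin":  {"employee_pii": {"read", "write"}, "payroll": {"read", "write"}},
    "recruiter": {"candidate_files": {"read", "write"}},
    "manager":   {"employee_pii": {"read"}},   # directory data only, no edits
    "employee":  {},                            # self-service is handled elsewhere
}


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    roles: dict = field(default_factory=lambda: ROLE_PERMISSIONS)
    user_roles: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def assign(self, user, role):
        if role not in self.roles:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles[user] = role

    def check(self, user, resource, action):
        """Return True only if the user's role explicitly allows action on resource.

        Unknown users, unknown resources and unlisted actions all fall through to
        False (deny by default). Every decision, allowed or not, is appended to
        the audit log so denied attempts are visible too.
        """
        role = self.user_roles.get(user)
        allowed = False
        if role is not None:
            allowed = action in self.roles[role].get(resource, set())
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role or "<none>",
            resource, action, allowed))
        return allowed

    def who_accessed(self, resource, action=None):
        """Users whose successful accesses to resource (optionally one action) are
        in the log: the 'who had access to this data' question after a breach."""
        return sorted({
            e.user for e in self.audit_log
            if e.resource == resource and e.allowed
            and (action is None or e.action == action)
        })

    def denied_attempts(self):
        """Denied attempts deserve review: either a misconfiguration or someone probing."""
        return [(e.user, e.resource, e.action) for e in self.audit_log if not e.allowed]


def demo():
    ac = AccessController()
    ac.assign("alice", "hr_admin")
    ac.assign("bob", "recruiter")
    ac.assign("carol", "manager")
    results = (
        ac.check("alice", "employee_pii", "write"),   # True: her job needs it
        ac.check("carol", "employee_pii", "write"),   # False: managers read only
        ac.check("bob", "employee_pii", "read"),      # False: recruiters see candidates, not staff
        ac.check("carol", "employee_pii", "read"),    # True
        ac.check("mallory", "payroll", "read"),       # False: no role assigned at all
    )
    return results, ac.who_accessed("employee_pii"), ac.denied_attempts()


if __name__ == "__main__":
    print(demo())
```

The same query (`who_accessed`) is what the breach-response section later calls reviewing logs to determine who had access at the time of the breach; it only works if the log was being written before the incident, which is why the logging sits inside `check` rather than being bolted on afterwards.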

In basic terms, PII is any information that allows someone to infer another person's identity directly or indirectly. Some examples of PII include data that is commonly collected from employees and new hires, like social security numbers, credit card numbers, and home addresses. Access to PII should be restricted to the people whose role requires it, with the need demonstrated and documented, and it should never be shared informally (by chat message or spreadsheet attachment, for example) outside the systems built to hold it.

That's where an Employer of Record (EOR) comes in. An EOR like Remote can simplify the management of PII for global employers. That's because we protect your business and your employees' sensitive data with industry-leading security and compliance. Not only do we offer built-in security you can trust, but we also provide a dedicated security team and deploy comprehensive security practices to ensure your business is safe.

In addition, Remote can help you safeguard your intellectual property (IP) no matter where your team works, with Remote IP Guard. We own legal entities in all our covered countries, eliminating opportunities for IP risk and ensuring you maintain ownership of what’s yours. Our international expertise allows us to provide the most comprehensive IP protection services in every country, guaranteeing you always receive the full rights to your company’s IP under the laws of the countries where your employees work.

Responding to data disclosures

Suppose you just learned that your company experienced a cybersecurity breach. Whether hackers took personal information from your corporate server, an insider stole customer information, or data was inadvertently exposed on your company’s website, you may wonder what to do next. When sensitive data is accidentally disclosed, it often falls on HR to pass on the news and respond to employee concerns.

Secure your systems

The first step is to secure your systems. Find out where the breach occurred and contain it, but do not wipe or rebuild affected machines before evidence has been preserved, or you will lose the ability to learn how the attacker got in. Then rotate credentials: user passwords, but also service accounts, API keys, and any access codes the attacker may have seen, and revoke active sessions so that a changed password actually locks them out. It is reasonable to temporarily shut down remote access to your systems out of an abundance of caution. Assemble a team of experts to conduct a comprehensive breach response.

Fix vulnerabilities

The next step is to ensure the breach has been contained and assess the damage. Check your network to ensure that a breach on one server cannot spread to another. Confirm that your backups are intact and were not themselves accessed or altered, and review access logs to determine who had access to the data at the time of the breach. Also, analyze who currently has access and restrict it where possible. Then undertake forensics to trace how your data was accessed and what the impact would be if it were released to the general public.

Notify employees and clients

In the event of a breach, you need to notify employees and clients using a response template that covers the following questions:

  • When did the breach occur?

  • How did the breach happen?

  • When was the breach resolved?

  • What types of data were compromised?

  • What actions is the company taking?

In addition, provide employees with a list of frequently asked questions that can be easily accessed and updated with new information as it becomes available. Hosting a question and answer session may also be a good idea.

Notify other parties

When your company experiences a data breach, you will also need to notify additional parties. First, call your local police department. If they aren't familiar with investigating these scenarios, contact the national office. In the United States, that may be your local FBI office or the U.S. Secret Service. If the breach involved electronic personal health records, you might need to notify the FTC and, in some cases, the media. If you are covered by the HIPAA Breach Notification Rule, you must inform the U.S. Department of Health and Human Services. For a global team, check the breach notification laws of every jurisdiction where affected employees live: most U.S. states have their own rules, and under the GDPR a breach involving EU residents' data generally has to be reported to the supervisory authority within 72 hours of becoming aware of it. Confirm the deadlines with legal counsel before the clock runs out.

Test your new cybersecurity procedures

Once you address what happened, make sure any cybersecurity procedures or patches are working. Next, do a test to ensure the breach can't happen again and consider streamlining your tech stack. You should also make sure all your servers and virtual machines are tested as part of this process.

Consider cyber liability insurance

To further protect yourself, look into cyber liability insurance policies that can cover some of the cost of a breach. In addition to legal fees, cyber liability insurance can help with notifying customers of a breach, recovering compromised data, and repairing damaged computer systems, though policies vary in what they exclude, so read the conditions closely. Losing data may mean significant financial losses over time, including paying settlements to those whose data was compromised. Fully protecting your company and your IP should become a priority.

If you went through one data breach, it might not be the last one during the life of your business. A data breach can damage more than just your systems; it can also put your company's reputation at risk.

In the years ahead, HR will continue to play a significant role in managing corporate cybersecurity. Reasons for this include stricter regulations, greater ubiquity of technology, and the use of integrated systems by more businesses. It's never been more important to take preventative cybersecurity measures by implementing secure recruitment, onboarding, and training practices to minimize the risk of a breach. While excessive monitoring of employees is not sustainable, transparency and accountability combined with the right tools can build a platform for success.
