HR and Cybersecurity

HR’s Role in Cybersecurity

Cybersecurity attacks are on the rise, especially over the last two years as we have worked, learned, and socialized virtually. This increase is giving HR professionals new roles. HR is increasingly called upon to help IT staff in key ways, like creating and enforcing employee data permissions, training and enforcing security policies and procedures, and helping to respond to events involving employees. Here is what HR professionals need to know about the changing threat landscape—and how to protect their organizations.  

Increased cybersecurity threats

Cybersecurity activity has hit all-time highs over the last two years, with research by Accenture detecting a year-over-year surge of 125% in 2021. Cyber events like web shell activities, targeted ransomware, extortion operations, and supply chain intrusions drove the increase. The United States is the leading target, with 36% of all global cybersecurity attacks.

With many big names and agencies making headlines when breaches occur, it can be tempting to think smaller organizations and businesses are not in hackers’ sights. But this is not true. In fact, according to IT experts, smaller companies and governments with lacking or lagging safety protocols are easy targets. Cybersecurity incidents come at a high cost, from reputational brand damage to Google profiles, and ransomware that can cost companies tens of thousands of dollars while paralyzing operations.

What HR professionals should know

With threats on the rise, HR professionals play a crucial role in company security policy in leading or collaborating on:

Creating policies. One of HR’s traditional leadership roles has been in creating and enforcing company policies. This extends to cybersecurity policies. The first step in creating or updating a security policy is to ensure the company policy clearly states what technical safety measures the organization’s IT must take, such as evaluating the website and implementing HTTPS. Policymaking must also document steps to notify employees of cybersecurity threats and help them to understand and identify them. Finally, a security policy should clearly outline procedures for reporting and responding to potential or actual threats.

Educating employees. Writing a security policy is a critical step, but it is not the only one. Take the time to discuss security threats with employees. And while there are differences in sophistication between many older staff and younger, digitally native employees, it is essential to make sure everyone has access to the same information—from phishing to two-factor authentication and much more.

Consider remote workers. Policies, procedures, and training should all incorporate additional security considerations for remote workers and those in a hybrid environment. Accessing company data and systems on personal devices is one example of how security posture can weaken outside the office. Make sure your company policy includes bring-your-own-device policies and spells out how to tighten cybersecurity while working at home or traveling for business.

Do not overlook offboarding. This is an often-overlooked aspect of company cybersecurity. Departing employees might leave on good terms, but make sure they are not taking passwords or access to sensitive information with them. Ensure there is a defined process—with clearly delegated responsibility—in place when employees leave.

Respond quickly to every event. Together with IT, be sure to respond immediately to any potential events or breaches. HR can take the lead on employee-specific and companywide communications. Even if there was not a breach, a potential threat provides an ideal opportunity to remind employees of the importance of being vigilant.

How to be savvier about cybersecurity

Developing, evaluating, and maintaining a strong cybersecurity position is not a one-and-done effort. It is a comprehensive initiative requiring technical solutions to secure websites and devices across work environments, but it is also about policies and education that considers employees. After all, bad actors in cybersecurity know exploitation is about social engineering—seeding attacks through simple scams like phishing that can open the door to your data and systems.

This is why HR’s role in cybersecurity is increasingly important—and why HR professionals should stay on top of trends in cybersecurity and best practice policies. DallasHR is the third-largest SHRM affiliate chapter in the nation. With more than 2,000 engaged HR professionals, the Chapter has been Advancing the Value of HR since 1939 through innovative education, valuable networking events and providing opportunities to share best practices with others in the field of HR. The HRSouthwest Conference powered by DallasHR, is the official Texas SHRM conference and one of the largest regional HR events in the U.S. Visit us at, and follow us at #dallashr, #hrswc.