As well as playing an integral role in protecting organisations from cyberattacks, the HR function is also one of the functions most targeted by cybercriminals.
While the IT department can put cybersecurity technology controls in place to protect the organisation, the HR function can play a primary role in ensuring that cybersecurity education is woven into the culture of the organisation.
Ensuring cybersecurity awareness programmes fit with an organisation's specific cybersecurity needs is vital to providing the right training for staff.
To be effective, employee cybersecurity training programmes need to be interactive and engaging.
Amid a rapidly evolving cybersecurity threat landscape, the HR function has a vital role to play in protecting an organisation from cyberattacks, notes Arktos Lam, Cyber Security Manager with the Hong Kong Internet Registration Corporation Limited (HKIRC). For example, as the business function with a wide range of points of contact with external sources, the HR function is both a target for cybersecurity attacks and an “access gateway” for cybercriminals.
Lam emphasises that the risk of a cyberattack is always present. There are no holidays or days off, he says. While cybercriminals use advanced technology to probe network entry points for weaknesses and vulnerabilities, they also seek to exploit human weaknesses to gain access to data, devices, systems and networks. “The HR function holds sensitive employee information such as personal data, addresses, phone numbers and bank account details, which are valuable targets for cybersecurity criminals,” Lam says. Since HR practitioners need to open emails and attachments from unknown sources as part of their work, the HR function is often targeted by cybercriminals in phishing attacks.
Lam explains that phishing attacks can come in many different forms; common examples include emails from fake job applicants that carry malware attachments, such as a malicious CV. Malware attachments within malicious emails can be disguised as documents, PDFs, e-files and voicemails, and are not only capable of stealing information but can also give unauthorised access to an organisation’s sensitive data, destroy data or be used to extort a ransom from the victim. Phishing emails sent to the HR function can also take the form of a sender pretending to be a member of staff and requesting changes to his or her employment records. Noting how cybercriminals have become more emboldened and resourceful, Lam points out that “bad actors” are using smarter techniques to trick employees into leaking sensitive data or downloading malicious attachments. An increasingly frequent ploy involves conducting research on a specific individual — such as an organisation’s senior executive — in order to create an attack that can be difficult to distinguish from a real email.
“As AI tools become increasingly ubiquitous, cybercriminals are leveraging generative artificial intelligence to craft highly convincing phishing campaigns tailored to the language of the intended recipients. Instead of prohibiting staff from using AI tools, establishing clear protocols outlining which tools can be used and how they can be utilised is recommended.”
- Arktos Lam, Cyber Security Manager, Hong Kong Internet Registration Corporation Limited
The cyber threat landscape has become more complex
As the world of work continues to evolve in the aftermath of the COVID-19 outbreak, Lam notes how the pivot to work from home (WFH) and remote working has made it more of a challenge for organisations to protect themselves from cybersecurity threats. “The attack surface has increased,” he says. Previously, organisations had the majority of their staff working from an office, where cybersecurity efforts could be focused on a contained corporate network; staff now log in from home or other remote locations using different devices and network connections. This requires organisations to establish WFH cybersecurity protocols to prevent sensitive data from being compromised. Lam recommends that these protocols include the use of software tools such as two-factor authentication, VPNs (virtual private networks) and password managers. To create a secure environment, even when staff are using their own home Wi-Fi network, it is important for the HR function to train users to use only work-related tools and accounts for messaging, emailing, video calls or any other form of communication.
Meanwhile, as AI tools become more prevalent, cybercriminals are using generative artificial intelligence, such as the GPT language models that underlie applications like ChatGPT, to create convincing phishing campaigns in the language of the targeted audience. Consequently, tell-tale signs of fraudulent messages such as bad grammar and spelling become less obvious. While AI tools can be used to intercept or help detect cybersecurity threats, Lam cautions that they must be regularly updated to keep up with the latest threats. Furthermore, instead of prohibiting staff from using AI tools, Lam recommends establishing clear protocols outlining which tools can be used and how they can be utilised. Access should correspond to necessity, Lam advises.
Cybersecurity is everyone’s responsibility
To build preparedness and strengthen resilience to phishing and other forms of cybersecurity attack, Lam proposes increasing user awareness and personnel education. This requires close collaboration between the HR function and the IT function, as well as organisation-wide buy-in. Lam believes that educating staff across the organisation, regardless of role or seniority, makes it easier for individuals to be aware of cybersecurity risks and, therefore, of the importance of adhering to security controls and data privacy processes.
When developing employee cybersecurity training programmes, Lam recommends focusing on a people-centric approach rather than a one-size-fits-all approach. “A people-centric approach focuses on what matters most—motivating employees to care about cybersecurity,” Lam says. This can be achieved by tailoring training with bite-sized, interactive, digital or video programmes suited to different job roles. For example, a simulated phishing attack can be tailored to the role of the employee: to offer a realistic scenario, a salesperson might receive different phishing emails than a back-office customer support employee. “Providing training that looks and feels like the content they consume every day engages people,” Lam says. Incorporating competitive challenges into training programmes can also help to motivate employees and build team spirit. For instance, teams from different business functions may compete against each other on identifying passwords using techniques similar to those cybercriminals use. “Role-based content helps to improve learning through customisation,” Lam notes. Quizzes can also be used to monitor the effectiveness of the learning experiences.
Build a clear cybersecurity culture
As the business department responsible for maintaining recruitment and retention programmes, the HR function is often the first point of contact for current and future employees. Engaging with employees at the start of employment is a good opportunity to establish the foundation for a culture of cybersecurity risk awareness, Lam says. The onboarding stage is an ideal time to highlight how cybersecurity awareness is part of the key performance indicator (KPI) measures included in the staff performance review. “This reinforces the fact the company takes cybersecurity seriously,” Lam says. While every organisation is different, it is important to establish cybersecurity best practices, such as guidelines that passwords must never be reused and that work data must never be transferred to personal devices, as well as incident handling and data backup policies.
Lam also stresses the importance of staff maintaining the privacy settings on their social media accounts and refraining from using the same passwords for personal and professional accounts. In addition, personal devices that staff use for work should be password-protected and equipped with biometric authentication in case the device is lost or stolen.
To keep cybersecurity top-of-mind for employees, Lam recommends that awareness and training programmes be periodically updated and offered to employees at regular intervals, in the same way that the cybersecurity threat landscape continues to evolve. “Employees should complete specific cybersecurity training at least once a year,” Lam advises.
For HR practitioners interested in improving their organisation’s cybersecurity awareness, the HKIRC’s free training platform provides cybersecurity e-training at any time and from anywhere. The HKIHRM also arranges cybersecurity seminars and workshops for its members.