
How HR can Improve Corporate Cybersecurity

Sep 14, 2020

Cybercrime is one of the greatest threats to business

Security breaches are becoming more targeted and costly. IBM estimates the average cost of a data breach in the United States at $8.19 million. In the U.K., the government’s Cyber Security Breaches Survey 2019 shows that one in three businesses (32%) suffered an attack or breach in the previous 12 months.

As businesses adopt emerging technologies to boost their productivity, enhance collaboration and minimize spending, they open themselves to new risks and challenges. The overall business risk has increased because of the expanding threat landscape. Cyber criminals are also leveraging these technologies to launch their malicious actions, which are more sophisticated than ever and harder to detect. As a result, the World Economic Forum, in its annual Global Risks report, has ranked cyber-related risks among the top ten business risks, second only to environmental ones.

When corporations fail to mitigate and manage these risks, they evolve into security incidents that severely impact and disrupt the business. Data loss leads to financial penalties, reputational damage and even revenue loss as customers lose trust. The damage can be so severe that a business goes bankrupt.

A holistic approach to security

Cyber security was traditionally considered a job for IT departments, but as threats change, they are unable to hold the line alone. It has become a company-wide challenge, and HR professionals have a key role to play in minimizing it. Malware protection and anti-virus software are vital, but technology will not deter intruders if poor staff awareness effectively leaves the door wide open.

Security teams together with HR can fortify businesses against cyber-attacks. They are the “soldiers” of every organization. An army without soldiers is not an army. An army with unskilled soldiers will lose any battle they fight. Cybersecurity is a business battlespace. Every day businesses need to win battles – mitigate threats, prevent vulnerabilities from being exploited, identify malicious actors. And to win these battles they need skilled security practitioners.

HR professionals need to ensure employees’ skills are updated to encompass cyber security. Most have already taken the first steps by increasing data protection measures in light of the GDPR and the CCPA, but the focus has largely been on data. Organizations need to follow a holistic approach to cyber security.

HR as Cybersecurity’s partner

HR can play a vital role as cybersecurity’s partner. The HR department can set expectations with all staff, stressing the importance of information security from day one, beginning with the initial recruiting process and continuing throughout an employee’s tenure. HR can be the conduit between the IT security department and staff—clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues that arise in every company. Last but not least, HR can provide the security team with insight into the maturity of employees’ overall security awareness.

To be effective, information security must be emphasized as a standard business practice, well-integrated throughout the organization and reinforced in an ongoing security program that is kept relevant, engaging and fresh.

Maintaining a robust security-awareness program that is mandatory for all staff can help employees feel empowered and involved in a critically important function, while driving home the understanding that everyone in the organization is responsible for protecting the business.

Cybersecurity professionals are usually occupied with many challenges across a wide array of security-related matters: data breaches, virus and malware exploits, vulnerabilities, and social engineering attempts that target everyone, including administrative staff and executive leaders. Although these are crucial for maintaining a robust cybersecurity posture, communication is of equal importance. How can you find new and innovative ways to keep workers motivated and vigilant about security as they try to perform their jobs under the specter of falling victim to a clever phishing e-mail?

This is where HR is important. Raising awareness and building an enterprise-wide cybersecurity culture, integrated into the corporate DNA, is one function that must not be neglected, and executives must promote team training as part of the overall effort to build a cyber resilient organization.

Staff training on cybersecurity

All staff should have some type of cybersecurity training to make them aware of data protection rules, policies and procedures, plus any particular threats they may encounter. While cyber security training should be part of the onboarding process, all employees need to receive regular updates.

In addition, executives have a legal responsibility to protect their employees’ and customers’ data, and regulators have made clear that cybersecurity is a board-level issue and that directors are to be held liable for any breaches. The U.K.’s National Cyber Security Centre says cyber security should be part of a manager’s skill set, and its guidance states that “executive staff should be as aware of the major vulnerabilities in their IT estate as they are of their financial status.”

Security professionals team training

The importance of having a robust cybersecurity posture is highlighted by the fact that organizations from technology and manufacturing to retailers, airlines and shipping, to financial services and healthcare, government and federal sectors are all seeking skilled security staff. Despite its importance, the cybersecurity industry suffers from a lack of skilled personnel. In fact, it is predicted that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014. However, the skills gap might not be such an unsolvable problem.

Besides employing certified security practitioners, corporate security posture can be upgraded by training the organization’s security team. At a time when cybersecurity professionals are scarce, organizations that make certification and training a priority are most likely to attract and retain critical staff.

A skilled professional with broad security knowledge can become an organization’s most valuable asset. Having a broader understanding of security, the practitioner can make accurate and timely impact assessments based on the changing threat and technology environment, assisting the executive board in allocating the resources required to implement proportionate mitigation measures, ensuring a cyber resilient organization. By implementing security controls aligned with the overall business goals, the security professional can help minimize the security risks, benefiting the organization in many ways and helping establish trust with customers and partners.

Team training can be very beneficial to your organization since it can be tailored to your budget and unique cybersecurity requirements. Hence, team training can help keep your team’s cybersecurity skills sharp, prove credibility to partners and clients and maximize your training investment.

What is more, in-house security training is an investment with great ROI. Instead of hiring more personnel and increasing your monthly expenditure, it is smarter to hire a security professional to deliver the in-house training. The money you spend will be invested wisely in enhancing your personnel’s foundational and versatile security skill set, which will help them build self-confidence in addressing complex security problems. Building “an army” of highly knowledgeable security professionals can help you mitigate threats, lowering the chances of being breached and having to face huge penalties, liabilities and loss of revenue due to damaged reputation. The cost of a single data breach far exceeds the cost of in-house team training.

How (ISC)² can help you

As the field of information security continues to grow and advance, more qualified workers are required to fill the many open positions in the marketplace. Investing in training your staff is a strategic decision that will enhance your overall cybersecurity posture and make your organization cyber resilient.

(ISC)² is the leader in security certifications and is acknowledged by companies worldwide. (ISC)² can help you discover the right path and create your plan, to ensure standards throughout your security team now and as they develop into new roles. And the best way to start building a security focused team is by pursuing the (ISC)² Systems Security Certified Practitioner (SSCP) certification.

SSCP is ideal for IT administrators, managers, directors, and network security professionals responsible for the hands-on operational security of their organization’s critical assets. The certification demonstrates that the practitioner has the advanced technical skills and knowledge required to implement, monitor, and administer IT infrastructure using security best practices, policies and procedures. (ISC)² provides in-house training for the SSCP certification, covering everything a security practitioner needs to know about keeping their business safe.

To learn how your business can benefit, access our new white paper or check out our Enterprise Training Solutions.