By Simon Kent
Recent history has shown that despite living with technology for many years, organisations are as vulnerable to cyberattacks as ever. Indeed, the increasing sophistication of attacks may be mirroring the increasing sophistication of systems. As organisations trust more of their business and data to technology, they also increase the associated risk. However, there are still steps which organisations, and HR in particular, should take to protect their businesses and thereby their people and reputations.
Earlier this year, U.K. law firm Nockolds analysed reports to the country’s Information Commissioner’s Office (ICO) and found that data protection breaches involving employee data have reached their highest level since 2019. Powered perhaps by the increase in hybrid and home working, the firm found a 40.76% increase in such breaches during 2023, with reports to the ICO increasing by nearly 1,000 over the previous year. Ransomware attacks rose from 352 in 2022 to 554 in 2023, an increase of 57.39%. Phishing attacks targeting employee data jumped by 56%. While security tools no doubt have a part to play in organisational security, they are only ever going to be as strong as the culture that surrounds them. And that’s where HR comes in.
“The best thing HR can do to help prevent personal data from falling into the wrong hands is foster a work culture that keeps data security top of mind,” agrees Joy Burkholder Meier, general counsel and chief human resources officer at application security business Black Duck. “Data security training, as well as phishing tests are critical to keeping an organisation safe, particularly because bad actors often impersonate HR or payroll team members to lure unsuspecting employees into sharing sensitive information.”
However, the risk to businesses is not always straightforward. Kristian Torode, director and co-founder of Crystaline, a Vodafone secure device manager provider, suggests the platforms HR is using aren’t designed with security front of mind. “At a time when hybrid work and cross-functional systems demand data sharing, HR teams need secure, traceable communication tools that don’t rely on personal messaging apps or unmanaged cloud services,” he says. “One essential step is to implement a unified communications (UC) platform with business-grade encryption, access controls, and audit trails. This ensures HR data isn’t scattered across multiple channels like email, text or WhatsApp, where it's hard to control or retrieve. UC platforms help HR teams share sensitive updates securely with managers, legal or payroll, while maintaining a clear record for compliance.”
Torode extends consideration to mobile device management (MDM) as many HR professionals work on the go. “MDM allows organisations to enforce essential protections such as strong passwords, data encryption, app usage controls, and the ability to remotely lock or wipe a device if it’s lost or stolen,” he says.
“Any AI tools being utilized must be continuously monitored and refined to ensure proper alignment with regulations and company values. Without human oversight, AI-generated insights can deteriorate over time, leading to unintended consequences. Regular updates and ethical consideration must therefore remain central.”
It should be noted that the risks HR is dealing with are not always straightforward either. AJ Lindner, a solutions architect at One Identity, recounts the case of a disgruntled tech staffer in America who activated computer-crashing and file-deleting code when his employment was terminated. The attack was clearly premeditated, triggered by a company restructure that reduced the employee’s responsibilities. As such, the danger could have been on HR’s radar and the business could have spotted what was happening before it did.
“A mature cybersecurity programme monitors the internal environment in great detail, from firewall and network activity to application behaviour,” explains Lindner. “One of the critical signals should be the identity and access management suite. Login events, access requests, and user behaviour across the environment could point to an imminent attack, or a breach.”
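As an added illustration (not code from the article or from One Identity) of the correlation Lindner describes: HR status changes such as a role reduction or termination date are joined against IAM audit events so that logins or access requests that no longer fit the person's status surface as signals for the security team to triage. The roster, the log lines, the field layout and the working-hours threshold are all constructed assumptions.

```python
"""Correlate HR status changes with IAM audit events (constructed sample data)."""
from datetime import datetime

# Constructed HR roster: when a user's role was reduced, when they left,
# and which entitlements their current role still justifies.
HR_ROSTER = {
    "jdoe":   {"role_reduced": "2024-03-01", "terminated": "2024-03-15", "entitlements": {"helpdesk"}},
    "asmith": {"role_reduced": None, "terminated": None, "entitlements": {"payroll", "hr_db"}},
}

# Constructed IAM audit lines: "<ISO timestamp> <user> <event> <target>"
IAM_LOG = """\
2024-02-20T09:01:00 asmith login vpn
2024-03-02T22:45:00 jdoe access_request prod_db_admin
2024-03-03T23:10:00 jdoe login build_server
2024-03-16T01:12:00 jdoe login vpn
2024-03-04T10:00:00 asmith access_request payroll
"""

WORK_HOURS = range(7, 19)  # assumed business hours, 07:00-18:59


def parse(log):
    """Yield (timestamp, user, event, target) tuples from the audit text."""
    for line in log.splitlines():
        ts, user, event, target = line.split()
        yield datetime.fromisoformat(ts), user, event, target


def find_signals(log, roster):
    """Return (user, signal, iso_timestamp) for events that conflict with HR status."""
    findings = []
    for ts, user, event, target in parse(log):
        rec = roster.get(user)
        if rec is None:  # activity from an account HR does not know about
            findings.append((user, "unknown_user", ts.isoformat()))
            continue
        term = rec["terminated"] and datetime.fromisoformat(rec["terminated"])
        if term and ts >= term:  # any activity after the leaving date
            findings.append((user, "post_termination_access", ts.isoformat()))
            continue
        reduced = rec["role_reduced"] and datetime.fromisoformat(rec["role_reduced"])
        if not (reduced and ts >= reduced):
            continue  # normal status: nothing to correlate against
        if event == "access_request" and target not in rec["entitlements"]:
            findings.append((user, "privilege_request_after_role_reduction", ts.isoformat()))
        elif event == "login" and ts.hour not in WORK_HOURS:
            findings.append((user, "off_hours_login_after_role_reduction", ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in find_signals(IAM_LOG, HR_ROSTER):
        print(finding)
```

In practice the roster would come from the HR system's feed and the log from the identity provider's audit export; the point is that neither source flags the case on its own.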