Opinions expressed by Entrepreneur contributors are their own.
If your company was hit by ransomware today, who would you call? Or perhaps a better question: How would you call them? It sounds absurd, but as a cybersecurity expert, I’ve seen organizations paralyzed in the first hours after an incident simply because nobody knows anyone’s cell number anymore. Without access to email or messaging systems, communication grinds to a halt and workers, customers and suppliers are all left wondering what is going on. Panic rapidly escalates into a crisis.
There’s a tendency to think about cybersecurity as being the responsibility of the IT or security department. But protecting your company comes down to two things: organizational culture and planning. That’s why some of the most important people on cyber defense aren’t in the IT team — they’re in human resources.
The HR team is uniquely placed to embed cybersecurity preparedness into the everyday working of an organization. It’s responsible for building the policies and processes to mitigate risks and ensure the business has the competencies to be resilient to foreseeable challenges — and those include cyberattacks. And as the custodians of employees’ sensitive personal information, HR teams are themselves prime targets for hackers.
Unfortunately, this vital role is often overlooked. So here are five ways HR can help make your business a tough target for cybercriminals.
Build a cybersecurity culture
Eternal vigilance is the price of our liberty to roam the internet. The number of threats is mind-blowing — a recent report found the average education institution faces more than 2,300 attempts to breach its systems in a week, while healthcare organizations fend off more than 1,600 attacks. With so many digital grenades being lobbed, it’s incredibly hard to catch them all. However, a strong cybersecurity culture helps an organization defend against attacks and limits the blast radius when one does get through. The tough part: Everyone has to be on the same page when it comes to online behaviors.
Step one is to ensure you have the training tools so that employees know what they should and should not be doing. Most organizations are reasonably good at this. Whereas, many fall short by not putting that information into practice every day.
The best way to ensure that everyone considers cybersecurity a fundamental part of their responsibilities is to build it into performance reviews. This should not take the form of calling out workers for every dodgy link they click on. Instead, it should be a constructive conversation about how they’re keeping up with their cyber literacy training. There are cyber health-check tools that workers can use to analyze their online behavior and address weaknesses (like reusing Pa$$w0rd across half the internet or not using two-factor authentication) and often these can be used to track progress toward cybersecurity goals at an organizational level.
When safety precautions are regularly discussed, they just become part of how you do business.
Protect your crown jewels
HR has custody of some of the most sensitive information in an organization — and hackers know this. In the past five years or so, many companies have adopted platforms that enable employees to self-serve routine tasks like vacation requests. However, third-party platforms come with risks. Hackers target them in so-called supply chain attacks, knowing that if they get lucky, they can access troves of information from multiple companies. In 2021, more than 300 organizations were breached in a hack of a widely used file transfer system. One of these was the University of California, which said the information exposed included employees’ social security numbers, driver’s licenses and passport details (the UC system offered its staff free ID monitoring services).
Job one for HR professionals is to ensure employee data remains confidential. Perform extensive due diligence before your organization signs up for any third-party HR service. Only consider companies that comply with international standards (SOC 2 and ISO 27001 are the main ones to look out for) and check online for reports of security incidents at the site in the past few years. Also, look into where your data is being stored and how it is being backed up. Depending on your location and industry, you may have to comply with data residency laws.
Stop hoarding data
Updating the data retention policy should be on the to-do list of every HR department. I say updating because every company has a data retention policy whether they know it or not. If yours isn’t written down, then your policy is simply to keep everything forever. And that exposes you to considerable risk. The more data you have, the worse a breach can be — it’s especially bad if you’re hoarding data you no longer need. Many jurisdictions have limits on how long companies should retain sensitive information — it’s often around seven years for records on former employees.
Figure out who will call the shots when a breach happens
Cybersecurity may be everyone’s day-to-day responsibility, but when an attack gets through there should be one person in charge of the response. In cybersecurity lingo, we call this the incident commander. While everyone can have an opinion on the best course of action, decision-making power rests with them.
The job spec for incident commander only has one line: It’s whoever best understands cybersecurity issues in your organization. Depending on the size of your business, that might be a cybersecurity leader, the head of IT or it could be Joanne in accounting who took a few courses on this stuff. Whoever it is, make sure you’ve identified them before an incident happens and have clearly communicated that to your team. Once a cybersecurity incident happens, events move quickly — in one case I was involved in, the hackers gave a 45-minute warning before starting to post sensitive information — so you don’t want to waste time figuring out who’s in charge.
Run some drills
Planning is only one half of the equation. Practice is the other. Plenty of research has shown that people don’t think clearly in stressful situations. We perform drills for fires and earthquakes to give us a framework to fall back on in an emergency. The same idea works for cybersecurity incidents. Set aside two hours once a year to run a tabletop exercise with key staff that simulates what you’ll do if the company is hacked. In these exercises, someone takes the role of a moderator to explain the nature of the attack and what’s been affected, while everyone else plays out how they’d respond.
The first time you conduct the exercise, it’ll likely be a mess — but that’s the point. The scramble to figure things out will reveal the gaps in your plans. Over time, the drills will become second nature.
Related: So, You’ve Been Hacked. These are the Best Practices for Business Leaders Post-Hack
And write contact information down — on paper
Put the incident team’s phone numbers down on paper and update the list regularly. Yes, it’s old school. Yes, it’s annoying. And yes, one day you’ll be thankful you did.