Why HR is critical now to preventing phishing and cyberattacks

After a record year of data breaches highlighted widespread vulnerabilities, many enterprises are rethinking their cybersecurity strategies. Organizations that enabled remote access or moved to the cloud and work-from-home quickly out of necessity as the pandemic spread are finding that they may not have fully addressed security dependencies in the process. Industry experts expect that hackers are both aware of these emerging vulnerabilities and working to exploit them. As a result, large-scale attacks are expected to continue to proliferate well into 2022, affecting even those organizations that are veteran cloud users.

One kind of cyberattack that is widespread yet easily preventable? Phishing. Three-fourths of organizations experienced at least one phishing attack in 2020, according to a report from Proofpoint. Phishing scams rely on social engineering or psychological manipulation. The goal of a phisher is to manipulate victims into giving away confidential information. Without the proper tools, training and defense systems in place, enterprises will remain in a crippling, reactionary cycle, responding to breaches instead of preventing these types of attacks by starting at the entry point: employees.

HR has a critical role to play in breaking this cycle. Unlike the role IT plays, where leaders are often focused on business-critical systems and the tech stack, HR leaders have a holistic view of the organization and the people and processes that power it. As such, HR is in a unique position to effect change. From developing and implementing company-wide training programs and formal collaborations with IT to revamping hiring and security policies, HR leaders can work proactively to help the organization prevent phishing, ransomware and other attacks.

Why Phishing Attacks Are So Pervasive

Quite simply, phishing and malware attacks have increased because they work. Three in four organizations in the United States have fallen victim to a successful phishing attack, a number that is 30% higher than the global average and up 14% from last year.

In its classic form, a phishing attack looks something like this: The attacker, posing as something or someone else–a familiar bank or HR rep, for example–sends a message asking users to click a link to verify their account, confirm their billing information or take some other action. The recipient, who trusts the sender, then provides sensitive personal information or clicks on a link that downloads ransomware.


Phishing attacks have been around for more than 25 years–the practice originated around 1995–but COVID-19 created a perfect storm that is fueling larger, more damaging attacks. With entire industries shifting to work from home, remote work is now “just work.” Remote connectivity presents a host of new security challenges, introducing risks where there weren’t any before.

Because there’s no guarantee that the remote network or computer an employee connects from is properly secured, IT’s ability to prevent phishing needs to be augmented by a more robust response from HR. Doing nothing can be catastrophic for a business. Accounting and finance functions were often the most targeted, as companies moved from on-premises to remote access for critical systems, and a single lapse can cause millions of dollars in damages.

How HR Leaders Can Help Prevent Phishing Attacks

For many years, security was considered to be an IT problem, but it goes far beyond securing data and systems with VPNs and other security measures. HR leaders can play an essential role in protecting the organization against phishing attacks with a few key steps:

Stay aware of evolving threats. Be proactive by educating yourself about overall market trends. The security landscape is dynamic, with new threats emerging all the time. To master technical content, consider partnering with someone in IT who can explain the impact of a particular risk. Utilize outside resources such as Krebs on Security, which provides news and analysis of emerging threats, with explanations of potential risk and impact.

Develop ongoing quarterly training programs. The best form of protection is to educate employees. How savvy are your teams, and are they aware of the risks of clicking on a link or attachment from an unknown sender? Are they likely to take an email that’s ostensibly from the CEO at face value, even if it seems to be making a strange request?

  • With its organization-wide view, HR can put risks into context in a way that stakeholders across the enterprise can more readily understand.
  • It’s particularly important to tailor training to people in high-risk roles, such as the C-suite, accounting and finance, as well as IT administrators who may have access to a greater number of systems.

Set people-related security policies–and include consequences for repeated violations. If an employee acts in a way that could expose the company to a phishing attack, do they know how their behavior needs to change? Clearly define and communicate your expectations and include escalating consequences in case employees are unable or unwilling to change.

Identify potential insider threats with pre-employment, employment and post-employment measures. During the hiring phase, probe into any red flags and screen for a history of security violations. Once someone is working within the organization, identify and report any concerning behavioral changes. If an employee violates a security policy, review what happened and what co-workers may have observed–with large-scale breaches enabled by an insider, organizations almost always find that there were early warning signs that were overlooked or ignored. Work with legal teams to determine whether an investigation is necessary.

When an employee leaves the organization, ensure that access to critical systems is terminated promptly and that you have a process in place to notify co-workers of the departure. Many organizations lag in notifying IT about changes in employee status, and automated audits can help ensure that as an employee’s status changes (whether from leaving the company or moving to a new role in the organization), so too does access.
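The automated audit described above can be as simple as a scheduled reconciliation of the HR roster against the identity system's account list. The following Python script is an added example, not code from the article or from PK; the usernames, roles, group names and dates are constructed sample data, and the role-to-group mapping is a hypothetical policy table that a real deployment would pull from its own access model. It flags leavers whose accounts are still enabled or still hold group memberships, movers who kept entitlements from a previous role, accounts with no HR owner, and active accounts that have gone dormant.

```python
"""Joiner/mover/leaver access reconciliation.

Added example (not from the article or PK). Cross-checks an HR roster
export against the identity provider's account list and flags accounts
whose access has not followed the employee's HR status. All names,
roles, groups and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical policy: the only groups each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "accountant": {"finance-users", "vpn"},
    "sysadmin": {"domain-admins", "servers", "vpn"},
    "recruiter": {"hr-users", "vpn"},
}
DORMANT_DAYS = 90  # active accounts with no login for longer than this are flagged


@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str      # "active" or "terminated"
    role: str
    effective: date  # date the current status/role took effect


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset
    last_login: Optional[date]


def audit_access(hr_records, accounts, today) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every account out of step with HR."""
    findings = []
    hr_by_user = {r.username: r for r in hr_records}
    acct_by_user = {a.username: a for a in accounts}

    for user, acct in acct_by_user.items():
        rec = hr_by_user.get(user)
        if rec is None:
            # Nobody in HR owns this account: it cannot be deprovisioned on departure.
            findings.append((user, "orphan: account has no HR record"))
            continue
        if rec.status == "terminated":
            if acct.enabled:
                days = (today - rec.effective).days
                findings.append((user, f"leaver: account still enabled {days} days after termination"))
            elif acct.groups:
                # Disabled but not cleaned up; re-enabling it would restore old access.
                findings.append((user, "leaver: disabled but still holds group memberships"))
            continue
        # Active employee: entitlements must match the current role only.
        excess = acct.groups - ROLE_ENTITLEMENTS.get(rec.role, set())
        if excess:
            findings.append((user, f"mover: holds groups outside role '{rec.role}': {sorted(excess)}"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append((user, f"dormant: no login in over {DORMANT_DAYS} days"))

    for user, rec in hr_by_user.items():
        if rec.status == "active" and user not in acct_by_user:
            findings.append((user, "joiner: active employee has no account"))
    return findings


# Constructed sample roster and account export.
TODAY = date(2022, 3, 1)
SAMPLE_HR = [
    HrRecord("alice", "active", "accountant", date(2021, 1, 4)),
    HrRecord("bob", "terminated", "sysadmin", date(2022, 1, 15)),
    HrRecord("carol", "active", "accountant", date(2022, 2, 1)),   # moved from sysadmin
    HrRecord("dave", "terminated", "recruiter", date(2021, 6, 1)),
    HrRecord("frank", "active", "recruiter", date(2022, 2, 21)),
    HrRecord("grace", "active", "recruiter", date(2020, 9, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"finance-users", "vpn"}), date(2022, 2, 28)),
    Account("bob", True, frozenset({"domain-admins", "servers", "vpn"}), date(2022, 2, 20)),
    Account("carol", True, frozenset({"finance-users", "vpn", "domain-admins"}), date(2022, 2, 27)),
    Account("dave", False, frozenset({"hr-users"}), date(2021, 5, 30)),
    Account("eve", True, frozenset({"vpn"}), date(2021, 10, 1)),
    Account("grace", True, frozenset({"hr-users", "vpn"}), date(2021, 11, 1)),
]


def run_sample_audit() -> List[Tuple[str, str]]:
    return audit_access(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print(f"{user:8} {finding}")
```

In practice the two inputs come from the HRIS export and the directory or identity provider, the run is scheduled daily, and each finding is routed to the owning manager and IT with a deadline; the "days since termination" figure is the metric worth tracking quarter over quarter, since it measures exactly the notification lag the paragraph above describes.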

Then, do it all again. Just as cyber threats continue to evolve, so should HR’s practices and policies. Monitor the effectiveness of what you’ve put in place and take steps to remediate as needed. Look at metrics and refresh training quarterly. It’s far from a set-it-and-forget-it approach.

No organization is perfectly secure, but HR can play an essential role in preventing a phishing attack. People–the enterprise’s single greatest asset–are also its single greatest risk. By implementing training, policies and security practices that span the employee lifecycle, HR can be a true partner with IT in protecting the organization.

Ryan Riggs and Carissa Destinia
Ryan Riggs is the managing director of cybersecurity at PK, a global digital services firm. Carissa Destinia is a senior consultant at PK, focusing on HR transformation strategy and implementation.