Cybersecurity is an HR Responsibility, Too
Cybercrime is a constant source of fear and frustration in the modern world of business. The number of attacks is increasing as the tactics used by cybercriminals become more sophisticated, and the potential damage to companies is rising too: the global average cost of a data breach reached $4.35m in 2022, according to IBM's Cost of a Data Breach report.
There are various factors driving the surge in cybercrime, but one recent study linked the increasing risk of cyberattacks to the shift toward remote work in recent years, as the typical remote workspace is insufficiently protected, creating cybersecurity vulnerabilities. Furthermore, because remote workers rely on digital communication tools to do their work, they are more susceptible to phishing and social engineering attacks. The study also claims that because remote workers are not physically in the office together, they may find it more challenging to communicate with colleagues and verify the information or requests made in phishing emails.
Given this potentially increased risk, should companies cease remote work? Doing so would come with its own costs, as remote work has been shown to lead to increased productivity and staff retention. Our survey of 1,004 HR and business decision-makers and workers across the world found that 69% of employers with a distributed remote workforce said that employee retention had increased since their business adopted the practice. Meanwhile, 72% of companies with an international remote workforce stated that productivity has risen since adopting a distributed model.
So, what should companies do to improve their cyber defenses without sacrificing the benefits of remote work? Organizations might assume that their cybersecurity is solely a concern for the IT department, but this is not the case. In fact, focusing too heavily on technology will ignore the most important element of cybersecurity: your people.
According to another IBM study, 95% of cybersecurity breaches involve human error as a contributing factor. So, if the people in an organization are the weakest link, then it is also the responsibility of HR to improve cybersecurity and help implement the practices needed to safeguard valuable data. HR has an invaluable role to play in preventing data breaches, and HR leaders must step up and help protect their organizations from cyber risks.
But what steps should HR take to address this issue? The first thing needed is to develop a culture of corporate cybersecurity safety through partnerships between HR leaders, internal IT teams, and data protection specialists. Cooperation across departments is essential.
One way in which HR can actively contribute is by partnering with IT to define access levels from the organizational structure, using attributes HR already maintains: an employee's department, role and seniority, and whether they are still employed. Access to specific types of information and actions is then granted only to those individuals who genuinely require it to fulfill their job responsibilities. The principle of least privilege serves as the guide here. The intent is not to exclude individuals or withhold knowledge from employees, but to acknowledge that employees in different departments, such as marketing and finance or accounting, do not require unrestricted access to each other's data. Tying access to HR records also means that a transfer between departments or a departure changes entitlements automatically, rather than relying on someone remembering to revoke them. This limits the potential damage of a data breach caused by, or carried out through, any single employee's account.
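The following is an added illustration of the approach described above, not code from Remote or from the original article. It treats the HR record as the source of truth and derives entitlements from department, seniority and employment status, so that a joiner, a mover between departments and a leaver are all handled by the same rule. The permission labels, departments and employee records are hypothetical; a real deployment would map the labels to groups in its identity provider.

```python
"""Least-privilege access derived from HR records (added example, hypothetical data)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Set, Tuple

# Hypothetical permission labels per department (assumption for illustration).
PERMISSIONS_BY_DEPT = {
    "marketing": {"read:campaign-data", "write:campaign-data"},
    "finance": {"read:ledger", "write:ledger", "read:payroll"},
    "hr": {"read:employee-pii", "write:employee-pii"},
}
# Extra permissions unlocked by seniority, but only inside the same department.
PERMISSIONS_BY_LEVEL = {
    ("finance", "manager"): {"approve:payment"},
    ("hr", "manager"): {"read:background-check"},
}
TODAY = date(2023, 6, 1)  # fixed "today" so the example is deterministic


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    level: str                      # "staff" or "manager"
    end_date: Optional[date] = None  # set by HR when the employee leaves


def entitlements(rec: HrRecord, today: date) -> FrozenSet[str]:
    """Permissions this employee should hold as of `today`, derived purely from HR data."""
    if rec.end_date is not None and rec.end_date <= today:
        return frozenset()  # leaver: everything is revoked, no exceptions
    perms: Set[str] = set(PERMISSIONS_BY_DEPT.get(rec.department, set()))
    perms |= PERMISSIONS_BY_LEVEL.get((rec.department, rec.level), set())
    return frozenset(perms)


def is_allowed(rec: HrRecord, permission: str, today: date) -> bool:
    return permission in entitlements(rec, today)


def reconcile(rec: HrRecord, granted: Set[str], today: date) -> Tuple[Set[str], Set[str]]:
    """Compare what the directory currently grants with what HR says it should.

    Returns (to_add, to_revoke). Anything granted that cannot be derived from the
    HR record is excess privilege and is revoked; this is how a mover loses the
    access of their old department without a manual ticket.
    """
    should = set(entitlements(rec, today))
    return should - granted, granted - should


def demo() -> dict:
    alice = HrRecord("e100", "marketing", "staff")
    bob = HrRecord("e200", "finance", "manager")
    dave = HrRecord("e201", "finance", "staff")
    carol = HrRecord("e300", "finance", "staff", end_date=date(2023, 5, 31))
    # Mover: HR updates alice's department; her old marketing grants become excess.
    alice_moved = HrRecord("e100", "finance", "staff")
    to_add, to_revoke = reconcile(alice_moved, set(entitlements(alice, TODAY)), TODAY)
    return {
        "marketing_reads_ledger": is_allowed(alice, "read:ledger", TODAY),
        "finance_mgr_approves": is_allowed(bob, "approve:payment", TODAY),
        "finance_staff_approves": is_allowed(dave, "approve:payment", TODAY),
        "leaver_has_access": bool(entitlements(carol, TODAY)),
        "mover_revoked": to_revoke,
        "mover_added": to_add,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful property is that no one grants access directly: `reconcile` is what an identity pipeline would run on every HR change, so the same rule that prevents marketing reading the ledger also strips a departing employee of everything on their end date.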
Next, HR can use recruitment, onboarding, and ongoing training as opportunities to ensure staff are aware of their responsibilities towards cybersecurity across the organization.
For instance, recruitment is an opportunity to probe candidates for any potential red flags, given that employee misconduct is a common cause of data breaches. Running background checks on applicants to verify the accuracy of their employment and education history and screening for any history of criminal activity or policy violations is essential.
HR departments themselves must also be careful during the recruitment period not to fall for a ransomware or phishing attack disguised as a resume or cover letter. And if they are to conduct virtual interviews with candidates, then HR teams must ensure they have appropriate network security measures in place, and confirm any recruitment software being used is installed with the latest security updates.
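As an added example of the kind of check a recruitment inbox can apply before anyone opens a "resume" (this is not code from Remote or from the original article), the block below parses an inbound message and flags the properties that phishing and ransomware lures typically rely on: an attachment type that can execute code, a double extension hiding that type, a macro-enabled Office document, an archive whose contents are unknown, and a Reply-To that redirects replies to a different domain than the sender's. The two sample messages, addresses and filenames are constructed for the illustration.

```python
"""Triage checks for attachments arriving in a recruitment inbox (added example)."""
import email
import email.utils
from email import policy
from email.message import EmailMessage
from typing import List, Optional

EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
ACCEPTED_EXTS = {".pdf", ".docx", ".txt", ".rtf"}  # what a resume legitimately arrives as


def _domain(header_value) -> str:
    """Lowercased domain of the first address in a header, or '' if absent."""
    if not header_value:
        return ""
    addr = email.utils.parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _extensions(filename: str) -> List[str]:
    """Every extension in a filename: 'cv.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def triage(raw_message: bytes) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings: List[str] = []

    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = _extensions(name)
        if not exts:
            findings.append(f"attachment without an extension: {name!r}")
            continue
        last = exts[-1]
        if len(exts) > 1 and last not in ACCEPTED_EXTS:
            findings.append(f"double extension hides the real type: {name}")
        if last in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
        elif last in MACRO_EXTS:
            findings.append(f"macro-enabled Office document: {name}")
        elif last in ARCHIVE_EXTS:
            findings.append(f"archive attachment, contents unknown: {name}")
        elif last not in ACCEPTED_EXTS:
            findings.append(f"unexpected attachment type: {name}")
        # A declared MIME type that contradicts the extension is another tell.
        if last == ".pdf" and part.get_content_type() != "application/pdf":
            findings.append(f"{name} declared as {part.get_content_type()}, not application/pdf")
    return findings


def build_sample(from_addr: str, reply_to: Optional[str], filename: str,
                 payload: bytes, subtype: str) -> bytes:
    """Construct a sample application e-mail (constructed test data, not a real message)."""
    m = EmailMessage()
    m["From"] = from_addr
    if reply_to:
        m["Reply-To"] = reply_to
    m["To"] = "careers@example.com"
    m["Subject"] = "Application: Senior Engineer"
    m.set_content("Please find my resume attached.")
    m.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: one lure, one legitimate-looking application.
SUSPICIOUS = build_sample("Jane Doe <jane@mail.example>", "hiring-reply@drop-box.example",
                          "resume.pdf.exe", b"MZ\x90\x00", "octet-stream")
CLEAN = build_sample("Jane Doe <jane@mail.example>", None,
                     "jane-doe-resume.pdf", b"%PDF-1.4\n", "pdf")

if __name__ == "__main__":
    print("suspicious:", triage(SUSPICIOUS))
    print("clean:", triage(CLEAN))
```

The point of the check is that it runs before a human is asked to judge the message: the filename `resume.pdf.exe` looks like a PDF in a mail client that hides extensions, and a Reply-To pointing elsewhere is invisible unless someone looks for it.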
Similarly, the onboarding phase is a crucial moment for HR to help protect sensitive information. HR must keep a record of all the equipment a new employee receives and ensure it is returned, and their accounts and access revoked, if and when the employee leaves the company, so they do not take away any sensitive data. New recruits must also be made aware of important safety precautions, such as how to spot phishing emails and how to build strong, unique passwords.
Again, HR must also be careful during the onboarding phase, as it will receive a large amount of personally identifiable information from the new employee, often via email or fax, neither of which guarantees protection of the data in transit. HR departments should collect such data over an encrypted channel, such as a secure HR portal or encrypted email, and ensure it is encrypted once stored.
Finally, training is a significant opportunity to invest in ongoing cybersecurity education so your team can establish and maintain best practices. Employees need regular reminders about the dangers posed by weak passwords and phishing emails. This training is also an opportunity to teach staff about the latest hacking methods used by cybercriminals and how to stay safe while working remotely. For instance, public Wi-Fi can represent a major risk: although remote workers may enjoy the flexibility to work from a cafe or public space, they are safer tethering to their smartphone as a hotspot, or at least using the company VPN, rather than connecting directly to an unknown network.
At Remote, all staff are required to undergo training within their first 30 days of employment and annually thereafter, to ensure they understand security policies, procedures, and best practices. Investing in your workforce through training helps to create trust among your employees, who are your first line of defense against a cybersecurity breach.
Companies do not have to grapple with this task alone; they can work with trusted partners who can help to protect their data while continuing to employ an internationally dispersed workforce. Employer of record (EOR) service providers can help organizations grow secure global teams, while also ensuring employers are compliant with local and international data protection laws in the markets where they operate. This frees companies to focus on managing and growing their business.
There are further advantages to collaborating with companies like Remote that own their end-to-end operations rather than relying on third-party entities: it gives them complete control over the data and avoids the risk of uncertain data handling practices further down the chain. Remote sought out ISO 27001 certification, the best-known internationally recognized standard for information security management systems, as well as a SOC 2 Type II attestation, to demonstrate our commitment to information security and to providing a secure platform for our customers. Because EORs handle sensitive employee data, including personal information, financial records, and legal documents, this independent certification and attestation gives employers a standardized confirmation that rigorous security measures protect their employee information.
Integrating cybersecurity into company culture must be an endeavor tackled by the whole organization, not just the IT team. The HR department has a key role to play in building a solid and safe foundation for a business to grow its globally distributed workforce.
By Marcelo Lebre, COO and co-founder of Remote.