HR and Cybersecurity
Conduit for Change
July 2, 2020
Cybersecurity is far more topical than ever, as real dollar losses, the resulting reputational damage, and business disruption continue to drive major headlines around the world. Typically there are two broad forms of cyber-attack against staff members from the outside. The first is a scattergun email sent to many end users across multiple corporates, aimed at encrypting corporate data so that it cannot be used without a ransom payment, which may or may not unlock your data. The second is a highly targeted email, or a voice-driven vishing call, directed at specific individuals or groups within a single company, with the primary objective of making you undertake an action or series of actions that results in a transfer of funds. Whilst cybersecurity has improved, it still has a long way to go for the reasons drawn out below, and one major risk vector remains: a single employee clicking on a hyperlink that triggers a malware event, or starting a process action that leads to a funds transfer.
HR has a real opportunity to step up and be part of the solution by influencing your internal cyber culture in the fight to maximise cybersecurity awareness. With vishing and phishing among the leading threat vectors for attack initiation, Human Resources is in a prime position to embed and constantly reinforce an enhanced awareness of best practices for mitigating these risk types throughout the organisation, including the C-suite.
Complicating matters is the assigned role of HR and whether it is managed through functional or geographical reporting lines. For example, is it seen as a cost centre or as a mission-critical function for value creation? All corporates are different, even across geographies, and with Human Resources Management systems having been relatively late in deployment within most corporates, there is in fact a complex series of undertones that will influence the outcome of any cyber step-up scenario, especially those relating to the consistency of a global or regional approach.
Human resources management software has been relatively late to arrive within corporates compared with other business software areas such as Financials. Historically this lag is mainly due to the complexity of global payrolls, with vendors even today finding it hard to build and maintain these types of systems, coupled with the economics and risks of such ventures.
The existence of an HR function itself at a regional or entity level is also not a given, and very much depends on the size of the organisation at any specific location, its overall strategic value, and its individual market dynamics. To a certain extent it also depends on the presence of individual digital innovation drivers who are focused on removing friction from business processes by enabling more functions to be undertaken directly by staff and managers, for example through Employee Self Service (ESS) and Manager Self Service (MSS) applications respectively.
However, building proactive cyber awareness requires managed execution, for example through ESS, training content, an execution methodology and constant reinforcement, so Human Resources is in an ideal position to influence behaviour throughout the employee lifecycle and instil a strong cyber culture. Some corporates treat cybersecurity as a tick-box activity, but in reality it needs to be proactively and dynamically managed, consistently across the corporate. One has to start somewhere.
This needs to be done for all employees, including the C-suite, making them aware of the risk vectors, and it should be paired with an overall corporate incident response plan for each entity, so that no time is lost when a breach occurs. After all, although we can all mitigate risk we cannot fully remove it, and no one is risk free.
As a result of the above, HR policies today are loosely managed compared with where they will be over the next 5 to 10 years, with many subtle operational variances between entities that are probably not fully understood at HQ.
Corporates do not yet generally enjoy in-depth and timely visibility into the operational dynamics of their organisations, and some have even been slow to leverage senior HR resources across their smaller operational units through proactive processes with oversight. Important drivers, such as access to an ageing of approved but unfilled hires or granular reasons for attrition, do not exist for many smaller and larger business units across the globe, thereby inhibiting proactive business execution.
After all, how many corporates still do not have immediate access to their current headcount numbers, mainly because of the aggregation and transformation required to produce consistent data, particularly where staff pay scales or pay grades are not in place?
HR software has lagged other types of business software deployment, probably because the underlying payroll applications have been acquired by corporates from multiple geographic vendors who serve only a few limited markets, leaving corporate choice highly constrained.
This in turn explains why ESS and MSS deployments are relatively new, and used more lightly in some entities than in others within the same corporate, because payroll is inextricably linked to these underlying processes.
On the other hand, ESS and MSS touch many subtle cyber areas that can delay deployment, since they are new within the corporate, or within certain geographic locations of that same corporate, and require a learning curve before execution: for example HTTPS, encryption at rest and in transit, secure point-to-point access for staff to these systems, cloud deployments, GDPR, the China Cyber Rules, etc. In many respects HR's advance around the boardroom table has probably lagged simply because of the non-availability of standardised data points and of mechanisms to compare them.
HR having a seat around the boardroom table has been a contentious area. This has been driven partly by a lack of understanding at senior level of how a corporation might benefit from a more proactive and functional HR team, partly by the cost of achieving its active deployment, and more pertinently by a lack of timely, real-world metrics of perceived value to drive value creation within and across each entity.
HR systems have in fact progressed to the next level, with new deployments allowing end-to-end processes to be deployed from data collection, through all required transformational process flows, with contextual actionable reporting available anywhere within the process, and on to workforce planning simulations.
This is starting to empower Human Resources to drive revenue, for example by leveraging proactive sales commissions where appropriate, and to provide a better mechanism for handling specific challenges such as oversight, diversity and gender pay throughout the corporate. Put another way, it is an enabler for smaller operations to step up, and a precursor for larger ones to start exploring new tools such as AI to remove bias from pay rises awarded by individual managers.
It seems slightly unfair in life that a company can suffer severe reputational loss from one employee clicking on a nefarious link, or from an error in the execution or deployment of underlying software, but that is simply the nature of the beast and a result of today's interconnected environments. One simply cannot dismiss the fact that, at any point in time, the true driver for an attack may be simple or complex.
Who should own the cyber challenge, at least as it relates to staff? Ultimately it should be a board-level decision driven by the CEO, given the risks involved, but with shared responsibilities across all functional areas including Human Resources Management, because an instant reputational hit with devastating short-term impact might be only a click away.
HR is still emerging and arguably has not had the benefit of the analytical tools needed to drive even more tangible and meaningful value within the enterprise. But with digital innovation driving change, not to mention major risk, there is an immediate gap that Human Resources can fill in order to step up and play a much more pivotal and inclusive role, especially as new data performance metrics will bridge the gap between HR and finance. A game changer to be leveraged!