
6 Ways HR Can Help Prevent a Data Breach


New Zealand companies face a growing number of cybersecurity incidents and data leaks. Fortunately, human resource professionals can oversee employees and enact policy changes to help the information technology (IT) department prevent breaches.

1. Audit and Enforce Compliance 

Even in a well-trained workplace, people make mistakes. Research shows 95% of global cybersecurity incidents occur because of human error. If human resources (HR) professionals want to shrink this statistic, they need to develop a strategy to audit and enforce compliance.

To begin, employees should be the top priority since they have the potential to do the most damage. The HR department can use a combination of technology and policies to ensure they remain compliant with cybersecurity best practices.

Vendor compliance is fundamental to a company’s security, which makes third-party service providers a high priority. Although HR professionals can’t be as thorough with their audit in this case, they can make up for it by routinely communicating their expectations.

In situations where an audit uncovers noncompliance, the HR department must investigate. Finding the vendor or worker who’s responsible protects the company from future data breaches. Some scenarios may require help from the IT or legal department, so it is best to strategize before moving forward. 

2. Improve Password Management

Proper password management is fundamental to a company’s security. If an attacker steals login credentials or uses brute-force strategies, they can do serious damage. Even a single compromised account contains enough sensitive data and communications to put a company at risk of a data breach.

Poor password management can increase the chances of a data breach. If employees reuse login credentials, attackers can use previously stolen credentials to hijack multiple accounts. At that point, the IT department will have difficulty securing systems and data.

Fortunately, HR professionals can educate employees to help secure their company. Typically, experts say passwords should contain numbers, special symbols and at least sixteen characters. It’s also a good rule of thumb to never use dictionary words since they make brute-force attacks easier.

If employees share company accounts, the HR department can use a password manager. With this tool, they can keep all sensitive credentials in one place instead of spread out on everyone’s personal devices. As a bonus, it makes updating login details far more straightforward.

3. Train and Test Staff

In New Zealand, cyber-attacks have increased for many years. In fact, New Zealanders reported over 8,800 cybersecurity incidents to the Computer Emergency Response Team (CERT) in 2021 alone. Although they’re becoming increasingly common, many professionals are unaware of how to deal with them.

Fortunately, the HR team can train employees to make sure they know how to prevent data breaches. Routine meetings, short quizzes and education sessions led by the IT department will inform everyone about potential risks and best practices.

HR professionals should conduct tests to see how well employees absorbed the material. Considering phishing is one of the top five attack tactics in New Zealand, fake phishing emails would be incredibly helpful. This method shows who was paying attention and who needed additional training. At the very least, it acts as a good refresher.

4. Use the Principle of Least Privilege

Many companies — especially small and medium-sized businesses — don’t have a set hierarchy for who can use data, systems or applications. Instead, anyone can access anything at any time, increasing the chances of accidents, negligence and vulnerabilities. As a result, breaches have become more common.

The principle of least privilege is the best way to address this situation. It restricts access to systems, applications and data unless employees explicitly need those resources to do their jobs. The HR or IT department can grant special authorization upon request if they want to.

These additional security and identity validation layers minimize human error and make it easier to trace data breaches back to the source. Best of all, they effectively make phishing useless since most employees won’t have access to anything of use to the attacker.

5. Provide Company Devices

Cybercriminals are taking advantage of weaknesses to launch massive attacks. According to the New Zealand Government Communications Security Bureau, vulnerability exploitation is becoming more common and severe. Its scale and speed have increased drastically since anyone can find a security gap using only a particular search engine.

This development isn’t an issue for those who routinely scan for vulnerabilities, update devices and patch weaknesses. However, companies that allow employees to use their personal phones and computers are at risk of an exploitation-based data breach.

Many companies allow employees to use their own technology for work purposes. After all, it would be expensive to buy and maintain enough devices for the entire workplace. However, they open themselves up to risk this way. Instead, they should provide company laptops, tablets, wearables or phones — whatever people need to do their jobs.

Data breaches can be costly. While they cause $4.9 million in direct losses per quarter on average, damages totaled $5.8 million in the first quarter of 2023 — a 66% increase from the end of 2022. Naturally, purchasing company devices is a much better investment since it pays off in the long run and is far more affordable.

When the HR team assigns work laptops and phones to employees, they can schedule updates, block sketchy websites and enforce relevant punishments for risky behavior. Generally, all company devices should have built-in security measures — like multi-factor authentication and antivirus software — to further protect against data breaches. 

6. Install Tracking Software

Although most employees don’t view excessive oversight favorably, it can help protect companies from data breaches. The HR department can install tracking software on company devices to monitor employee behavior. If anyone engages in risky online behavior, the department can address them swiftly and directly.

While all tracking software is different, most products monitor workers' everyday behavior, keeping track of the websites they visit, the links they click and the items they download. When HR professionals use it to keep tabs on staff, they gain insight into compliance and risk.

HR Is the First Line of Defense

When it comes to cybersecurity, the HR team — not the IT department — is the first line of defense. After all, employees are the ones who open up the company to potential attacks and breaches. Naturally, strategic policy changes and comprehensive security enforcement are early protection measures.
