
*By Paulo Oliveira

In recent years, Human Resources has become an integral part of organizational cyber risk management. Alongside information security technology, HR is increasingly called upon to help define and enforce employees' data-access permissions, deliver training on and enforce cybersecurity policies and procedures, and assist in responding to cyber incidents involving employees.

This increased engagement by the HR function is due to a convergence of factors, including a more active regulatory environment, the widespread use of technology and devices in employees' work, and recognition of the importance of a strong organizational cybersecurity culture.

Employees' handling of data and their security practices are critical determinants of an organization's overall cybersecurity. According to Mercer's 2021 Global Talent Trends Study, about 62% of executives say the biggest threat to cybersecurity in their organization is the failure of their own professionals to comply with data security rules, not hackers or vendors.

However, HR is not typically the primary owner or driver of cyber risk management. According to a study by Marsh in conjunction with Microsoft, about 88% of companies continue to assign cyber risk first to IT, second to legal and third to finance, which can be considered a mistake. A strong alliance between IT and HR could manage data and technology risk more broadly, especially in a remote work environment.

Cybersecurity culture

HR is often the first and last point of contact for employees and therefore plays an important role in creating and maintaining a robust cybersecurity culture. 

While IT typically creates the cybersecurity training sessions, HR involvement has increased as the importance of this training for employees has become better understood.

Training should include guidance on recognizing and dealing with common scenarios such as phishing and password security. It should also cover how to handle the organization's digital transformation and the implementation of new technologies, as well as best practices for remote access, incident response and recovery, and the use of mobile devices.

A robust cybersecurity culture starts at the top of the organization and involves ongoing communication and training for employees across all functions. 

Regulatory compliance

Several countries are implementing or have already implemented privacy regulations that set strict guidelines for how organizations collect and use consumer data. This includes the General Data Protection Law (LGPD), a Brazilian law enacted to protect each person's fundamental rights of freedom and privacy.

Failure to comply with these regulations carries heavy fines, penalties and the potential for lawsuits, not just for data breaches but also for the mishandling of consumer information.

HR traditionally conducts training on protecting sensitive data and securely using technology devices as part of the onboarding process. However, the function is now also tasked with conducting privacy regulation training, in conjunction with IT, for employees and contractors who handle the organization's information.

Internal responsibility for investigating errors and misconduct generally rests with IT, Compliance and third-party investigators. But because of its role in managing employee compliance with organizational policies, HR is best positioned to provide guidance on appropriate disciplinary or corrective actions for misconduct or errors in data handling.

That's why it's important for HR and IT to be aligned in creating and implementing a robust data incident response plan, especially for dealing with an event involving employees. 

Data disclosure

HR also has an important role to play in helping to manage data breaches and disclosures. Whether accidental or malicious, such events can result in significant financial damage, legal action, reputational harm and loss of consumer confidence.

In the case of an accidental disclosure, or of a former employee requesting deletion of their personal information, best practice requires that the incident response plan define which department sends the breach or deletion notice, which department responds, and what the appropriate response is. HR is often the first to receive such a request from an ex-employee, so its communication with and direction of the other functions is essential to handling it properly.

In an increasingly connected world, cybercrime is an ever-present threat. It is therefore extremely important to ensure that the company's HR and IT teams work together on compliance, so as to protect data and prevent possible leaks.

*Paulo Oliveira, marketing manager at Apdata

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
