Security experts from Bulletproof and Microsoft Canada weigh in on the vital role that HR has to play in ensuring an organisation’s cybersecurity protection
This article was produced in partnership with Microsoft Canada.
Cybersecurity is a people problem as much as it’s a technology problem, and the statistics couldn’t be clearer.
These numbers come as no surprise to Shaun Hughes, a director at the IT consultancy Bulletproof, who has been tackling cybersecurity threats for 25 years.
“People are the weakest link when it comes to cybersecurity. If you want to protect your organisation’s information, you have to talk to the people working with that information.”
Every employee is a potential vulnerability. This ranges from a new hire who wasn’t vetted properly, to a departing employee who may be leaving with sensitive information. While IT has a big role to play in managing the security around these employees, so does HR.
At every step of an employee’s journey from their first day to their last, it is HR that monitors and mentors an organisation’s workforce. That makes HR an essential part of an effective security strategy.
The weakest link
This human factor in cybersecurity is a growing concern, with the research firm Gartner calling it the top cybersecurity priority for 2023.
As employees increasingly work from home, the dispersal of people and their devices creates a bigger attack surface for attackers. It also makes it harder for an organisation to train its workforce, further increasing employees' vulnerability to data theft and loss, while heightening the risk of ransomware and damage to a brand's reputation. Ransomware, malware that encrypts or otherwise blocks access to critical data or systems until a ransom is paid, remains one of the most impactful threats to organisations today.
This increased vulnerability has caught the eye of regulators as well, and they are introducing sharply higher fines for failures to protect sensitive information.
In Canada, the proposed Consumer Privacy Protection Act (CPPA) would raise penalties for mishandling personal information to a fine of up to $10 million or 3% of an organisation's gross global revenue in the previous financial year, whichever is higher. More serious offences could carry fines of up to $25 million or 5% of an organisation's gross global revenue.
This brings us to a question. If an organisation’s personnel are a key point of failure when it comes to security, why doesn’t HR play a more prominent role in that security?
Kevin Magee, the Chief Security Officer for Microsoft Canada, says it often comes down to a fundamental misconception, with organisations treating security as a narrow technological problem rather than a broader cultural challenge.
“At Microsoft, we are focusing on changing beliefs and behaviours,” he says. “How can we build a culture that makes it easy to do the right thing, but hard to do the wrong thing?”
Building that security culture across the organisation isn't easy, for a wide range of reasons. The IT department can be protective of its turf and unwilling to involve others in what it views as deeply technical issues. HR, meanwhile, may be reluctant to get involved because it is uncertain about its expertise and the role it should play.
And there could be a problem further up the hierarchy as well, where no one executive is willing or able to bring different departments together in a concerted effort that can address security as a holistic, human-centred endeavour.
Bulletproof’s Hughes says one of his main objectives in working with clients is to get every department involved in developing solutions, especially HR and finance because they manage some of the most sensitive information.
“Our most successful projects are when we have representation from across the organisation,” he says. “It may involve a governance group where everyone contributes to the conversation and highlights their concerns.”
Stitching together the various parts of an organisation to create a common goal also helps avoid the proliferation of single-point solutions, where different departments want different fixes for similar problems.
“If you want a fully protected environment, you can't deliver one-point solutions,” Hughes says. “You need security that covers all the bases, like we see with Microsoft 365 where security features are built directly into the applications employees use every day.”
Covering all the bases means going beyond the technology itself. It requires a comprehensive cultural shift that turns employees from points of vulnerability into an active line of defence against intrusion and theft. This holistic approach is often discussed under the banner of Zero Trust: a security model that assumes a breach is possible at any point, verifies every access request explicitly rather than trusting it because of where it originates, and grants only the least privilege needed. Applied across people, processes and technology, it is a way of working rather than a single product.
Look at it this way, Magee says: “The human mind is the most powerful computer on earth. It’s an organisation’s most valuable asset. So why do they spend the least amount of time and money investing in this asset?”
It’s a good question, and one that Hughes is busy solving in his work with clients.
“It's all about knowledge and educating people,” he says. “Ideally, you want a situation where IT isn’t going to HR and saying they spotted a problem. Instead, HR is being proactive and working collaboratively with IT to identify potential threats.”
The human factor is a vulnerability that goes beyond technology, and HR has an important role to play in addressing it. By taking a more holistic view of potential threats, such as inadequate vetting of new hires or the handling of departing employees, an organisation can address risks long before they reach the tech stack.
“Zero Trust is a cultural shift, it is not a product you can buy,” Magee says. It’s a strategy that includes people, processes, and technology in a collaborative effort to improve overall security.
Magee says this may mean broadening the skills and experience within a cybersecurity team. “When I talk to CISOs or CIOs, I’ll sometimes ask about the composition of their team. Are they all computer science majors? Or do you have a criminologist? Do you have a psychologist? Do you have people that understand social engineering and human psychology?”
Making a difference
Organisations are facing a growing number of threats, along with emergent risks from remote work and much stiffer government penalties for failure.
There’s no quick fix to ensure an organisation is protected from threats, just as there’s no single person or department that can provide that protection.
Security must mobilise and empower everyone within an organisation if it is to be effective, and that means including HR as a close and continuous partner.