Why an HR-IT Partnership is Critical for Managing Cybersecurity Risk
2024-02-06 22:00:46 Author: securityboulevard.com

The human resources (HR) function is undergoing a major transformation when it comes to cybersecurity. For many organizations, HR’s role is expanding from simply overseeing workplace policy to serving as a pivotal player in defending against data breaches, privacy violations and cyberattacks.

With remote work now commonplace and employees representing the biggest security risk for companies today, both HR and information technology (IT) hold responsibility for mitigating insider threats. Yet they have traditionally operated in silos instead of in strategic alignment.

That old way of separating duties for managing people versus technology is proving inadequate in the face of modern cyber risk. As the first and last line of contact with employees, HR possesses unrivaled influence for instilling security-first practices across the workforce.


Meanwhile, IT owns technical defenses like firewalls and access controls. Even if these systems and processes offer some protection to the HR platform, organizational risks remain without accompanying policies and culture to govern employee platform usage. As such, it’s time these functions join forces to establish unified protection powered by people and technology working together.

Employees are the Weakest Link

Consider this alarming stat: A recent report from Kaspersky revealed over half of companies (52%) believe they face major risk from their staff. Whether through intentional misdeeds or by accident, employees routinely put their employers in cybersecurity peril.

Let’s break this down. More than half of businesses recognize the massive danger from insider threats within their workforce. Yet, employees don’t always mean harm. Their lack of cybersecurity knowledge or even simple mistakes can damage data security. For instance, you don’t have to look far to find examples like these:

● The accountant who accidentally emails company financials to the wrong Robert Smith in the company directory.

● The sales manager who clicks on a seemingly harmless link that infects the network with ransomware.

● The HR coordinator who picks “Password123” as their work computer credentials.

The truth is that many cyber calamities happen because the staff just don’t know better. Sure, your IT team can load up security software and firewalls, but that won’t cover basic human errors that are continuously repeated.

Even IT pros, with all their technical defenses, rely heavily on end users, the employees, to make smart data decisions. Yet most people without “cybersecurity” in their job titles receive little guidance on keeping data safe amid their daily workflow.

The Convergence of HR & Security

Securing organizations requires bridging the human element with strong technology protections – a two-pronged focus. Enter HR’s expanding role: teaming up with IT to make this vision of workforce education and alignment finally happen.

For a long time, HR owned the people side of the business – talent, culture and policies. IT handled the tech side – systems, data and devices. As separate kingdoms, they operated just fine in the past.

Yet, with growing cyberthreats emerging today, neither can go it alone. As regulations bring heavy fines for data mishaps and remote work erodes visibility, HR and IT must unite forces towards a shared priority: Ensuring employees handle data responsibly and securely every day.

That means tightly aligning HR’s policy-setting strengths with IT’s technical controls, jointly building a cyber-savvy workforce through modernized training, and keeping communication open to instill security-first practices across the employee lifecycle – from onboarding to offboarding.

Four Key Areas for HR-IT Alignment

Forging an HR-IT partnership calls for collaboration across several integral facets of cyber risk management. By determining shared goals and complementary areas of oversight, both groups can shape a workforce that serves as a frontline defense rather than a vulnerability.

Regulatory Compliance Obligations
With the onset of rigorous data privacy regulations like GDPR and CCPA, steep fines now apply for improper data handling. HR and IT must establish unified training to educate employees on compliance obligations for collecting, storing, and using sensitive personal information. Covering concepts like data minimization and encryption, multi-format workshops can ensure staff take privacy requirements seriously. Annual refresher courses should also be mandated to keep knowledge sharp.

Controlling Employee Data Access
Access management is a linchpin of security. HR and IT should map minimal permissions to roles, granting access strictly on a need-to-know basis. That includes defining granular read/write privileges at onboarding and promptly revoking all system credentials through automated deprovisioning when employees depart. Enforcing multifactor authentication and diligent monitoring also helps guard against unauthorized access attempts.
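The joint HR-IT check this implies, as an added example that is not part of the article: HR's roster is treated as the source of truth, and each IT account is flagged if its owner has departed, if it holds privileges beyond the agreed role baseline, if MFA is not enrolled, or if it has no HR owner at all. Role names, entitlement labels and user names are constructed for the example.

```python
from dataclasses import dataclass, field

# Role baselines: the minimal entitlements HR and IT agreed for each job role
# (constructed sample values, not from the article).
ROLE_BASELINE = {
    "accountant": {"finance-ro", "email"},
    "sales-manager": {"crm-rw", "email"},
    "hr-coordinator": {"hris-rw", "email"},
}

@dataclass
class HrRecord:  # one row of the HR roster, the system of record for people
    user: str
    role: str
    status: str  # "active" or "terminated"

@dataclass
class ItAccount:  # one row exported from the IT identity provider
    user: str
    enabled: bool
    mfa_enrolled: bool
    entitlements: set = field(default_factory=set)

def reconcile(roster, accounts):
    """Compare IT accounts against the HR roster and return what to fix."""
    hr = {rec.user: rec for rec in roster}
    findings = {"disable": [], "excess": {}, "no_mfa": [], "orphan": []}
    for acct in accounts:
        rec = hr.get(acct.user)
        if rec is None:  # account with no HR owner at all
            findings["orphan"].append(acct.user)
        elif rec.status == "terminated" and acct.enabled:
            findings["disable"].append(acct.user)  # leaver not yet deprovisioned
        elif acct.enabled:
            extra = acct.entitlements - ROLE_BASELINE.get(rec.role, set())
            if extra:  # privileges beyond the role's need-to-know baseline
                findings["excess"][acct.user] = sorted(extra)
            if not acct.mfa_enrolled:
                findings["no_mfa"].append(acct.user)
    return findings

# Constructed sample data that exercises each failure mode the check looks for.
ROSTER = [HrRecord("asmith", "accountant", "active"),
          HrRecord("bjones", "sales-manager", "terminated"),
          HrRecord("clee", "hr-coordinator", "active")]
ACCOUNTS = [ItAccount("asmith", True, True, {"finance-ro", "email", "hris-rw"}),
            ItAccount("bjones", True, True, {"crm-rw", "email"}),
            ItAccount("clee", True, False, {"hris-rw", "email"}),
            ItAccount("svc-old", True, True, {"email"})]
```

Running `reconcile(ROSTER, ACCOUNTS)` on the sample data surfaces one account to disable, one with excess privilege, one without MFA and one orphan; in practice the roster export would come from the HR system and the account export from the identity provider.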

Managing Data Disclosures
Despite best efforts, breaches still happen. HR is often the first stop for insider threat notifications, while IT detects and investigates incidents. By creating integrated disclosure response protocols, HR can quickly activate disciplinary procedures per policy while IT executes tactical triage (e.g. isolating impacted servers, forensic analysis). Joint reporting drives continuous security improvement, and post-incident assessments should review where visibility gaps occurred.

Championing Cybersecurity Culture
Technology is only one piece of defense. Employees represent the strongest layer of protection when awareness translates into vigilance. HR should champion baseline security training for all personnel, with IT assisting on technical specifics. Pop quizzes, simulated phishing tests, and gamified modules reinforce retention, while consequences for violations spur accountability. Creative bonus incentives can also motivate extra vigilance in reporting risks.

Simulating Crisis Response Together

When real cyberattacks strike, swift yet coordinated reactions become critical. To align responses, HR and IT must run regular incident simulation exercises together. Known as “tabletop exercises,” these drills assemble key stakeholders to walk through hypothetical breach scenarios and test response protocols. By discussing details like containment strategies, internal vs external communications, and steps to notify affected individuals, HR and IT can surface any alignment gaps in advance.

Cross-training during simulations also allows HR to gain technical familiarity with IT response tools such as antivirus scans or VPN isolation. In turn, IT gets exposed to HR playbooks around policy suspensions, legal escalations, or staff disciplinary procedures according to incident severity. Aligned understanding on both sides forges tighter response coordination.

In Conclusion

At the end of the day, dealing with cyber risks requires tackling both the people and technology angles. HR oversees the human workforce side, while IT controls the systems side. Operating independently, each only sees part of the puzzle.

By linking arms and aligning priorities into a shared game plan, HR and IT can finally set their organizations up to defend against modern cyberthreats. Combining policy and culture guidance from HR with technical protections from IT forges a formidable security front.


Source: https://securityboulevard.com/2024/02/why-an-hr-it-partnership-is-critical-for-managing-cybersecurity-risk/