Seclore provides data security software for enterprises. Seclore’s mission is to protect sensitive data, giving organizations complete control over critical information with innovative solutions. Founded on the principle that traditional cyber security is no longer sufficient, it aims to be a leading provider of data-centric security solutions. The vision is to deliver unparalleled protection and control over sensitive information on all platforms and devices.
Shraddha Reghe, VP, People Practices, Seclore, tells us more. Excerpts from an interview.
DQ: Why is it crucial for CHROs and HR professionals to undergo cyber security training, and how does it impact the overall security posture of an organisation?
Shraddha Reghe: The reason cyber security training is so important for CHROs and HR professionals is that HR holds the personal and financial details of employees. If they are unaware of security risks, the HR teams themselves may become an easy entry point for cyberattacks. Thus, enabling HR with relevant skills to protect sensitive employee data as well as identify threats is necessary and crucial in the current digitized world we are living in.
When HR professionals are well informed and trained in cyber security, they would play an important role in enhancing the overall security posture of an organization, ensuring that the cyber security training of HR professionals doesn't break in compliance, shows trust in employees and stakeholders, and ensuring sensitive information is protected.
DQ: How has the shift towards remote and hybrid work environments changed the cybersecurity landscape for HR professionals, and what training adaptations are needed to address these changes? How can CHROs and HR professionals be trained to recognize and respond to these threats effectively?
Shraddha Reghe: The shift to remote and hybrid work has increased the attack surface, as now sensitive employee data is accessed from diverse devices and locations by hackers. The average cost of a data breach has reached a record high of US$ 4.45 million, according to the 2023 Cost of a Data Breach Report by IBM and the Ponemon Institute. Therefore, HR professionals need to be more careful and not get exposed to phishing, data leaks, or breaches.
At Seclore, we ensure that every employee, including HR, IT and other support functions, receives Information Security Management System (ISMS) training. An ISMS is a collection of guidelines and protocols that systematically handle sensitive data.
These guidelines, practices, and procedures are evaluated, improved, and put into place over time. ISMS ensures that all risks are minimized and that all risk management processes run smoothly. More precisely, it provides a framework based on the organization’s information security goals, safeguards its information assets, and aids in managing its cybersecurity initiatives.
With the right rules and training, cyber security training has developed into a thorough communication channel that controls sensitive data from distant systems, enforces data protection regulations across many platforms, and teaches employees how to spot phishing efforts.
DQ: What unique cyber security challenges do HR departments face, and how can targeted training help mitigate these risks?
Shraddha Reghe: HR departments face significant cyber security challenges mainly because of the access they have to sensitive employee data, including employee details such as social security numbers, financial information like banking data, and payroll records. This information makes HR a prime target for cyberattacks, especially through some form of social engineering tactic.
According to PurpleSec (2021), 98% of cyberattacks rely on social engineering. The same report indicates that new employees are the most susceptible, with 60% of IT professionals citing recent hires as at high risk of falling for social engineering tactics.
Typical cyber security attacks include insider threats, spear-phishing, and phishing, in which the attackers obtain unauthorized access or even compromise the data. High levels of trust in interactions with the HR department make it easier for assaults to gain sensitive information by tricking the very few HR personnel.
Targeted cyber security training should be provided to HR teams to answer these vulnerabilities. For instance, slight markers about phishing attacks will keep a company’s HR personnel more efficient in recognizing and blocking these malicious attacks. HR-centric cyber security training could focus on the secure management of digital employee records and access controls.
As an example, role-based access controls prevent authorized personnel from viewing or changing sensitive data against insider threats.
With the evolution of technologies, organizations are implementing multi-factor authentication for their HR Systems, which has resulted in a reduction in data breaches. This enables organizations to make their HR teams obtain special cyber security skills and tools, creating a more secure environment for effectively managing employee information with minimal risks due to both external and internal threats.
DQ: What immediate steps can CHROs take post-training to implement cyber security best practices within their teams and protect against real-time threats?
Shraddha Reghe: After training, CHROs can start working on several instant activities, such as reinforcing data-centric security policies across the department of HR, which involves data encryption, proper document-sharing tools, and rights management solutions like Seclore's Digital Rights Management, which has control over access and divulgence.
Organize phishing simulations and make everyone feel comfortable reporting even the slightest suspicion. To add to that, CHROs can ensure that there is continuous employee education about the areas of cyber security. Security protocols have become part of all other HR functions in current times. They are the fortress of strength processes that minimize human error in defense so that security gets amplified.
DQ: Can you share examples of how HR professionals with cyber security training have successfully prevented or mitigated security breaches?
Shraddha Reghe: HR professionals with cyber security training are much more effective in protecting their organizations against those security breaches, especially when dealing with sensitive information about employee data. For example, a well-trained mid-sized company HR professional was able to identify a phishing scam when the email asked her to update an employee's payroll information.
Since she was fully aware of the phishing approach, the HR professional detected some typos and a sense of urgency, which she reported to IT. Taking swift action would have saved the organization thousands of dollars by stopping the illegal transfer of payroll cash.
It was concluded in a 2022 report from Kaspersky that 40% of organizations identified unauthorized data access as the major security threat, and therefore, HR has had to focus on proactive management and restriction of access to the sensitive data of employees.
Hence, data-centric security controls allow HR teams to implement limitations on accessible employee data reactively. These types of solutions, combined with vigilance, thus reduce risk and prevent the intentional and accidental leakage of data.
In another instance, one of the HR department's employees discovered spear-phishing in connection with a purported urgent request from the CEO to provide a list of employee data. Since he was taught to handle such circumstances, using a different communication method, he was able to confirm the request and discovered it was false.
A potential compromise of employee data and the private information of thousands of people, including hundreds of employees, may have been prevented. Research from the SANS Institute shows that companies that train HR teams in cybersecurity can cut phishing rates by as much as 70%, to prevent and reduce deliberate scams.
Preventing insider threats is the critical role of HR in access management. Indeed, after enforcing role-based access control and multi-factor authentication (MFA), organizations have seen a decline in unauthorized access attempts in one year.
For example, trained HR personnel noticed odd login attempts while working remotely and immediately reported them to IT, thus blocking the attackers' access and protecting employee records. Such examples and data points provide a fact about how cyber security-trained HR professionals help prevent potential security breaches and build a stronger overall data security framework for an organization.
In addition to their organizational security requirements, HR teams at our customer organizations implement Seclore’s data protection solutions for protecting sensitive employee records.
Seclore’s product allows HR teams to protect their employees’ data with late-stage pre-emptive measures, preventing access to or leakage of sensitive information by restricting it to only the authorized employees and protecting the information from any external or even internal threats.
By adopting Seclore technology, HR personnel can not only take the existing security measures but also lower the risks associated with data leakages and other compliance issues as well as enhance their readiness for new aggressors posing security threats.