HR on guard for cybersecurity

The most effective protection is increasing employees’ awareness, and it’s up to HR to maintain it.

Did you know you need to enlist the help of a Human Resources expert to successfully combat cyberthreats? Is that a surprise? It shouldn’t be. Sure, there are technical experts who are responsible for cybersecurity on the server, computer and software levels. But the company’s security cannot be ensured by technical measures alone; organizational ones are also needed. In particular, someone needs to train employees to recognize cybercriminals’ tricks and to counter them. This is where the experience and skills of HR specialists can come in handy.

Why purely technical measures are not enough

Some might say “that’s what IT and Infosec specialists are for!” And that’s partly right. The IT or security department probably does everything it can to reduce the risk of an attack and mitigate possible consequences. However, just one human error can nullify most of their efforts. In fact, all employees should keep cybersecurity issues in mind, because any one of them could unintentionally deal the company’s reputation and finances a blow. All they need to do is open a malicious attachment, or believe something like a “message from the boss” prompting them to transfer money to an unfamiliar account.

Cybercriminals have been relying on employees’ mistakes and unawareness above all else over the past few years. Phishing, which involves attempts to trick people into disclosing information using social engineering, spoofed e-mails or fake websites, has become the most popular means for them to get their hands on confidential data. These days, corporate security depends on every employee, and the company should inform every single one of them about the rules of secure work.

Why IT and Infosec departments need help in efforts to educate colleagues

It’s the technical side they’re good at; working with people usually isn’t a central role in their job descriptions, never mind educating other employees. Being good at what you do doesn’t necessarily mean you can explain how you do it, especially to people outside the field. What seems obvious to a security expert may not be familiar to a sales manager at all. That’s why a specialist’s instructions and talks are often too difficult to understand and don’t produce the desired results.

In addition, a lecture is generally not the best format for learning. As our experience shows, few people really process information presented in this way. This is like fire safety training: it seems to be vital, but most perceive it as a formality. Even if someone really listens to the lecturer, in a best-case scenario they probably forget about 70% of what was said in a couple of days. It is always better to have training conducted by an HR employee who knows how to convey information to the employee in the right way.

Not to mention that IT and InfoSec teams tend to be overloaded dealing with ongoing routine issues — from forgotten passwords to hundreds of notifications from security solutions, each of which may be a sign of an attack. That means there simply aren’t enough resources for unfamiliar strategic tasks such as security awareness training.

Your company needs a new hero

You’ve no doubt got it by now: Human Resources specialists are indispensable in the fight against cyberthreats. An HR expert knows all the ins and outs of corporate training. So who could do a better job at communicating the importance of this mission to management?

And we, for our part, are ready to provide all the resources and means necessary. As part of the Kaspersky Security Awareness services, we’ve collected a variety of trainings and educational programs for specialists and companies of different levels and experience — from the basics to highly specialized interactive simulations.

Despite the fact that the topic is not easy, you do not need to be an expert in cybersecurity to arrange trainings. Our specialists have prepared and systematized all the necessary information, and even a person without experience in the field of information security can manage the process.

Our blog can serve as an additional source of information that can help HR specialists learn, in simple terms, about the latest cyberthreats and modern approaches to training others to protect against those threats. From time to time we publish posts relevant to HR professionals, and we also plan to publish additional materials that can help HR specialists make a persuasive case to management and get support from the IT department.