Cybersecurity is not just an IT issue. 

When 95% of breaches[1] are a result of an organization’s own workforce, HR professionals must be involved in creating a culture of cybersecurity and helping employees adopt good cyber hygiene habits.

Organizations that don’t take all the necessary steps to protect their people and businesses leave the doors wide open to cyberattacks that could cost thousands in revenue, data and lost employee trust.

The HRPA sat down with George Finney, Chief Information Security Officer and CEO and founder of Well Aware Security, to learn more about how HR professionals, alongside IT, can help safeguard their employees and businesses from malicious hackers.

1) What will be the top cybersecurity concern for businesses post-pandemic?

Remote workers. 

Businesses with remote workers are more susceptible to online security breaches and account compromises than those whose employees go into the office.

“Companies can’t protect personal devices on home networks, so work computers at home are potentially more vulnerable. It’s also much more challenging to remediate ransomware at home,” says Finney.

Most cyber criminals know this and with more people working remotely since the pandemic, they are taking advantage of the situation. According to the 2020 Canadian Internet Registration Authority Report, about 3 in 10 businesses have noticed a significant increase in reported cyberattacks, insider threats, or data breaches during the global health crisis.[2] “It’s more important, now more than ever, to implement Multifactor Authentication for every application in a company.” 

2) What role can HR professionals play in the fight against cyberattacks? 

“When it comes to cybersecurity, we need to know where our ‘crown jewels’ are, in order to protect them. Our people are the crown that holds those jewels,” says Finney. 

Since HR is about helping companies succeed by managing their human resources (or people), ensuring employees are well-versed in cybersecurity fundamentals should be top of mind for HR leaders.

“HR already has a way of helping influence employees to change their behaviors (i.e. training programs),” adds Finney. “We know that 40-50% of human behavior is made up of habits, so we need to be able to change habits in order to be successful at protecting our organizations.”

While HR may not be developing the training programs, they can be responsible for creating security newsletters, ensuring that employees know who to contact if something goes wrong or is suspicious, and making sure employees adopt cybersecurity habits. 

To help you identify your cybersecurity habits, Finney has provided a free Cyber-Personality test from Well Aware Security. (Founded by Finney, Well Aware Security believes that great cybersecurity starts with people, not technology.) “Most security training focuses on what you know, not how you behave. This is a good first step, but to fully understand where an employee is, we need to know how they would act.”

HR professionals can also help by remembering that they are employees too – ones who manage sensitive data. Knowing how to protect this data must be baked into the basic operational HR procedure, as they collect and maintain employee social security numbers, addresses and full names. One misstep on the part of an HR professional, like using free Wi-Fi in a public cafe, can severely set back an organization financially and reputationally.

3) Where does HR’s role end and IT’s begin? How should they work together?

“People can be your organization’s secret weapon when it comes to security, and HR can be one of the biggest advocates for creating a culture of cybersecurity,” says Finney. 

HR leaders can fortify the relationships across departments and mobilize the right leaders in the organization to ensure employees are adopting best practices for safeguarding against online threats. 

In smaller organizations, where no dedicated IT team is available, HR professionals may have to wear the IT hat. “About half of the security leaders I’ve talked to don’t have their own internal training staff so they rely on HR to help get the message out there on how to be secure which can include security documentation or training as a part of a new hire orientation.”  

Bottom line: Gone are the days when IT could protect organizations acting alone. With a high number of cyberattacks caused by employee error and a high volume of employees working remotely since the pandemic started, HR professionals can’t afford not to be included in the cybersecurity process.


[1] 2020 IBM Cost of a Data Breach Report by Ponemon Institute and IBM, https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/pdf

[2] 2020 CIRA Cybersecurity Report by Canadian Internet Registration Authority https://www.cira.ca/cybersecurity-report-2020

 

Interviewee Bio:
George Finney

Chief Information Security Officer and CEO and founder of Well Aware Security

George Finney is a Chief Information Security Officer who believes people are the key to solving our cybersecurity challenges. He is the CEO and founder of Well Aware Security and the CSO for Southern Methodist University in Dallas, Texas. Finney has worked in Cybersecurity for nearly 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture. As a part of his passion for education, he has taught cybersecurity at Southern Methodist University and is the author of several cybersecurity books including Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future, and No More Magic Wands: Transformative Cybersecurity Change for Everyone.

Finney was recognized by Security Magazine as a top cybersecurity leader in 2018, and is part of the Texas CISO Council, a member of the Board of Directors for the Palo Alto Networks FUEL User Group, and an Advisory Board member for SecureWorld. He holds a Juris Doctorate from Southern Methodist University and a Bachelor of Arts from St. John’s College as well as multiple cybersecurity certifications including the CISSP, CISM, and CIPP.
