Common wisdom holds that when organizations are hit by a cyberattack, the ensuing response should be led by information technology (IT), security, legal and finance staff, with human resources taking a back seat. But cybersecurity experts say HR's communication skills, key role as the bridge between leadership and employees, and knowledge of sensitive worker data should make it an integral rather than a peripheral member of any incident response team.
"Too many times companies think only IT and security should be part of the incident response, but they overlook HR," said LeeAnne Pelzer, consulting director of Unit 42 at Palo Alto Networks, a cybersecurity company in Santa Clara, Calif. "In the middle of a response, organizations often realize just how important HR is, but by that point they're usually scrambling or hitting communication bottlenecks because they didn't integrate HR into the planning process. There are always critical responsibilities right after a cyberattack that align with HR."
HR's Role When a Cyberattack Hits
With cyberattacks on the rise, experts say it's only matter of time before most organizations fall prey to some form of cybercrime. How well they respond will be a function of how well they plan for that eventuality, and cybersecurity pros say HR should be a key part of an incident response team that conducts tabletop exercises and simulations to delineate roles and rehearse responses to cyberattacks.
Jess Burn, a senior analyst in security and risk with Forrester, said the primary role for HR following a cyberattack is one of communication, relaying pertinent information or instructions to the workforce after consulting with the cross-functional incident response team.
"HR should reassure employees the organization has a plan in place, has been preparing for this or similar incidents and is working to resolve any issues affecting organizational productivity and viability," Burn said.
HR should craft the core of these messages in advance of any potential cyberattack to ensure the right tone is set, and that communication is compliant with company policy and defensible should litigation arise from the incident, Burn said.
Pelzer said HR's communication responsibilities following a cyberattack should include addressing employee questions or concerns using a multichannel approach, helping to inform customer service teams about what to communicate to clients about the attack, and communicating to the workforce about how access to any impacted technology platforms will be affected.
"No one party should handle communications alone, however," Pelzer said. "Creating and delivering messages should be a joint effort between HR, legal, IT and security experts. Communication should include what happened and what information may have been compromised, what's being done about it, and stressing that the situation is still evolving if all the facts aren't yet known. Not communicating proactively with internal or external stakeholders is one of the quickest ways to harm your reputation in these scenarios."
Kathy Walen, vice president of people for Code42, a cybersecurity firm In Minneapolis, agrees that responding to a cyberattack should be a team effort, with HR playing a lead communications role.
"It's not just the role of a security team to think about risks and threats; it's the responsibility of the entire organization," Walen said. "For HR it's about working in partnership with the IT and security team to develop a response plan."
Walen said it's vital for HR to stay in close contact with those internal partners as a response unfolds to create consistent messaging to internal and external audiences.
"If sensitive employee data was breached, for example, it's important to be transparent about the reach of the cyberattack so people understand what's at risk and what the company is doing to mitigate those risks as quickly as possible," Walen said.
Additional Key Roles for HR
If employee data is affected by a cyberattack, Burn said HR should lead the assessment of any regulatory compliance issues and roll out employee support for identification monitoring services. Given its role in compliance, HR should work with legal in assessing whether any privacy regulations that govern how companies store and protect employee data—such as the General Data Protection Regulation or the California Consumer Privacy Act—were impacted by a data breach.
Pelzer believes one of the most important roles for HR following a cyberattack is to compare active user network accounts against a current list of employees and contractors. User accounts can often become inactive but stay open when employees depart a company or go on extended leave, providing an opportunity for hackers.
"Dormant accounts are sometimes used to carry out a threat actor's objectives, whether that threat comes from outside or inside the company," Pelzer said. "It's critical that the list of active accounts aligns with the number of current employees and contractors, and HR is one of the best sources for that information."
HR's role in a response should be expanded if a cyberattack is caused by a malicious insider, experts say. "That's especially the case if an employee termination is necessary," Burn said. "In that case HR would need to work with legal and privacy teams to ensure termination or other punitive action is defensible should a lawsuit be filed."
Should the source of an attack be internal, HR's role also would be to consult with legal around user account access and data retention issues, Pelzer said. "HR should meet with legal to put the necessary hold on certain accounts or system access if there was data exfiltration," she said. "For example, legal will sometimes put a special hold on a user account to retain data because they may need to submit it to a regulatory agency or for insurance purposes after an attack."
Burn said HR also should assist in ensuring front-line incident responders don't burn out and have time to recharge during what can often be a prolonged response period.
"HR should work with the CISO [chief information security officer], CIO [chief information officer] and the company's retained incident response (IR) services firm if it has one to ensure there's a bench of capable security, IT and IR services team members to provide relief for the core team," Burn said.
Detailed Plans, Practice Key to Effective Response
The biggest reason why organizations fail to respond effectively to cyberattacks—often damaging their reputations and impacting financial performance for years—is the lack of thorough planning for these events.
"The biggest misstep I see is not preparing well for these scenarios," Burn said. "Time and effort is needed not only to develop incident response plans and playbooks with associated rules and responsibilities, but also to test them."
Burn said that requires conducting tabletop exercises and full-crisis simulations, ideally led by outside counsel or an IR services firm. "It should allow HR to work through its delineated roles and responsibilities and find out where communication breaks down or where specific messages or actions are missing from the response plan," she said.
Sam Grinter, a senior principal analyst with Gartner, studied how clients of HR technology vendor UKG responded when that company was hit by a ransomware attack in 2021, an event that interrupted payroll and timekeeping services for 2,000 of UKG's private cloud customers.
"Having spoken to many companies impacted by the UKG attack, it's easy to see differences in outcomes based on the quality of pre-planning for such an event," Grinter said. Many customers who fared well had created plans for manual back-up systems with incident response teams ready go with contingency plans when the ransomware attack happened, he said.
Pelzer said having a well-rehearsed plan ensures that panic and disjointed responses don't win out when a cyberattack is identified. "A cyberattack might arguably be one of the worst days you ever experience at work, and your brain may not be firing on all cylinders," she said. "That's when you need to lean on your plan. It's easy when you're feeling pressure or stress to skip over critical parts of a good response to a cyberattack, but your plan will bring you back in line."
Dave Zielinski is principal of Skiwood Communications, a business writing and editing company in Minneapolis.