How HR Leaders Can Prevent and Mitigate Cyber Loss

By Franklin R. Cragle III July 10, 2015

Sony. Anthem. Target. The federal government.

Large-scale cyber breaches dominate the headlines and cost companies tens of millions of dollars. In the latest news, Office of Personnel Management Director Katherine Archuleta announced July 10 that she was resigning, a day after the government announced that more than 22 million people had their information stolen in two large cyberattacks on the government’s HR agency. While these mega-breaches receive the most media coverage, hackers are also now targeting smaller companies.

As observed by Security Magazine, human resource leaders, teaming with IT professionals, sit in a critical position to help prevent and mitigate loss. According to the Identity Theft Resource Center, the 380 reported cyber breaches in the U.S., as of June 23, 2015, resulted in the exposure of 117,381,357 records, many of these involving employee data. And these are just the reported breaches. Further, the vast majority of these incidents were not the Sonys or Anthems of the world; small to midsize companies are equally—if not more—vulnerable to attack.

Below are four steps that human resource managers can take to evaluate and hedge against cyber risk.

Educate Internally

The easiest way hackers enter a network is through employees.

In a 2012 study on cybersecurity mistakes, global auditing firm KPMG observed that “the human factor” remains “the weakest link in relation to [cyber]security.” Education strengthens that weak link.

Hackers often target smaller companies, betting on fewer safeguards and an internal sense of invulnerability (i.e., we’re too small to be attacked). The most common security threats remain phishing (from the crude deposed-Nigerian-prince e-mail to messages crafted to look like they come from a colleague or vendor), malware bundled with untrusted or unknown downloads, and open Wi-Fi networks. Educating employees on these vulnerabilities and how to protect against them is a first line of defense against cyberattacks. To accomplish this, HR professionals should team with IT leaders to develop curriculum and training programs to educate the workforce on the do’s and don’ts and protocols relating to cybersecurity.

Monitor Compliance

Education must be paired with compliance monitoring, which is accomplished in several ways.

  • Employee self-reporting of breaches is the easiest and least expensive. The most critical step an employee can take to mitigate damages or prevent a future attack is to tell someone promptly about a suspected breach, even one the employee may have caused.
  • Anonymous or safe-harbor reporting systems can help employees feel comfortable reporting a suspected breach without fear of repercussions. HR departments can demonstrate tremendous value and leadership by creating processes for reporting that protect employees and prompt immediate action.
  • Investing in advanced network security helps employers be less dependent on employees to self-report and allows them to better track breaches at the corporate level. Companies already have the ability to observe innumerable metrics and vast amounts of electronic data through their IT resources. This same technology can be used to monitor for security breaches.

Understand Your Insurance Policy and Its Limits

Every employer has—or should have—insurance, and every policy has limitations. For example:

  • Does your policy have a cyber-liability component?
  • If your Commercial General Liability (CGL) policy does cover cyber loss (which is unlikely), is it to the full extent of your coverage or is there a sublimit?
  • Even if your CGL covers cyber loss to the extent of the limits, is that enough?

Audit and Fill the Gaps

Not everyone is knowledgeable about insurance. Policies are dense, terse and written in ways that can seem nearly incomprehensible. But someone needs to understand and assess these policies to determine if adequate coverage exists. Brokers can provide a degree of comfort with regard to policy terms and conditions; however, insurance coverage attorneys and independent auditors can ensure the most appropriate coverage.

While knowledge is critical to loss prevention, in the event of a breach, mitigation becomes key. The most effective mitigation tool is appropriate cyber-liability insurance coverage. Performing a policy audit is critical to ensuring appropriate coverage. Cyber policies are becoming a necessity, not just a luxury, and even with loss-prevention protocols in place, companies should maintain specialized cyber policies with generous limits.

Franklin R. Cragle III is a trial lawyer and member of the Insurance Recovery Team at Hirschler Fleischer in Richmond, Va. He may be reached at
