What Role Can HR Play in Mitigating Cyber Security Threats

By Swati Thakur March 8, 2018

Cyber attacks have been wreaking havoc across the world for the past few years, such as WannaCry, Shadow Brokers and Petya, spurring billions of dollars in global economic loss.

Indian organizations have borne the brunt of cybercrime, especially last year and the year before. Here is the timeline:

  • May 2016: The Indian Railways e-ticketing website IRCTC reported that account details of its users were allegedly compromised.

  • August 2016: More than 22,000 pages of sensitive information related to the first Scorpene-class submarine built in India were leaked, putting the Indian Navy and the government in a fix.

  • October 2016: A botnet malware named Mirai affected millions of Internet of Things (IoT) devices across the world, including India. However, the exact figures pertaining to the loss in India are not known.

  • October 2016: More than 3.2 million debit cards of customers of ICICI, YES, SBI, HDFC and Axis banks were compromised.

  • May 2017: The food-tech company Zomato suffered a security breach when a hacker by the name of 'nclay' claimed to have hacked more than 17 million user records and threatened to put them on sale on a popular Dark Web marketplace.

  • May 2017: WannaCry stalled operations of several private and public enterprises across many states, including Maharashtra, Gujarat, West Bengal, Odisha and Delhi NCR.

  • June 2017: India was among the top 10 countries that were hardest hit by the Petya attack. The country's largest container port, Jawaharlal Nehru Port (JNPT), near Mumbai, was disrupted for several hours.

  • June 2017: A malware attack impacted thousands of broadband modems of the state-owned telecom operator BSNL.

According to 'Cisco 2018 Annual Cyber Security Report', cyber attacks have caused financial damages worth USD 500,000 to Indian firms in the last 1.5 years. The report, based on a survey of 200 organisations across government (including defence), manufacturing, financial services, healthcare, telecommunication, pharmaceuticals, education and retail sectors, also revealed that the nature of cybersecurity issues has become more complex and the scope of breaches is expanding.

The threat is only likely to escalate given that India is focusing on becoming a digital economy and that Indian firms are rapidly adopting new technologies. As an increasing number of businesses go online and financial transactions become electronic, Indian websites and users are highly vulnerable to cyber attacks and data breaches. In fact, the report titled 'State of the Internet Security Q4 2017', released by the CDN service provider, states that India is the seventh most targeted nation for Web Application Attacks. This is certainly a wake-up call for Indian companies.

While cybersecurity is still in a nascent stage in India, organisations have started implementing measures to curtail the threats. From implementing sophisticated IT systems and availing cyber insurance to hiring cybersecurity experts, they are taking every possible step to fight cybercrime. One school of thought believes that the IT team should have the key responsibility for tackling cybersecurity-related concerns, but another puts HR at the forefront on this matter. So, the question the HR community has been debating is whether HR is responsible for cybersecurity and, if yes, then how.

It wouldn't be incorrect to say that HR would have to play a 'people's role' in cybersecurity. Let's delve deeper and throw more light on this matter.

1. Recruitment

Research by the technology platform Belong states that the demand for both tech and non-tech cybersecurity professionals has boomed over the last 18 months. According to NASSCOM, India's trade association for the IT and BPO industries, cyber security will create one million jobs in the country by 2025. Thus, HR has its job cut out in two ways:

  • It needs to understand the cybersecurity requirements of the organization and the myriad job roles that exist in cybersecurity - security analyst, chief information security officer, intrusion detection specialist, incident responder, information risk auditor, vulnerability assessor and so forth. Only then can HR create accurate job descriptions and identify the right fit.

  • The cybersecurity job market offers many choices for job seekers, and they have the upper hand in compensation negotiations. The average salaries for freshers in cybersecurity are around Rs4-5 lakhs, while those of top cybersecurity talent have risen by 25-35 percent, to the tune of Rs2-4 crores, in the last 18 months. So, HR needs to work out a package that will not only attract candidates but also retain them.

2. Risk Management Posed by and for Employees

The '2017 IBM X-Force Threat Intelligence Index' report states that 60 percent of cyber attacks are the result of insider activity, either through unintentional negligence or malicious intent. This means that employees are either inadvertently or directly involved in the crime, endangering the digital security of the organisation. They could accidentally end up sharing information on social media or clicking on phishing emails. If the crime is intentional, they could use personal IDs instead of official work IDs to leak information. It is within the purview of HR to design a robust risk management policy to prevent and monitor cybersecurity risk in the organisation. This policy usually entails:

  • Setting up approval and authentication workflows across hierarchies and departments.

  • Educating employees to sensitise them to cyber risks and to the implications of non-adherence to security measures at the organizational as well as the individual level.

  • Looking for triggers that could induce a security breach by employees, for instance demotions, transfers or exits.

  • Laying down Bring Your Own Device (BYOD) and remote working policies: personal devices used by employees for office work, and a workforce located at remote locations, are highly vulnerable to cyber threats.

3. Ethical Hacking and Cyber Security Measures

Thwarting threats is necessary, but overstepping ethical boundaries is uncalled for. HR needs to take care of ethics in cyber security on two fronts:

  • Employee Privacy: Most organisations monitor the telephone, mobile, email, computer and internet usage activity of their employees to prevent inappropriate or unlawful behaviour. While employers do have a legal right to preserve the security of their data, they should ensure that they do not violate the privacy of employees; otherwise, it could lead to an atmosphere of mistrust. It is here that HR should formulate a clear and transparent policy informing employees about the organisation's communication (digital as well as non-digital) monitoring policy.

  • Hiring Ethical Hackers: Today, many organisations hire ethical hackers to analyse the hidden vulnerabilities in the organisation's security systems. Also known as undercover cops or white hat hackers, these professionals hack the internal systems with the company's permission. However, if the hiring of ethical hackers goes wrong, it could have severe adverse implications for the organisation. It is HR's responsibility to decide the terms of engagement, such as hiring and termination dates, non-disclosure agreements and communication protocols with the hackers.

4. Anticipate Skilling Needs

The cybersecurity professionals employed by the organisation should be aware of the new technologies and cyber threats that emerge every day. They should be equipped with the necessary skills to handle such situations promptly. HR has to ensure that assessments of the organisation's cybersecurity competency and of individual cybersecurity skills are conducted at regular intervals. This will ensure that both the organisation and its cyber security team are ready to respond to cyber attacks when they take place. If the existing cybersecurity staff need re-skilling or upskilling, HR should design tailor-made training programs and also ensure that their curricula stay updated. If the capability cannot be built in-house, then HR needs to anticipate the cyber skill requirements and hire externally.

HR professionals do not need to become cybersecurity experts, but they can certainly liaise with the IT and legal teams to continuously evaluate cybersecurity needs, build cybersecurity competencies, establish cybersecurity protocols, make cybersecurity training integral to the on-boarding process, and take timely disciplinary action in case of breaches.

About the author: Swati Thakur is a part of the SHRM India Knowledge & Advisory team.
