This article will answer the following questions:

  • What is the best way for a cybersecurity manager and HR to work together?
  • How do I find out which HR security measures are in place?
  • Can a cybersecurity manager help write security requirements for job descriptions?
  • What security items should be on the HR hiring checklist?
  • What security items should be on the HR firing checklist?
  • Does my company need a security awareness programme?
  • What is the best way to set up a security awareness programme?
  • Should I track attendance at our security awareness programme?

HR and security part I:
Human Resources

The human resources department helps the company find people, hire them, train them, fire them, and manage the whole personnel process. For some reason, there are a lot of jokes about HR people being evil, maybe because they control people’s careers. But they are essential to any organisation. They have a say in the allocation of money for salaries and benefits. They are the gatekeepers for employment issues and education and training. Because cybersecurity is first and foremost a people problem and only secondarily a technology problem, cybersecurity managers should consider HR folks essential partners.

HR actually tends to be quite helpful to the cybersecurity manager. We don’t remember a single instance when HR hasn’t wanted to help improve security. In fact, HR managers usually become friends with the cybersecurity manager.

The cybersecurity manager should find those few cybersecurity issues that actually belong to HR or where HR is instrumental, then enlist their help. The cybersecurity manager can place certain checks and security controls on the employment process, then stay hands off. Set HR up with the right tools, then let the HR machine run on its own.

Security in the Hiring Process

When starting on the job, the cybersecurity manager should meet with someone in HR as soon as possible—preferably an HR manager or director—and have a discussion about security. Ask the HR manager or director the questions below. Their answers will help you understand which security measures are in place and which are not.

  • What do you do for security when new employees start at the company?
  • Is there any formal security training provided?
  • How does the company maintain its security awareness continuously?
  • What do you do when they leave the company?

The discussion will also help establish a relationship between the cybersecurity manager and HR personnel, and establish the cybersecurity manager as someone who is there to help. In fact, if the company is big enough to hire employees with cybersecurity skills, or if it’s hiring a cybersecurity specialist, the cybersecurity manager might even be able to help HR craft the security requirements in their job descriptions. For example, if they are looking to hire an internal auditor for security, HR will probably not be able to define what skill set and capabilities the role and the candidate should have, but the cybersecurity manager certainly can.

The cybersecurity manager can guide HR to create—and use—a hiring checklist. The checklist should include simple things like verifying the candidate’s identity—are they really who they claim to be? HR should check each new hire’s CV and certificates to make sure they match. They should also have procedures in place that require the new employee to sign for any computers, keys, and keycards issued to them. Other checklist items include assessing which user access rights are appropriate for the new employee—what access will they get to the network and services, both within the company and externally? The HR manager should also ensure that the employee receives access induction and familiarisation training when they start the job. The cybersecurity manager should make sure HR has this hiring checklist in place and that every hiring manager uses it each time someone is hired.

Next, the cybersecurity manager should make sure HR is providing at least basic security training to each new employee. The company may have internal policies and procedures in place about security, but if they’re not part of the induction training, then the new hire won’t know about them. If she doesn’t know about them, she won’t comply, leaving the company open to a possible security breach. The responsibility for that breach would then travel up the chain of responsibility, from the supervisor all the way up to the CEO. Ultimately, the responsibility lies with the company.

Security in hiring requires attention to detail, but at the same time, the cybersecurity manager should make sure they don’t lose track of the bigger picture: usually the biggest risk is hiring someone who is not a good fit for the company. The cybersecurity manager can’t forget that the main goal of the HR process is to find the right person for the job.

Security in the Firing Process

During firing, HR should also have a checklist. The hiring manager or supervisor essentially reverses the hiring process:

  • What does the terminated employee have that they need to return?
  • Did they give everything back? Did you get a signed receipt for the returned equipment?
  • When should account access be disabled, and what did they have access to?
  • Are there any foreseeable disputes that make it wise to end access early?
  • Or will the departing employee keep temporary access to computers or accounts?

It’s up to each company how they want to implement different types of exit scenarios. But there should be a plan and set policies in place. In our experience, which includes firing CEOs, it’s best to have an established checklist and follow it every time without fail.

If possible, it’s useful to have the employee sign the checklist and agree in writing that the computer will be returned that day before they leave, that they understand that their email password will no longer work after a certain date, and so on. When they sign that list and hand over the items, there can be no dispute about what was agreed to and what was done.

The best practice is to make security discussions with new hires a standardised process. If you make it a process, it’s not personal. It’s just a typical work conversation. “I have this HR paper; can we go through it together? We have to do it. It’s policy.” This is much easier than arguing over a computer or access rights or what to do with an email account. If the employee doesn’t like how they’re being treated, you can blame the paper, the policy, the process, and the bureaucracy.

Security During Employment

During their time working for the company, each employee will need ongoing training and education on security issues. HR usually arranges these sessions, so when the cybersecurity manager needs to deliver a security awareness programme, they should go right to HR for help.

They will probably help the cybersecurity manager set up a short training course, delivered either as a lecture or as an e-learning experience. The format is not that important, but tracking attendance is. Many cybersecurity managers get into a hard spot when auditors ask them to provide attendance logs from the training as proof that awareness training has been provided. These logs can’t be fabricated after the fact. Is every person in the company actually participating? How often does the training happen? An annual programme is good practice, but does it need to happen more frequently?

Another important question: Who gets this training? Typically, companies think that everyone should know basic things related to security, especially anyone who has access to confidential company information, but different specialists have different needs. Maybe IT employees should know a bit more than the average employee about cybersecurity. What about supervisors? Do their additional responsibilities—hiring and firing—mean they need additional security training?

Cultivating Security Awareness

All of these things have to be part of a cybersecurity awareness programme or plan, but the overall goal is to improve security awareness within the company. There is no fix for human stupidity or carelessness, but security awareness training can help avert the worst problems.

We’ve spoken with cybersecurity managers in high positions and asked them how much emphasis they put on technology and how much on awareness and human behaviour. One said he’s putting half the budget on awareness. It sounds like a lot, but think about what happens if you don’t. A simple email can be used to steal millions of dollars from a company. If employees aren’t aware of such a risk, no amount of technological protection can save them.

We worked with one person who received such an email. It appeared to be from the CEO and said, “I’m travelling and this is a busy case. Here’s the bill that should be paid to a service provider in the far east. It’s nighttime out there. Please just put the payment in and then we can handle the proper paperwork later.” The bill looked legit. The email looked legit. The only thing that was not correct was the account number and bank. That company lost $17 million because of that email. Security awareness and training is the only thing that helps in those cases.

Even drastic technological measures to prevent cyberattacks can fail. Recently, in Singapore, the government enacted a new regulation that requires all public entities—governments, schools, hospitals—to disconnect from the internet; they had to use different computers for internet and physically separate networks for internal needs. It sounds like this change should help, but people can be fooled into overcoming that “air gap.” If that happens, this technical measure isn’t helpful. The money stolen in the example above would still be gone. Just recently, the health information of 1.5 million people was stolen from SingHealth, a major healthcare provider in Singapore. A simple click on a wrong email could still cost your organisation millions.

Attackers pay attention to human behaviour; they will try to fool somebody within the company into unknowingly assisting them with the fraud or hack they are performing. If all staff remain alert to these attempts, many of them can be avoided. Not long ago, someone tried to get billions of dollars from the Bank of Bangladesh in one of the largest attempted cyberattacks in history. In the end, they were only able to steal tens of millions, not billions, all because someone in the company noticed a typo in one message and put a halt to the scheme.

These examples illustrate the need for security awareness training. Human carelessness is hard to regulate. But training employees at least every year can prevent needless disasters like those described above.

Make HR Happy

HR is happy when the cybersecurity manager helps them acquire the proper training and create the guide for the training. But they usually do not like it when a cybersecurity manager forces a new security checklist or process on them. It feels like extra work. The best way to help them gain ownership is to talk with them and let them come up with the process and structure on their own. This way, HR can figure out for themselves the best way to do training and then build a programme from scratch. A cybersecurity manager who imposes training requirements may face resistance and have to do a lot of pushing to make progress. But when a cybersecurity manager is clearly there to help HR implement their own ideas, their input is usually welcome.

In the end, a company is nothing but a bunch of people working together. As in any relationship, reciprocity is key. HR, instrumental in a lot of important activities in the company, can cause problems for the cybersecurity manager if the cybersecurity manager is not helpful to HR in return. On the other hand, we’ve never seen an HR director who didn’t want to improve cybersecurity. Make HR your friend, and you will be much more successful as a cybersecurity manager.
