By John Donovan
The internal employee threat is still a leading cause of data breaches. According to the latest report by the Office of the Australian Information Commissioner (OAIC), over a third of the 518 notifications it received over January-June 2020 (34 per cent) were caused by human error. This is likely to increase as companies continue to work remotely during the pandemic.
Each cyberattack is costing Australia an average of $3.9 million. Organisations cannot afford to keep allowing preventable attacks to take place when resources to protect against human error are available. As such, cybersecurity education and training must be re-evaluated to ensure all employees remain cyber-vigilant while working from home.
While technologies such as firewalls and endpoint protection have a clear role to play in keeping organisations safe, employee education is one of the best ways an organisation can mitigate cyber threats and manage risk. Technology alone isn’t enough; organisations must develop a culture of cybersecurity awareness, education, and training, which is impossible to achieve without the help of senior HR leaders.
Driven by the COVID-19-accelerated move to remote working, HR leaders are increasingly collaborating with IT leaders to devise policies, frameworks and training to better support and educate employees on how to be cybersecurity-aware. At the same time, HR has a clear role in helping to fill the cybersecurity talent pool gap to ensure organisations maintain a strong security posture. It’s estimated nearly 17,000 more cybersecurity workers are needed by 2026 and HR professionals will play a pivotal role in helping to close the skills gap.
Evaluating the skills gap issue
According to our research, inadequate education, leadership and funding are major barriers to Australia’s cybersecurity preparedness. Across Australia, most business decision-makers believe a lack of security expertise is a challenge for their organisation, with 65 per cent observing recruitment of skills to be a struggle.
Compounding these issues is the apparent confusion over cybersecurity responsibility within organisations and a lack of understanding of the specialist skills required. A common oversight is tasking IT staff with cybersecurity in addition to their other key responsibilities, rather than treating cybersecurity as a role in itself. This is where it is critical for senior HR and IT leaders to collaborate closely to determine specific skills requirements.
How can HR play a role in cybersecurity?
Ultimately, cybersecurity is about managing risk. To do that effectively, HR staff must work closely with technology leaders to identify key areas where their team’s actions will have an outsized impact on protecting their organisation, employees and the data their company has been entrusted with.
The mindset of an organisation’s HR team can set the culture for the entire organisation. Disengaged employees are an attractive target for cybercriminals to exploit. Therefore, the onus is on HR leaders to take their organisation’s security seriously and work with the necessary business and technology teams to set the right attitudes, culture and processes to keep it secure.
Organisations must be proactive in their response to today’s cyber threats. With the ever-evolving security landscape and the never-ending search for skills and best practices to overcome these threats, collaboration between senior leaders is key.
Most importantly, by fostering a workplace that prioritises cybersecurity awareness and training, and has the tools to effectively find suspicious activity, organisations will be on the right path to strong cybersecurity hygiene.
(The writer is the Managing Director of ANZ at Sophos)