April 25, 2018

GDPR: HR’s Role in Preventing Cyber-Attacks and Costly Breaches

The impending introduction of the General Data Protection Regulation on 25 May means the cost of poor cyber security is about to rocket, with lost, hacked, stolen and badly-managed data liable to cost your business up to £17 million (€20 million) or 4% of global turnover in fines.

These are serious figures, but many in HR would assume (and be forgiven for assuming) that preventing cyber-attacks is not their responsibility – of course it’s down to IT to sort all that stuff out, right?

No, I’m afraid that’s not the case!

Let’s look at the origins of the word ‘cyber’. It comes from the Greek ‘cybernetic’, meaning ‘skilled in steering or governing’.  When you think about the function of HR in an organisation this becomes more obvious.

It is HR’s role to steer and/or govern the organisation’s culture, using policies and compliance mechanisms to ensure the right behaviours are embedded, trained-in, kept up-to-date and upheld consistently across the human resource.

Because the truth is that those delightful humans you employ are the greatest threat to your cyber security, not hackers.

There are plenty of research papers and studies on the subject and the findings are the same regardless of which ones you read – so let’s take a look at the top causes of data breaches:

  • The Association of Corporate Counsel released a report last year which said 62% of SMEs had experienced cyber-attacks and human error was the leading cause
  • In another report 42 percent of contributors blamed end-user failure to follow policies and procedures. Carelessness, failure to recognise or be alert to new threats, and a lack of expertise with websites/applications were also cited

Every single one of these reasons can be traced back to HR’s responsibility to communicate security standards and maintain them.

Of course, if IT staff fail to follow policies and procedures this can significantly increase risk as they have responsibility to put adequate protections in place to reduce exposure.

But they are only the failover: HR is the gatekeeper.

So what are the causes of data breaches?

The Information Commissioner’s Office (ICO) publishes quarterly statistics about the main causes of reported data security incidents. In the last published quarter, the top five causes in cases where the ICO took action involved human errors or process failures, all of which were avoidable.

Think about the following behaviours – could they be happening in your organisation?

  1. Loss or theft of paperwork
  2. Data posted or faxed to incorrect recipient
  3. Data sent by email to incorrect recipients
  4. Insecure web pages
  5. Loss or theft of an unencrypted device

For many months I have been advising HR professionals and senior executives to ensure that GDPR is on the agenda at every board meeting, because every business needs to get their house in order before May.

In particular, HR needs to think about cyber security much as it does about general health & safety management systems, because it’s all about mitigating risk. Risks will always exist, and it is what you do to minimise them that matters most.

Any organisation unfortunate enough to experience a data breach can only defend any legal action against itself in the context of what it did to avoid or minimise the attack, and that all comes back to good governance.

But if I have still not convinced you here’s some more food for thought.

The Chartered Institute of Professional Development (CIPD) collaborated with the Government to produce a very informative – and free – e-learning course on HR’s role in leading cyber security.

Why not see for yourself?

Want a round-up of stories like this delivered to your inbox?

About the author

Lisa Gillespie

Over 20 years Lisa has acted as a consultant and adviser on many HR issues and employment tribunals across public, private and third sector organisations. She has worked in most UK local authority areas on projects ranging from social care and health to training and conciliation arrangements. Lisa studied psychology before moving into employment law and HR after further study at Manchester Metropolitan University and the University of Salford, and she is also qualified in project management and counselling.