Educating HR professionals on cyber risk is just as important as having technical cyber experts within your businesses. HR pros regularly handle personal data and sensitive business information, support employee development through training opportunities and are a driving force aligning business processes. That’s why recruiting people who are committed to implementing a strategic HR strategy that covers more than employee performance, can make all the difference when it comes to reducing cyber risk.

It is often mistakenly assumed that cybercriminals will only go after large corporations however, small businesses are at considerable risk. According to the latest cyber readiness report from Hiscox (2023), there has been a “rise in the proportion of the smallest businesses being targeted”. Up by half in the past three years alone, the percentage of attacks is now 36%. With many smaller businesses tending to have tighter margins and fewer resources to combat threats, any successful attacks are likely to have an immediate and critical impact.

Cybercrime and prevention experts at the NEBRC, along with board members and Cyber Essentials Partner organisations have collaborated, to create the 2024 cyber threats for SMEs report. This report predicts expected cybersecurity issues which are set to grow over the next year and beyond. In addition, experts have provided recommendations on how to best prevent attacks and explore the role of HR in protecting against threats.

The role of HR professionals in the fight against cybercrime

Whilst many companies will have specific in-house or third-party IT suppliers and cybersecurity support, the responsibility doesn’t solely lie with these individuals. All employees can play a part in the fight against cyber threats, with HR having a crucial role in supporting both cyber specialists and general employees.

Securing the HR supply chain: HR professionals will work with suppliers and services, from recruitment partners to training providers and HR software. Supply chains, however, can easily be targeted by threat actors to infiltrate your security and prey on weak spots.

Debra Cairns, Managing Director at Net-Defence and Advisory Board NEBRC said, “Supply chain risk has moved from an emerging risk to a current risk in the last 12 months and will continue to be a threat as we move into 2024. Most organisations are dependent on their suppliers to deliver products, systems and services, meaning that an attack on your supply chain could be as damaging as a direct attack on your business.

“Once inside your supply chain, an attack can take many forms, including; service interruption, data theft, a stepping stone to directly access your systems and infrastructure or to launch a direct cyberattack. By coming through your supply chain, the attack can be incredibly difficult and sometimes impossible for the employee to detect.”

Two-factor authentication for HR systems and tools, education and awareness, passwordless authentication and strong processes for invoicing, can all help reduce the risks associated with third parties.

Implementing remote working policies: Remote working is more prevalent than ever, with many offices now using hybrid models. This means that remote working policies need to note risks such as, exposure when connecting to public wifi, checking who might be listening in to private calls, and vigilance to see if someone is looking over your shoulder as you type passwords. Whilst these basics are all current risks, Martin Wilson, Police Superintendent and Head of Student Services at NEBRC also noted that,

“Researchers have crafted a deep learning system, a type of artificial intelligence (AI), capable of extracting data which uses keyboard inputs. Essentially, this AI can predict typed content by interpreting the sound of your keystrokes. The ramifications imply that sensitive information like passwords or private messages could potentially be accessed. It is important to stress that this is just a theoretical finding at this stage, but it is a useful case study to demonstrate the importance of a wider point of some simple remote working precautions.”

Social media policy enforcement: Social media policies should cover a range of best practice guidance for employees; from limiting when and where employees can access their social media at work, to guidance on what should and shouldn’t be shared online and who has access to the company log-ins. Social can support a business in its growth however, it is also a place where threat actors can take advantage of the people in your business. Impersonation scams are becoming more believable and an increasing amount of information can be gathered using social media and third-party social apps, plus poor password management can leave cracks in your cyber defences.

Martin Hart, MD at CyberShelter commented that AI social media information gathering will make phishing attacks almost undetectable, saying,

“AI is developing at a rapid rate, being applied to existing cybercriminal tactics. We expect to see AI being used to gather much more personal and business information from social media, enabling phishing attacks to become even more difficult to spot and almost undetectable. The days of grammatically bad phishing attempts are coming to an end. This can become an issue for businesses, as collecting social information is just step one. Once credentials have been exfiltrated then further, monetised attacks can start to happen.”

He adds, “To avoid falling victim, always confirm even slightly suspicious emails that ask for any data somehow, ideally with a phone call or using multiple sources. SME’s will usually be more at risk than larger corporations due to the lack of available investment in protection-based technologies but, regular training can help your teams spot the warning signs and look after their data more effectively. Encourage your team to take a moment to stop, think and check before they click.”

Thorough onboarding and comprehensive training plans in collaboration with experts –
Your employees are the first line of defence when it comes to cyber security. With criminals exploiting mistakes made by employees, thorough training plans implemented by HR pros, IT and line managers can dramatically reduce exposure.

John Hay, Head of Information Security at Net-Defence and CE Partner at NEBRC commented,

“Keeping employees interested and informed is increasingly challenging but, training will play a crucial role to prevent attacks in the year ahead. This is especially important given the new and evolving threat landscape, with new and complex threats emerging.

“In addition, organisations’ employees are busier than ever working on core business areas, however, it is when this happens that cyber security can fall by the wayside, training becomes deprioritised and human error becomes more likely.

“Despite cutting-edge technological solutions, the human element remains a critical factor in cybersecurity. Small businesses often lack the extensive resources of larger enterprises, making them particularly vulnerable. Cybercriminals recognise this vulnerability and increasingly target employees through sophisticated social engineering attacks.”

Whilst prevention is the best route for dealing with cyber security risk, even the most prepared businesses may fall victim. This is where reacting quickly and reporting suspected breaches is key. Rebecca Chapman, CEO at NEBRC and ex-police superintendent discusses reporting in more depth, commenting,

“The prevalence of attacks will continue unabated against all sizes of companies both through phishing and malware. An increasing number of smaller businesses will identify one or more breaches in their security, without having the correct measures in place to deal with them.

“It is worrying that businesses won’t report these breaches to the authorities and many will go unrecorded. This then limits police intelligence which is needed to help allocate resources to this ever-growing area of crime.”

HR professionals will need to support in leading the charge when it comes to preventative measures, dealing with breaches should they be suspected and also reporting it both internally and to the Police and relevant third parties. The cybersecurity landscape can be daunting but, free support is available through local non-profits such as the NEBRC.