By fostering a work culture that emphasises data security, providing employee training, and building strong partnerships with security and IT teams, HR leaders can help protect their company’s personal data.
By Simon Kent
Recent history has shown that despite living with technology for many years, organisations are as vulnerable to cyberattacks as ever. Indeed, the increasing sophistication of attacks may be mirroring the increasing sophistication of systems. As organisations trust more of their business and data to technology, they also increase the associated risk. However, there are still steps which organisations, and HR in particular, should take to protect their businesses and thereby their people and reputations.
Earlier this year, U.K. law firm Nockolds analysed reports to the country’s Information Commissioner’s Office (ICO) and found that data protection breaches involving employee data have reached their highest level since 2019. Powered perhaps by the increase in hybrid and home working, the firm found a 40.76% increase in such breaches during 2023, with reports to the ICO increasing by nearly 1,000 over the previous year. Ransomware attacks rose from 352 in 2022 to 554 in 2023, an increase of 57.39%. Phishing attacks targeting employee data jumped by 56%. While security tools no doubt have a part to play in organisational security, they are only ever going to be as strong as the culture that surrounds them. And that’s where HR comes in.
“The best thing HR can do to help prevent personal data from falling into the wrong hands is foster a work culture that keeps data security top of mind,” agrees Joy Burkholder Meier, general counsel and chief human resources officer at application security business Black Duck. “Data security training, as well as phishing tests are critical to keeping an organisation safe, particularly because bad actors often impersonate HR or payroll team members to lure unsuspecting employees into sharing sensitive information.”
However, the risk to businesses is not always straightforward. Kristian Torode, director and co-founder of Crystaline, a Vodafone secure device manager provider, suggests the platforms HR is using aren’t designed with security front of mind. “At a time when hybrid work and cross-functional systems demand data sharing, HR teams need secure, traceable communication tools that don’t rely on personal messaging apps or unmanaged cloud services,” he says. “One essential step is to implement a unified communications (UC) platform with business-grade encryption, access controls, and audit trails. This ensures HR data isn’t scattered across multiple channels like email, text or WhatsApp, where it’s hard to control or retrieve. UC platforms help HR teams share sensitive updates securely with managers, legal or payroll, while maintaining a clear record for compliance.”
Torode extends consideration to mobile device management (MDM) as many HR professionals work on the go. “MDM allows organisations to enforce essential protections such as strong passwords, data encryption, app usage controls, and the ability to remotely lock or wipe a device if it’s lost or stolen,” he says.
“Any AI tools being utilized must be continuously monitored and refined to ensure proper alignment with regulations and company values. Without human oversight, AI-generated insights can deteriorate over time, leading to unintended consequences. Regular updates and ethical consideration must therefore remain central.” — Joy Burkholder Meier, CHRO, Black Duck
It should be noted that the risks HR is dealing with are not always straightforward either. AJ Lindner, a solutions architect at One Identity, recounts the case of a disgruntled tech staffer in America who activated computer-crashing and file-deleting code when his employment was terminated. The attack was clearly premeditated, triggered by a company restructure that reduced the employee’s responsibilities. As such, the danger could have been on HR’s radar and the business could have spotted what was happening before it did.
“A mature cybersecurity programme monitors the internal environment in great detail, from firewall and network activity to application behaviour,” explains Lindner. “One of the critical signals should be the identity and access management suite. Login events, access requests, and user behaviour across the environment could point to an imminent attack, or a breach.”
This level of detection work requires collaboration across an organisation to keep everyone vigilant for red flags. “While the technology is available to automate privileged access management, closer collaboration between HR officers and IT administrators can also pre-empt malicious activity and provide an additional layer of security,” says Lindner.
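To make Lindner’s point about login events and HR–IT collaboration concrete, here is an added example (not from the article, nor One Identity’s product) that correlates constructed HR lifecycle records with constructed IAM audit lines to surface the two signals the anecdote describes: a demoted employee requesting a burst of new access, and an account still authenticating after its termination date. The log format, event names, window and threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed HR records (user, event, date); illustrative only, not real data.
HR_EVENTS = [
    ("jdoe", "role_reduced", "2024-03-01"),
    ("jdoe", "terminated", "2024-03-15"),
    ("asmith", "hired", "2024-01-10"),
]

# Constructed IAM audit lines, assumed format: "<ISO timestamp> <user> <event> [detail]".
IAM_LOG = """\
2024-02-20T09:01:00 jdoe login ok
2024-03-02T22:14:00 jdoe access_request finance-share
2024-03-03T23:40:00 jdoe access_request backup-admin
2024-03-04T01:05:00 jdoe access_request hr-db
2024-03-16T08:30:00 jdoe login ok
2024-03-16T08:31:00 jdoe login ok
2024-03-10T10:00:00 asmith login ok
2024-03-10T10:05:00 asmith access_request wiki
"""

def parse_iam(text):
    """Parse audit lines into (timestamp, user, event) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events

def find_red_flags(hr_events, iam_text, window_days=7, request_threshold=3):
    """Correlate HR lifecycle dates with IAM activity; return (user, reason) flags."""
    hr = {}
    for user, kind, day in hr_events:
        hr.setdefault(user, {})[kind] = datetime.fromisoformat(day)
    iam = parse_iam(iam_text)
    flags = []
    for user, dates in hr.items():
        mine = [e for e in iam if e[1] == user]
        # Leaver whose account still authenticates: an offboarding gap or misuse.
        if "terminated" in dates:
            late = [e for e in mine if e[2] == "login" and e[0] > dates["terminated"]]
            if late:
                flags.append((user, f"{len(late)} login(s) after termination"))
        # Burst of access requests right after a demotion: an early warning signal.
        if "role_reduced" in dates:
            end = dates["role_reduced"] + timedelta(days=window_days)
            reqs = [e for e in mine if e[2] == "access_request" and dates["role_reduced"] <= e[0] <= end]
            if len(reqs) >= request_threshold:
                flags.append((user, f"{len(reqs)} access requests within {window_days} days of role change"))
    return flags
```

Each flag is a prompt for a conversation between HR and IT, not a verdict; the thresholds would be tuned to the organisation’s normal joiner/mover/leaver activity.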
“HR should build strong partnerships with their internal risk management and IT security department, as well as with their legal teams, and engage them to spot issues when HR is procuring new software or other tools, given most HR applications process or store personally identifiable information,” agrees Black Duck’s Meier.
This is a level of vigilance that Oliver Allanach, solicitor and employment law expert at law firm Gordons, also promotes, noting that with the use of third-party IT platforms—payroll management, recruitment, employee engagement and so on—employers remain the responsible “data controllers” of the personal data used. “This means employers have overall responsibility for safeguarding employee data,” he says. “These duties cannot be contracted out to external providers, although risk can be managed contractually depending on the negotiating power of each party. As a result, employers and HR teams must take care when using others to manage employee data. Even if you are working with a market leader, this does not guarantee that data will be totally secure.”
One of his top recommendations is to conduct due diligence. “Data privacy laws allow data controllers a reasonable right of audit of third-party processors,” Allanach says. “Depending on the contract terms, this can range from a comprehensive right of audit through to third-party security certifications. This is a useful right to invoke to ensure contractual compliance.”
What this complexity comes down to at the end of the day is a good data protection policy (DPP) as recommended by Daniel Milnes, partner at Forbes Solicitors. “A well-developed DPP will cover key elements of how data is collected, used, stored, accessed, and shared,” he says. “This will take into account any local laws and regulatory requirements governing data protection and will assess the varying threats to data security. For these reasons, creating a DPP acts as a valuable first step towards risk mitigation, enhancing compliance, and promoting best practice.”
Research from CyberArk finds that 65% of employees often bypass cybersecurity policies to make their lives easier, and 38% either “sometimes” or “never” adhere to guidelines on handling sensitive information when using AI tools.
However, as with any other policy, its ultimate strength will rest in the extent to which it is understood, observed, and implemented. Otherwise, this simply represents a description of what should be happening rather than delivering any real protection.
“Once a DPP has been created, it’s important that HR communicates the policy to staff,” asserts Milnes. “This helps ensure all parties understand their roles and responsibilities in terms of data management and security, and take it seriously, if staff don’t comply.”