HR's role in bridging cybersecurity gaps in organizations
As cyber attacks become more frequent and severe, organizations risk falling behind if they do not sufficiently equip their workforce with the proper resources and people to safeguard their data and infrastructure.
Digital transformation has presented countless opportunities for organizations trying to scale and grow their teams. However, it has also paved the way for more sophisticated and covert cybercrime and risks that threaten their (and, by extension, their teams’) data and information.
The problem is that many organizations sector-wide are battling a significant and prevalent gap in cyber security skills, knowledge, and techniques, leaving them increasingly vulnerable to data breaches, ransomware, and other prominent types of cybercrime.
With a severely limited talent pool to choose from and ever more technical positions to fill, companies, including health care insurers, must make crucial decisions and tackle the challenges head on. Either they bide their time to find the right people, or they fill the positions with supplemental personnel who aren’t properly qualified or who lack adequate cyber security knowledge.
So, what’s the solution? It turns out that upskilling and reskilling your current workforce could be a valuable answer.
This article delves into the importance of enhanced cyber security awareness and skills, highlighting the vital role that HR decision-makers can play in bridging this widening skills gap.
Before we delve into how you as an HR leader can empower your employees with greater cyber resilience skills, it’s important to understand just how volatile the current cyber threat landscape is.
The alarming reality of cybercrime and security
- The global cost of cybercrime is projected to skyrocket from $9.22 trillion in 2024 to a staggering $13.82 trillion by 2028, according to Statista.
- Cyber threats are constantly evolving, with innovative new attack vectors and techniques emerging by the day. Malware, ransomware, distributed denial-of-service (DDoS) attacks, man-in-the-middle (MITM) attacks, and phishing campaigns are just some of the examples of the types of threats facing organizations across sectors.
- Not only do organizations risk having funds extorted through calculated ransomware attacks, but they also face potential regulatory or statutory fines if they are found to have breached data privacy laws.
- One successful cyber attack – however sophisticated – can drastically affect stakeholder or consumer trust, which can have a knock-on effect on a business’s reputation and, by extension, its turnover.
- The types of sophisticated cyber security skills needed to combat new attack vectors range from vulnerability assessments and penetration testing (ethical hacking) simulations to managed SIEM or SOAR services and red and blue team exercises, to name just a few.
- According to the most recent Cybersecurity Workforce Study from ISC2, there is a global shortage of four million skilled cyber professionals. Despite the cyber workforce growing in 2023, the gap between the number of in-demand workers and those available has risen by 12.6%, indicating a shortage of approximately 1 million people.
- This widespread shortage of workers emphasizes just how urgently organizations need to recruit more skilled and cyber-aware employees, who can identify and contain potential threats as they emerge. In turn, their presence can drastically improve the whole organization’s cyber hygiene and reduce its threat exposure.
The importance of cyber hygiene
Individuals and teams within any organization, regardless of size, must maintain proper security and adopt a mindset that keeps digital assets and infrastructure safe. Whether working solely with internal teams or with external stakeholders, suppliers or partners, maintaining cyber hygiene is vital.
Good cyber hygiene includes:
- Keeping software and systems up-to-date with new security patches to protect them against known vulnerabilities.
- Using strong, unique passwords for each shared or accessible account, backed up by multi-factor authentication (MFA) to verify access.
- Regularly backing up systems and files using both offsite and onsite solutions to ensure business continuity and disaster recovery post-attack, should an organization fall victim to one.
- Remaining vigilant and cautious when opening email attachments or downloading files from unknown or suspicious sources, which may contain malicious code or lead to phishing attacks.
These are just some examples of what all employees should do at a minimum to uphold data integrity. While promoting and enforcing good cyber hygiene across your entire workforce can drastically reduce the risk of suffering a data breach or cyber attack, it’s important to remember that this is not entirely foolproof.
Most data breaches are – statistically – caused by some form of human error, emphasizing the need for more robust cyber knowledge and awareness among your teams, however well-defined their security knowledge is.
That said, organizations, and specifically their HR teams, prove pivotal in closing this notable skills gap. Empowering and equipping employees with the relevant skills, knowledge and resources they need is critical in bolstering an organization’s security, and the HR function is where all of that can be delivered.
How HR can bridge the cybersecurity skills gap
Training, upskilling and reskilling
- HR should make a conscious effort to develop robust, bespoke cyber security awareness and training programs for their staff. These comprehensive programs should be tailored to the specific knowledge gaps while factoring in the needs and risks to the organization.
- Ensure that all training and upskilling programs are relevant and accessible to all employees, regardless of their role, tenure, or seniority.
- Conduct regular refresher training and reskilling sessions to reinforce new and up-to-date cyber best practices.
- Communicate regularly with teams about emerging threats and vulnerabilities, emphasizing the critical role they play.
- Consider realistic, interactive, scenario-based training exercises to test their real-world response strategies and build their practical knowledge.
Rethinking policies
- HR should collaborate closely with security and IT teams as well as top-level management to develop and deliver relevant policies that reflect the correct and appropriate behaviors, protocols and strategies for teams as it pertains to cyber security.
- Confirm that all policies align with the organization’s overarching strategy, culture, and values while reflecting new industry recommendations and compliance requirements for cyber security.
- Improve and enhance policies in line with relevant regulatory frameworks for your organization’s industry, such as GDPR, CCPA, and others.
- Reinforce policy updates and adjustments with clear communications to your wider team, and send reminders asking personnel to agree that they understand the changes.
New talent acquisition and development strategies
- When recruiting new talent, run relevant cyber security skills assessments to test their knowledge alongside interviews. This is crucial when hiring for roles that involve handling sensitive personal or critical system data.
- Extend opportunities for existing staff to develop and upskill their cyber security knowledge through accredited training programs, certifications, job shadowing, rotations, and so on.
- Transition employees to new roles or departments with approval, having ensured they receive appropriate training relevant to their new responsibilities.
- Partner with reputable niche recruiters to attract cyber security talent, whether searching for full-time roles or temporary contractor placements to supplement your team.
Watch your team’s cyber awareness flourish
The guidance above scratches the surface as far as cyber security in an organization is concerned. It’s a shared function and responsibility that requires individual and collective action and awareness, with collaboration and communication firmly at the heart of it.
Taking this advice on board, HR leaders can play a crucial role in bridging the lingering cyber security skills gap and fostering an aligned culture of improved cyber hygiene across the organization. Prioritizing these strategies will reinforce HR’s role as a crucial, multi-faceted department that does more than simply recruit and hire the best cyber security talent and provide benefits that raise employee morale. While the latter are both crucial, an organization’s HR team can establish itself as a critical asset in improving cyber resilience too.
Organizations that proactively make security a collective priority and back these values up with decisive, meaningful action will position themselves for optimal protection against cyber threats.