The Role of HR in Preventing Cyber Incidents

Technology is a fundamental cog in the operations of every modern business. With internet-based communication and software solutions being so prevalent and remote forms of working increasingly on the rise, it is no surprise that more and more employers are reconsidering their cyber security.

In a survey of risk management specialists by Allianz, cyber incidents were noted as being the biggest threat facing businesses in 2022. The risk of ransomware attacks and other types of data breaches was a bigger fear than COVID-19.

A cyber incident is a breach of a company’s data protection processes which harms the confidentiality, integrity or accessibility of personal data. Such incidents can occur in various ways, including malware entering a company’s systems, phishing attacks or Denial-of-Service attacks.

There is an inherent connection between HR and such attacks, as they often involve employee personal data or the actions (or negligence) of an individual employee contributing to the security breach.

Prevention is the best cure for cyber incidents, so in this article, we explore the legal and practical considerations for employers when preparing for a cyber incident.

Training, training and more training

Employees are often a company’s most important form of defence against cyber attacks. The government’s cyber security breaches survey in 2020 revealed that 63% of breaches were spotted by employees, whilst antivirus protection software only caught 7% of attacks.

Simple but effective training can be rolled out to teach staff how to identify strange emails and respond when there is an attack or data breach. The company’s data protection and IT procedures can also be covered, including issues such as how to safely use IT equipment, rules on remote working, the use of document management systems and rules on removing data from company systems.

It is common for this training to be part of the company’s induction process for new hires, but refresher training should be used to ensure good practices are maintained. In addition, training tools and quizzes could be circulated to staff on a regular basis to gauge whether they respond correctly to mock cyber security scenarios.

Keeping track of the employer’s methods and reasons for storing and processing personal data is vital. When a security breach occurs, and the compromised data contains employee data, knowledge of the employer’s data framework will be crucial in remedying the breach, communicating to staff, handling any reports to regulators and dealing with any legal claims. The information that HR should track and record includes:

• The categories of employee personal data, including any special category of personal data stored by the business.
• Where the data is held and who can access it.
• The purpose(s) of the data processing.
• The categories of recipients of employee personal data.
• The security measures in place in relation to the data.
• Applicable retention periods (see below).

HR policies and procedures should be audited and updated to ensure compliance on a regular basis. This will make sure that security protocols do not become outdated and that the business is properly protected. This might include a review of data protection policies, privacy notices, IT security policies and data retention policies, data subject access request protocols and homeworking policies.

In addition, HR should reassess the adequacy of protections within contracts of employment and contracts for workers and freelancers. Confidentiality provisions and post-termination restrictions, when drafted correctly, can help protect an employer’s data during and after employment ends.

Employers are increasingly relying on technology as an important tool in their cyber incident protocols.

This can involve monitoring employee activity on company equipment, but such monitoring must be compliant with data protection laws, which generally means ensuring there is a legitimate interest for the monitoring in question and that a balanced approach is taken to ensure the monitoring goes no further than necessary in achieving its purpose. 

Proportionate monitoring with the aim of highlighting cyber risks is likely to be justifiable given the dangerous and prevalent nature of cyber attacks.

In addition, many employers use data protection software to guard their data and prevent unauthorised data from exiting their networks. For example, there is software that can scan outgoing emails and notify staff when data is being sent out to the wrong recipient or a suspicious recipient.