
Why HR’s role in cyber risk management is growing

21 April, 2022

It won’t surprise you to read that cyberattacks have become an all-too-common occurrence for businesses: attacks in 2021 increased 50% over 2020.

There are many causes for this startling increase, but a consistent issue is one of complacency. Quite simply, many businesses make the mistake of thinking that cyberattacks are only targeting bigger, higher-profile companies.

The reality? Small businesses are often targeted too. Attackers take advantage of the smaller IT and training budgets of small businesses, which leave vulnerabilities that can be exploited for financial gain.

For example, ransomware attacks have become a major issue, with approximately 37% of global organisations being victims in 2021, according to the IDC’s 2021 Ransomware Study. Ransomware attacks involve the use of malicious software that blocks system access and demands a sum of money as ransom, in order to give access back to the business.

Historically, protecting IT systems was seen as a problem for the IT department and HR would have minimal involvement in cyber risk management. However, more and more organisations are realising that HR has a crucial role in enabling the organisation to establish robust cyber risk management processes.

While IT provides the expertise in deploying technical security controls, such as antivirus and antimalware software, firewalls and SSL certificates, HR are the experts in policies and people. One of the biggest risks to an organisation’s cybersecurity is employee error, covering both accidental mistakes and deliberate breaches of data security.

Therefore, HR has a significant role to play in developing a culture of employees who are cyber risk-averse, and who also display the required behaviours to help keep the organisation protected from cyberattacks. But what can they do to help?

These are some of the ways HR can develop a high-quality cybersecurity risk management framework:

Developing company policies

HR should ensure that there are comprehensive company policies in place, such as information security, social media use and other policies related to cybersecurity.

Although the IT team will have the main responsibility for writing policies that sit within their domain, HR should have a policy management process to ensure that policies are kept up to date and are easily accessed by employees - for example, published on the company intranet site.

Setting data and access controls

Another area where HR can support cybersecurity is by ensuring that access levels are appropriate. Access to systems and data should be restricted so that the only people who can access data are those who genuinely need it for their job responsibilities.

Background checks

Internal fraud is a problem that can lead to data breaches. HR can implement strict screening processes when recruiting, such as background checks and references, which help to identify candidates who represent a higher risk to the organisation.

Training and regulatory compliance

HR is responsible for regulatory compliance, including mandatory training.

For organisations to increase employee knowledge and develop a culture of high cybersecurity awareness, traditional regulatory compliance training is not always effective. Remember, 90% of breaches start with human error!

At Bob’s Business, we build brilliantly effective training programmes for all employees, reducing your risk of a breach. Your employees will develop the tools they need to protect themselves and your business.


Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made for your organisation.
