A Cybersecurity Expert Reveals Why You're a Cybercriminal's Next Target — and 5 Things You Can Do to Beef Up Your Defense

The right plans and procedures can be the difference between thwarting a cyberattack and becoming headline news.

By Claudette McGowan

Key Takeaways

  • Protecting your company comes down to two things.
  • Here are five things you can do to protect your company from cybercriminals that are often overlooked.

Opinions expressed by Entrepreneur contributors are their own.

If your company was hit by ransomware today, who would you call? Or perhaps a better question: How would you call them? It sounds absurd, but as a cybersecurity expert, I have seen organizations paralyzed for hours after an incident simply because nobody knows anyone's cell number anymore. Without access to email or messaging systems, communication grinds to a halt and workers, customers and suppliers are all left wondering what is going on. Panic rapidly escalates into a crisis.

There's a tendency to think about cybersecurity as being the responsibility of the IT or security department. But protecting your company comes down to two things: organizational culture and planning. That's why some of the most important people on cyber defense aren't in the IT team — they're in human resources.

The HR team is uniquely placed to embed cybersecurity preparedness into the everyday working of an organization. It's responsible for building the policies and processes to mitigate risks and ensure the business has the competencies to be resilient to foreseeable challenges — and those include cyberattacks. And as the custodians of employees' sensitive personal information, HR teams are themselves prime targets for hackers.

Unfortunately, this vital role is often overlooked. So here are five ways HR can help make your business a tough target for cybercriminals.

Build a cybersecurity culture

Eternal vigilance is the price of our liberty to roam the internet. The number of threats is mind-blowing — a recent report found the average education institution faces more than 2,300 attempts to breach its systems in a week, while healthcare organizations fend off more than 1,600 attacks. With so many digital grenades being lobbed, it's incredibly hard to catch them all. However, a strong cybersecurity culture helps an organization defend against attacks and limits the blast radius when one does get through. The tough part: Everyone has to be on the same page when it comes to online behaviors.

Step one is to ensure you have the training tools so that employees know what they should and should not be doing. Most organizations are reasonably good at this. However, many fall short by not putting that information into practice every day.

The best way to ensure that everyone considers cybersecurity a fundamental part of their responsibilities is to build it into performance reviews. This should not take the form of calling out workers for every dodgy link they click on. Instead, it should be a constructive conversation about how they're keeping up with their cyber literacy training. There are cyber health-check tools that workers can use to analyze their online behavior and address weaknesses (like reusing Pa$$w0rd across half the internet or not using two-factor authentication), and often these can be used to track progress toward cybersecurity goals at an organizational level.

When safety precautions are regularly discussed, they just become part of how you do business.

Protect your crown jewels

HR has custody of some of the most sensitive information in an organization — and hackers know this. In the past five years or so, many companies have adopted platforms that enable employees to self-serve routine tasks like vacation requests. However, third-party platforms come with risks. Hackers target them in so-called supply chain attacks, knowing that if they get lucky, they can access troves of information from multiple companies. In 2021, more than 300 organizations were breached in a hack of a widely used file transfer system. One of these was the University of California, which said the information exposed included employees' social security numbers, driver's licenses and passport details (the UC system offered its staff free ID monitoring services).

Job one for HR professionals is to ensure employee data remains confidential. Perform extensive due diligence before your organization signs up for any third-party HR service. Only consider companies that comply with international standards (SOC 2 and ISO 27001 are the main ones to look out for) and check online for reports of security incidents at the site in the past few years. Also, look into where your data is being stored and how it is being backed up. Depending on your location and industry, you may have to comply with data residency laws.

Stop hoarding data

Updating the data retention policy should be on the to-do list of every HR department. I say updating because every company has a data retention policy whether they know it or not. If yours isn't written down, then your policy is simply to keep everything forever. And that exposes you to considerable risk. The more data you have, the worse a breach can be — it's especially bad if you're hoarding data you no longer need. Many jurisdictions have limits on how long companies should retain sensitive information — it's often around seven years for records on former employees.

Figure out who will call the shots when a breach happens

Cybersecurity may be everyone's day-to-day responsibility, but when an attack gets through there should be one person in charge of the response. In cybersecurity lingo, we call this the incident commander. While everyone can have an opinion on the best course of action, decision-making power rests with them.

The job spec for incident commander only has one line: It's whoever best understands cybersecurity issues in your organization. Depending on the size of your business, that might be a cybersecurity leader, the head of IT or it could be Joanne in accounting who took a few courses on this stuff. Whoever it is, make sure you've identified them before an incident happens and have clearly communicated that to your team. Once a cybersecurity incident happens, events move quickly — in one case I was involved in, the hackers gave a 45-minute warning before starting to post sensitive information — so you don't want to waste time figuring out who's in charge.

Run some drills

Planning is only one half of the equation. Practice is the other. Plenty of research has shown that people don't think clearly in stressful situations. We perform drills for fires and earthquakes to give us a framework to fall back on in an emergency. The same idea works for cybersecurity incidents. Set aside two hours once a year to run a tabletop exercise with key staff that simulates what you'll do if the company is hacked. In these exercises, someone takes the role of a moderator to explain the nature of the attack and what's been affected, while everyone else plays out how they'd respond.

The first time you run the exercise, it will likely be a mess — but that's the point. The scramble to figure things out will reveal the gaps in your plans. Over time, the drills will become second nature.

And write contact information down — on paper

Put the incident team's phone numbers on paper and update the list regularly. Yes, it's old school. Yes, it's annoying. And yes, one day you'll be thankful you did.

Claudette McGowan

Entrepreneur Leadership Network® Contributor

CEO of Protexxa

Claudette McGowan is CEO of cybersecurity company Protexxa and is the former Global Executive Officer for Cyber Security at TD Bank.
