Author Profile Picture

Katherine Jones


Partner and Director of Talent Research

Read more about Katherine Jones

A wake-up call to HR: GDPR is right around the corner


The Plainspeak Analyst is Katherine Jones, Partner and Director of Talent Research at Mercer, the world’s largest human resources consulting firm. Her job is to design and deliver insight research and services to Mercer’s global clients. She was previously VP, Human Capital Management Technology Research at Bersin by Deloitte. She has a PhD in Curriculum and Instruction from Cornell University.

No more head in the sand—cyberthreats are everyone’s responsibility. It’s just not an IT issue anymore—that group is chartered with guarding the cyber perimeter with firewalls, managing dual level authentication, access controls and many other important aspects of network security.

But it also now falls on HR to help prevent threats that may initiate inside the company – either through carelessness, ignorance or maliciousness.  The weakest link is often the workforce.

The European General Data Protection Regulation raises the bar for managing corporate data and adds imperatives for reporting when breaches occur.

Only half of senior cybersecurity leaders report that HR assists with creating corporate risk tolerance strategies (50%) or helps develop contingency plans for addressing a breach of employee data (45%) according to Mercer Select Intelligence research, 2017.

Overall, HR can contribute to corporate security greatly through the development of an overall risk mitigation governance policy that includes a comprehensive cyber-risk learning strategy. Fighting back with security awareness training for employees is expected to become a fundamental cyber-defense strategy by 2021.

HR has a role to play by educating the workforce on accidentally or carelessly abetting cyber culprits, particularly those who try to infiltrate the corporate network.

Cyber-risk awareness has to include all employees: from new-hire training that includes education on cyber risk and other risk-related issues, to ongoing security education.

Regularly-scheduled employee education can better ensure that data security is top of mind. According to corporate cybersecurity leaders, currently only 55% of HR departments deploy organization-wide training and testing on the importance of mitigating risky behaviors and overall cyber safety.

HR can contribute to corporate security greatly through the development of an overall risk mitigation governance policy.

Falling for phishing, for example, is one of the more common ways that workers and the population in general succumbs to what looks like a normal email or web request, only to discover they have opened a back door to viruses, worms, and a host of other vermin.

Consider this data point: 23% of recipients open phishing messages, 11% click on attachments; this means that a phishing campaign sent to 50 people will net five to six victims in the catch – hardly small fry.

Many employees are tech-savvy – and may have a tendency to “go rogue” if permitted. Because they know how, they may download applications to their laptops and mobile devices that could open the door to ransomware or malware. Again, likely unintentionally, their behavior can put computer networks at risk. 

Malicious employees, on the other hand, may have entered the corporation with an agenda to subterfuge – here diligent hiring practices, enforced system access controls, and sentiment-monitoring prove their worth.

Research tells us three main points about these employees who purposefully cause cyber damage: most perpetrators have acted out at work previously, they planned their activities in advance, and their actions were most likely triggered by a negative work-related event.

HR members know better than anyone when those potential flash point – events at work that affect employee sentiment adversely – may occur. Monitor employee sentiment: alienation and disengagement may occur during reorganizations; corporate mergers, buyouts or divestitures; layoffs; or other internal or external events that affect the workforce. 

Unfortunately in today’s world, a cyberattack is almost as inevitable as the proverbial death and taxes.

Plan for reducing feelings of alienation through positive, honest communication, and monitor those employees most likely to be affected. Proactively consider and plan for extra risk protection during tense periods that affect the workforce.

Unfortunately in today’s world, a cyberattack is almost as inevitable as the proverbial death and taxes – but there are things as noted here that HR can begin to do to better educate employees about the risks of security breaches and what they can do to help prevent them.

Author Profile Picture
Katherine Jones

Partner and Director of Talent Research

Read more from Katherine Jones

Get the latest from HRZone.

Subscribe to expert insights on how to create a better workplace for both your business and its people.


Thank you.