In today’s hyper-connected workplace, cybersecurity isn’t merely a line item on the IT department’s agenda; it’s a shared responsibility woven through the fabric of your entire organisation. One area, however, is emerging as both a surprising vulnerability and an untapped asset: Human Resources.
October, recognised as Cyber Security Awareness Month, brings timely attention to a growing concern. A recent report from the North East Business Resilience Centre (NEBRC) found that a striking 77% of HR professionals had encountered phishing attacks, a higher incidence than the general workforce, where the figure stood at 54%. This isn’t just a statistic; it’s a red flag. HR teams are increasingly on the digital front line, managing sensitive employee data that makes them attractive targets for cybercriminals.
The Rise of Socially Engineered Threats
The age of obvious scams from foreign royalty is long gone. Phishing emails have matured into convincing impersonations, mimicking internal colleagues, partners, or senior executives and catching recipients off-guard in moments of routine. These messages are designed to deceive, disrupt, and extract, whether by:
- Luring staff to click on malicious links
- Coaxing them into downloading infected files
- Tricking them into disclosing passwords or credentials
Given their access to payroll, contracts, and personal data, HR professionals have become prime entry points for attackers looking to infiltrate systems via the human layer, the “people perimeter,” as it’s often described.
Why MFA Alone Is Not a Silver Bullet
Multi-Factor Authentication (MFA) has become the default gatekeeper for many digital environments. Yet, while it’s an important barrier, it’s not bulletproof. Sophisticated actors now circumvent MFA through:
- Real-time interception of OTPs
- SIM swapping attacks, where mobile numbers are reassigned to attacker-controlled devices
- Phishing malware that silently relays MFA codes
Once inside, hackers often set up invisible backdoors: modifying email rules, launching lateral attacks, or embedding persistence mechanisms that evade detection.
In this evolving landscape, MFA should be viewed as a foundation, not a fortress.
HR’s Role in Strengthening Organisational Cyber Hygiene
Despite the scale of the risk, the NEBRC report noted that over 50% of employees hadn’t received recent cybersecurity training, and many weren’t even sure if they had. For HR, whose remit includes onboarding, training, and policy enforcement, this presents both a vulnerability and an opportunity.
Here’s how HR teams can sharpen their operational precision and become strategic defenders:
- Deliver engaging, regular cybersecurity training tailored to real-world scenarios
- Upgrade MFA methods, adopting physical tokens or authenticator apps over easily exploited SMS codes
- Audit for unauthorised email rules and investigate abnormal login activity
- Implement geolocation-based restrictions to limit access attempts from foreign IPs
- Promote early threat reporting, encouraging employees to raise the alarm without fear of judgement
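One way to carry out the email-rule audit from the list above, shown as an added example that is not part of the original article. The record field names, the `example.org` domain, the folder list and the keyword list are all assumptions made for illustration; a real export from your mail platform will use its own schema.

```python
# Constructed sample data: mailbox rules as they might look in an export.
# Field names are hypothetical, not any vendor's schema.
INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's own domains
HIDING_FOLDERS = {"rss feeds", "conversation history", "deleted items", "junk email"}
SENSITIVE_WORDS = {"invoice", "payroll", "password", "security", "phish", "bank"}

SAMPLE_RULES = [
    {"mailbox": "hr.lead@example.org", "name": "Newsletters", "forward_to": [],
     "move_to": "Reading", "delete": False, "keywords": ["newsletter"]},
    {"mailbox": "payroll@example.org", "name": ".",
     "forward_to": ["collector@mail.example.net"],
     "move_to": None, "delete": True, "keywords": []},
    {"mailbox": "recruit@example.org", "name": "tidy", "forward_to": [],
     "move_to": "RSS Feeds", "delete": False, "keywords": ["payroll", "invoice"]},
]

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return the reasons (possibly none) this rule deserves manual review."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if rule.get("delete"):
        reasons.append("deletes matching messages")
    folder = (rule.get("move_to") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail to rarely checked folder: " + rule["move_to"])
    hits = sorted(SENSITIVE_WORDS.intersection(
        k.lower() for k in rule.get("keywords", [])))
    # Keyword matches only matter when the rule also hides or exports mail.
    if hits and (external or rule.get("delete") or folder in HIDING_FOLDERS):
        reasons.append("targets sensitive keywords: " + ", ".join(hits))
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to its reasons, for rules with any finding."""
    return {(r["mailbox"], r["name"]): found
            for r in rules if (found := audit_rule(r))}

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

A finding is a prompt to ask the mailbox owner whether they created the rule, not proof of compromise.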
Cybersecurity Isn’t a Checkbox: It’s a Culture
Too often, cyber awareness becomes another compliance task, something to tick off during induction or annual reviews. But training that doesn’t shift behaviour is little more than theatre.
HR leaders must foster cultures of excellence where cybersecurity becomes a shared mindset, not a delegated responsibility. It’s about empowering individuals to see themselves as active custodians of company data, not passive recipients of policies.
When training is practical, relevant, and woven into the rhythm of the organisation, it fosters lasting behavioural change. Think less “e-learning module,” more “muscle memory.”
From Vulnerability to Vanguard
Let’s reframe the narrative. HR is not a weak link to be protected; it’s a powerful line of defence waiting to be activated. By championing awareness, tightening processes, and role-modelling cyber accountability, HR teams can shift from being targeted to being trusted.
And in doing so, they become more than just guardians of people; they become architects of organisational resilience.
Final Reflection
In an era where data is as valuable as currency, the security of your organisation hinges on the people who manage it. HR teams, with their access, authority, and influence, must be equipped not only with technical safeguards but with a mindset grounded in vigilance, empathy, and accountability.
Cybersecurity isn’t just an IT problem. It’s a people problem, and that means it’s an HR priority.