Let’s be honest, for years many of us have seen cybersecurity as a problem for the IT department to solve. That view is now dangerously outdated. In our hyper-connected workplaces, security isn’t a line item; it’s a shared responsibility woven into the very fabric of the organisation. And one area is emerging as both a major vulnerability and, more importantly, our greatest untapped asset: Human Resources.
With October being Cyber Security Awareness Month, it’s a good moment to face a stark reality. A recent report from the North East Business Resilience Centre (NEBRC) should give us all pause: a staggering 77% of HR professionals have encountered phishing attacks. That’s significantly higher than the 54% reported across the general workforce. This isn’t just a statistic; it’s a huge red flag. Because we hold the keys to so much sensitive employee data, we are now on the digital front line, making us exceptionally attractive targets for cybercriminals.
## They’re Not Hacking Systems; They’re Hacking People
The days of clumsily worded scam emails are well and truly over. Today’s phishing attempts are incredibly sophisticated, often perfectly mimicking messages from senior colleagues, trusted partners, or even the CEO. They’re designed to catch you and your teams off-guard during routine moments, with a single purpose: to deceive, disrupt and extract. They achieve this by:
- Luring your staff into clicking on malicious links
- Coaxing them into downloading infected files, often disguised as invoices or reports
- Tricking them into disclosing their passwords or other credentials
Given our access to payroll, contracts and vast amounts of personal information, we in HR have become the prime entry point for attackers. They are not trying to smash through a digital wall when they can simply be given the keys by manipulating one of us on the “people perimeter.”
## Why MFA Isn’t the Silver Bullet You Think It Is
Multi-Factor Authentication (MFA) has rightly become the standard gatekeeper for most of our digital systems. While it’s an essential layer of defence, it is by no means bulletproof. The more determined actors are already finding ways to bypass it through methods like:
- Real-time interception of one-time passcodes
- SIM-swapping attacks, a nasty trick where they convince a mobile provider to reassign a phone number to a device they control
- Phishing malware that quietly captures and relays MFA codes from an infected machine
Once they’re inside, these attackers don’t just grab what they need and leave. They often create invisible backdoors, modify email rules to monitor communications, and embed themselves deep within the network to evade detection for weeks or months.
In this challenging landscape, you must view MFA as a foundation, not a fortress.
## This Is Where We Step Up: HR’s Role in Real Cyber Defence
Despite the enormous risk, that same NEBRC report highlighted a massive gap. It found that over 50% of employees hadn’t received any recent cybersecurity training, and many weren’t even sure if they’d had any at all. For us, a profession built on training, development and policy, this presents both a glaring vulnerability and a huge opportunity.
Here’s how we, as HR teams, can move from being a target to being a strategic defender:
- Deliver engaging, regular cybersecurity training using scenarios your people will actually recognise, not just generic box-ticking exercises.
- Push for better MFA methods by advocating a move away from easily intercepted SMS codes to more robust authenticator apps or physical security tokens.
- Audit for unauthorised email rules and work with IT to investigate any abnormal login activity. An employee suddenly logging in from another continent at 3am is a clear warning sign.
- Lobby for geolocation-based restrictions that limit access. If your organisation only operates in the UK, why allow login attempts from thousands of miles away?
- Promote early threat reporting by building a culture where employees feel safe to raise the alarm without fear of judgement or blame.
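As an added example (not part of the original article), here is a small Python triage script that applies the "abnormal login" and "unauthorised email rule" checks from the list above to a handful of constructed sign-in and mailbox audit events; the log format, the UK-only allowed region, the office hours and the six-hour travel window are all assumptions.

```python
# Added example, not from the original article. Log format, allowed country,
# office hours and the travel window are constructed assumptions.
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"GB"}      # assumption: the organisation only operates in the UK
OFFICE_HOURS = range(7, 20)     # assumption: 07:00-19:59 local counts as routine

# Constructed sample audit events: "timestamp|user|event|country|detail"
SAMPLE_LOG = """\
2024-10-03T09:12:00|a.khan|login|GB|
2024-10-03T16:40:00|a.khan|login|GB|
2024-10-03T21:05:00|a.khan|login|NG|
2024-10-03T21:09:00|a.khan|new_inbox_rule|NG|forward_to=ext@example.net;delete=true
2024-10-04T10:00:00|b.lee|login|GB|
2024-10-04T10:02:00|b.lee|new_inbox_rule|GB|move_to=Newsletters
"""

def parse(log):
    """Turn the pipe-separated sample lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, country, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "country": country, "detail": detail})
    return events

def triage(events, travel_window=timedelta(hours=6)):
    """Return (user, reason) pairs that deserve a human follow-up call."""
    alerts, last_login = [], {}
    for e in events:
        if e["event"] == "login":
            if e["country"] not in ALLOWED_COUNTRIES:
                alerts.append((e["user"], f"login from {e['country']} outside allowed region"))
            if e["ts"].hour not in OFFICE_HOURS:
                alerts.append((e["user"], f"login at {e['ts']:%H:%M} outside office hours"))
            prev = last_login.get(e["user"])   # impossible travel: two countries, short gap
            if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_window:
                alerts.append((e["user"], f"{prev['country']} -> {e['country']} within {travel_window}"))
            last_login[e["user"]] = e
        elif e["event"] == "new_inbox_rule":
            # Rules that forward mail externally or silently delete it are the
            # "modify email rules to monitor communications" pattern; filing
            # newsletters into a folder is not.
            if "forward_to=" in e["detail"] or "delete=true" in e["detail"]:
                alerts.append((e["user"], f"suspicious inbox rule: {e['detail']}"))
    return alerts

if __name__ == "__main__":
    for user, reason in triage(parse(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

Running it prints four alerts for a.khan (out-of-region login, out-of-hours login, GB to NG within six hours, and an external-forward-plus-delete rule) and nothing for b.lee.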
## Cybersecurity Isn’t a Checkbox, It’s a Culture
All too often, cyber awareness becomes just another compliance task; something to be ticked off during induction and forgotten about. But let’s be blunt: training that doesn’t genuinely shift behaviour is little more than security theatre.
It falls to us as HR leaders to foster cultures of excellence where cybersecurity is a **shared mindset**, not a responsibility delegated solely to IT. It’s about empowering every single individual to see themselves as an active custodian of company data, not just a passive recipient of policy documents.
When your training is practical, relevant and woven into the daily rhythm of the organisation, it fosters lasting behavioural change. Think less “e-learning module,” more “cyber muscle memory.”
## From Vulnerability to Vanguard
It’s time we reframed the entire narrative. HR is not the weak link in the chain that needs protecting; we are a powerful line of defence waiting to be properly activated. By championing awareness, tightening our own processes, and modelling impeccable cyber accountability, we can shift from being the primary target to being the most trusted defenders.
In doing so, we become more than just guardians of people. We become the architects of organisational resilience.
## A Final Thought
In an era where data is as valuable as any currency, the security of your organisation hinges entirely on the people who manage that data. HR teams, with our unique access, authority and influence, must be equipped not just with technical safeguards but with a deep-seated mindset grounded in vigilance, empathy and accountability.
Cybersecurity isn’t just an IT problem. It’s a people problem, and that means it has to be an HR priority.