HR and IT: The Dynamic Duo in Fighting Cybersecurity Risks

By Andie Burjek

May 4, 2016

Companies have undergone significant changes in the past few years. Before, employees would come into the same workspace and be connected via the same on-premise system. Now people can work from almost anywhere, bring their own devices, use cloud-based applications and access work files on their mobile devices. The result? An increase in threats to cybersecurity.

However, just because cybersecurity threats affect, well, cyberspace, doesn’t mean a human element isn’t necessary to mitigate them.

“People often mistake security risk in a company as being primarily a technology risk — making sure you have the right systems in place, etc.,” said David Meyer, vice president of product at OneLogin, an identity management and cybersecurity company based in San Francisco. “But it’s just as much, if not more, a cultural risk.”

The information technology and human resources departments, together, make a smart team in fighting these risks, Meyer said, because most cybersecurity threats come from inside the company.

This is especially concerning because of the great financial effect a security breach can have on a company. For example, there has been a 64 percent increase in security breaches from 2014 to 2015, according to the U.S. Department of Homeland Security, and the average breach costs a business $3.8 million, according to a 2015 Ponemon Institute study.

The HR department has the skills necessary to mitigate two potential insider threats, Meyer said. The first threat is well-intentioned employees who make a mistake, such as using a personal email rather than a work email or accidentally sharing something classified on social media. HR can deal with these cases by making sure employees are properly trained and educating them on a regular basis.

The second threat is disaffected employees who have ill will toward the company. Because part of an HR person’s job is understanding employee behavior, HR is the best department to notice early warning signs that an employee could be disloyal or headed in that direction, experts say.

Meanwhile, the IT department has the technical skills to put certain systems in place — another key ingredient to stopping insider threats. There are systems such as Elasticsearch, CloudLock, OneLogin and others that can detect when employees access or download documents they normally don’t and alert HR.

The connection between HR professionals and security professionals needs to be the closest it’s ever been in history, said Pete Metzger, vice chairman at executive search firm DHR International. The chief human resources officer and the chief information security officer, for example, should communicate with each other about important security issues, like securing mobile devices, hiring trustworthy people (more of an HR issue) and implementing good kinds of authentication (more of a technical issue), he added.

“If it’s not an important relationship, it certainly should be,” Metzger said.

Moreover, he added, HR and IT should brief all the company leadership on important security issues, keeping everyone updated on any potential risks.

Once HR and IT team up, they can cooperate to put together an effective cybersecurity training program.

HR should educate employees point-blank on the do’s and don’ts, Metzger said. There are certain things employees should always do, such as calling IT about any suspicious emails.

From an IT perspective, Meyer recommends integrating HR with identity systems. If an employee changes roles or departments, the integrated system will automatically give the employee new access and remove old access. This keeps HR from having to manually take old employees out of systems, and it verifies that employees only have access to files or applications that they actually need. 

“In the modern era where employees are using every app on every device,” he added, security “comes from a combination of good IT systems, which protect employees and give them the right guard rails, and effective cultural training.”
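
The HR-to-identity integration Meyer recommends, sketched as an added example (not code from the article or from any vendor it names). Role names, application names and the event format are hypothetical, and the roster and access data are constructed.

```python
# Hypothetical mapping from HR role to the applications that role needs.
ROLE_ENTITLEMENTS = {
    "sales_rep": {"crm", "email", "expense_tool"},
    "finance_analyst": {"erp_ledger", "email", "expense_tool"},
    "hr_partner": {"hris_admin", "email"},
}

def plan_access_change(event, current_access):
    """Turn one HR event into (grant, revoke) sets for the identity system."""
    if event["type"] == "leaver":
        target = set()                      # departed staff keep nothing
    elif event["type"] in ("joiner", "mover"):
        role = event["new_role"]
        if role not in ROLE_ENTITLEMENTS:   # fail closed on unmapped roles
            raise ValueError(f"no entitlement mapping for role {role!r}")
        target = ROLE_ENTITLEMENTS[role]
    else:
        raise ValueError(f"unknown HR event type {event['type']!r}")
    current = set(current_access)
    return target - current, current - target

def reconcile(hr_roster, idp_access):
    """Flag accounts whose access exceeds what the HR record implies."""
    findings = {}
    for user, access in idp_access.items():
        role = hr_roster.get(user)
        if role is None:                    # account exists, HR record does not
            findings[user] = ("orphaned_account", sorted(access))
            continue
        excess = set(access) - ROLE_ENTITLEMENTS.get(role, set())
        if excess:                          # access left over from an old role
            findings[user] = ("excess_access", sorted(excess))
    return findings

# Constructed sample data: alice moved from sales to finance but kept the CRM,
# carol has left the company but her account was never removed.
HR_ROSTER = {"alice": "finance_analyst", "bob": "sales_rep"}
IDP_ACCESS = {
    "alice": {"crm", "email", "expense_tool", "erp_ledger"},
    "bob": {"crm", "email", "expense_tool"},
    "carol": {"hris_admin", "email"},
}

if __name__ == "__main__":
    move = {"type": "mover", "user": "alice", "new_role": "finance_analyst"}
    print(plan_access_change(move, {"crm", "email", "expense_tool"}))
    print(reconcile(HR_ROSTER, IDP_ACCESS))
```

The first function is the automatic path driven by HR events; the second is the periodic check that catches access the automation missed.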

Andie Burjek is a Workforce editorial intern. Follow Workforce on Twitter at @workforcenews.
