CEO’s Letter: “Hacking” HR

Recently, I attended an in-person meeting of our CHRO Today Executive Network (C-TEN), an affinity group of chief HR officers. I was tasked with leading a shared problem-solving discussion on HR technology. We discussed the role of HR at the leading edge versus the bleeding edge of technology innovation. There was discussion of the usual topics: platform product complexity, the tribulations of large-scale implementations, and the challenges of integrating related software such as candidate relationship management tools and applicant tracking solutions. When the conversation turned to cybersecurity exposures in HR software, it became more diffuse. Most had annual audits and worked with IT to ensure that IT was dialed into their vendors on cyber risks. HR and cybersecurity is an area that we do not think about often enough. So let’s take a moment this Halloween to scare ourselves about the tricks and lack of treats in HR information technology.

In fact, if you search the internet for information on training HR on cybersecurity, most of what you find is coursework or articles on the role of HR in supporting the IT function and the chief information security officer (CISO). Most of the available content is about how HR needs to reinforce training and communicate policies and procedures for handling data, managing external communications, and reporting incidents. Clearly, any policy or risk-related issues are in HR’s purview to manage, orchestrate, and reinforce. In my explorations of the available information on HR and cybersecurity, I found little if any content strictly related to what HR executives or HRIS professionals need to know about their own platforms and applications. While most HR people would rather focus on people-related issues, we all know technology is a great enabler and, frankly, a great “disabler” if compromised. We need to be more aware of the risks and more vigilant about the protections.

If you’re an average criminal hacking network operating out of, let’s say, Eastern Europe or Asia, the jewel in the crown of identity theft is either U.S. social security numbers or national identity numbers. A major issue is that all of that information sits in several places in the HR infrastructure. HRIS platforms, software vendors, and service companies all house this data for companies, and they are interconnected by APIs and sockets that connect to each other and to the internet for transmission in encrypted data streams. Every one of these connection points, and the platforms themselves, represents a potential point of penetration and failure. In many companies, there is no one HR functionary who specifically owns the data security of the HR systems and is responsible for coordination with the CISO. I know one person who is responsible, whether named or not: the CHRO will own this issue if a vendor’s software or an API is hacked.

Given the sensitivity of the data for which it is responsible, I believe the HR community needs to become better educated in its own right rather than relying on the external IT functions alone. Cyber threats are very real and very present, as we all know from the news headlines. In addition, hackers now use tools like generative AI to launch repetitive attacks, with the AI modifying its code in real time to find penetration points. Scary stuff for all of us, and especially for those in whom employees have placed ultimate trust to manage their most sensitive personal information.

I am sure many of you are aware of these threats and are taking steps, but perhaps now is a good time to review them and provide training to staff. And for those of you who are not thinking about this threat, well, trick or treat. It’s pretty scary out there, especially when you realize that for hackers and other denizens of evil, every day is Halloween.

Elliot S. Clark


Tags: October 2023