Is Your HR Department the Missing Link in Cybersecurity?

Karl Wood
5 min read · Oct 6, 2024


Cybersecurity is no longer just a concern for IT departments. With the rise of advanced phishing tactics targeting human vulnerabilities, HR teams have become a primary focus for cybercriminals. Why? HR professionals manage sensitive employee data — payroll, contracts, personal information — making them a tempting entry point for hackers.

HR: The new frontline in cybersecurity, safeguarding sensitive data against phishing and cyberattacks.

October marks Cyber Security Awareness Month, and a recent North East Business Resilience Centre (NEBRC) report highlights a startling trend. More than three-quarters of HR professionals (77%) have fallen victim to phishing attacks, compared to just over half (54%) of the general workforce. This alarming statistic points to a more significant issue: HR’s critical role in maintaining cybersecurity.

While it’s tempting to think of cybersecurity as the domain of IT, the increasing volume of data handled by HR means the responsibility must be shared. HR could be the most vulnerable link in your cybersecurity chain—but it doesn’t have to stay that way.

The Real Threat of Phishing Emails

Phishing attacks have evolved far beyond the days of poorly written emails from mysterious “princes” offering vast sums of money. Today’s phishing emails are sophisticated, appearing to come from trusted contacts within your organisation or network.

But what exactly is phishing? It’s a cyberattack where fraudsters send deceptive emails designed to trick the recipient into taking harmful actions, such as:

  • Clicking a malicious link
  • Downloading a dangerous attachment
  • Sharing sensitive login details

These emails are becoming increasingly targeted, and HR professionals are especially vulnerable. Handling sensitive data like employee details, payroll information, and contracts makes HR an attractive target for cybercriminals seeking to cause maximum disruption.

MFA Isn’t Foolproof

Many organisations rely on multi-factor authentication (MFA) to secure their systems. While it’s a solid first line of defence, MFA isn’t infallible. Cybercriminals have developed techniques to bypass it, particularly if your MFA system relies on SMS codes or mobile authenticator apps.

Hackers often use tactics like:

  • OTP Interception: They steal one-time passwords in real time.
  • SIM Swapping: Hackers trick your mobile provider into transferring your phone number to their device, allowing them to receive your MFA codes.
  • Phishing Malware: This malicious software intercepts and forwards MFA codes to hackers.

Once hackers gain access to an account, they can continue their attacks undetected, creating email rules, sending phishing emails, and setting up new ways to compromise your organisation’s security.

What HR Can Do to Strengthen Cybersecurity

HR departments play a crucial role in protecting an organisation’s data. According to the NEBRC report, more than half (53%) of employees haven’t received recent cybersecurity training or don’t remember if they have. This gap in awareness can have severe consequences, especially for HR teams handling sensitive data.

Here’s how HR can take proactive steps to bolster cybersecurity:

  1. Invest in Regular Training: Cyber threats evolve constantly. Providing HR professionals with up-to-date training on phishing tactics and emerging cybersecurity risks is essential.
  2. Strengthen MFA Methods: Consider more secure MFA options, such as physical keys or on-screen codes. Avoid relying on SMS or email-based MFA, which are easier for hackers to exploit.
  3. Monitor for Suspicious Activity: Be vigilant about unexpected MFA prompts or unusual login attempts. Investigating these incidents promptly can help catch attacks early.
  4. Review Email Rules: Hackers often create hidden email rules to cover their tracks. Regularly look for and eliminate any suspicious rules your team did not establish.
  5. Set Geolocation Rules: If your company operates mainly in specific regions, restrict MFA access to those locations. This can act as an additional safeguard against international phishing attacks.
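Steps 3 to 5 above are things an HR or IT team can check routinely rather than only after an incident. The following Python script is an added example written for this article; it is not code from the author or the NEBRC report. It runs over two constructed data sets, a list of mailbox inbox rules and a list of sign-in events, in a simplified record layout of my own (not any vendor's real export or API schema), and reports the patterns the article describes: rules that forward mail outside the organisation, delete messages, or tuck them into rarely-viewed folders, and sign-ins from outside the regions the business operates in or repeated MFA prompts the user declined. The internal domain `example.co.uk` and the allowed countries `GB` and `IE` are assumptions for the sample.

```python
"""Audit inbox rules and sign-in records for signs of a compromised mailbox.

Added example, not from the original article. The InboxRule and SignIn layouts
below are a constructed, simplified representation of what a mail platform's
admin export might contain, not a real vendor schema.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Assumptions for the sample: the organisation's own mail domain(s) and the
# countries it normally operates from (step 5, geolocation rules).
INTERNAL_DOMAINS = {"example.co.uk"}
ALLOWED_COUNTRIES = {"GB", "IE"}

# Folders an attacker commonly uses to hide messages the mailbox owner should see.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subjects an attacker tends to suppress: security alerts and payment/payroll replies.
SUSPICIOUS_KEYWORDS = {"password", "mfa", "verification", "payroll",
                       "invoice", "bank", "hacked", "phishing"}


@dataclass
class InboxRule:
    name: str
    owner: str
    keywords: list[str] = field(default_factory=list)    # words that trigger the rule
    forward_to: list[str] = field(default_factory=list)  # forward/redirect targets
    move_to_folder: str | None = None
    delete: bool = False
    mark_as_read: bool = False


def _is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: InboxRule) -> list[str]:
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to if _is_external(a)]
    if external:
        findings.append("forwards mail to external address(es): " + ", ".join(external))
    hides_in_folder = bool(rule.move_to_folder) and rule.move_to_folder.lower() in HIDING_FOLDERS
    if rule.delete:
        findings.append("deletes matching messages")
    if hides_in_folder:
        findings.append(f"moves messages to rarely-viewed folder '{rule.move_to_folder}'")
    hits = {k.lower() for k in rule.keywords} & SUSPICIOUS_KEYWORDS
    # A keyword match only matters when the rule also keeps the owner from seeing the message.
    if hits and (rule.delete or hides_in_folder or rule.mark_as_read):
        findings.append(f"hides messages mentioning {sorted(hits)}")
    if not any(c.isalnum() for c in rule.name):
        findings.append("rule name is blank or punctuation only")
    return findings


def audit_rules(rules: Iterable[InboxRule]) -> dict[str, list[str]]:
    """Map 'owner:rule name' to its findings, keeping only rules with findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule.owner}:{rule.name!r}"] = findings
    return report


@dataclass
class SignIn:
    user: str
    country: str      # ISO country code the sign-in came from
    mfa_result: str   # constructed values: "success", "denied", "not_required"


def flag_signins(events: Iterable[SignIn]) -> list[tuple[str, str]]:
    """Steps 3 and 5: sign-ins outside the operating regions, and users who are
    repeatedly declining MFA prompts (a sign someone else has their password)."""
    findings = []
    denied = Counter()
    for e in events:
        if e.country not in ALLOWED_COUNTRIES:
            findings.append((e.user, f"sign-in from {e.country}, outside the operating regions"))
        if e.mfa_result == "denied":
            denied[e.user] += 1
    for user, n in denied.items():
        if n >= 2:
            findings.append((user, f"{n} MFA prompts denied by the user; investigate for a leaked password"))
    return findings


# Constructed sample data: one legitimate rule and three of the kinds the article warns about.
SAMPLE_RULES = [
    InboxRule("Payroll queries", "hr@example.co.uk", keywords=["payroll"], move_to_folder="Payroll"),
    InboxRule("..", "hr@example.co.uk", keywords=["invoice", "bank"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Backup copy", "payroll@example.co.uk",
              forward_to=["hr-archive@example.co.uk", "hr.backup@mail-example.net"]),
    InboxRule("Clean up alerts", "hr@example.co.uk", keywords=["password", "verification"], delete=True),
]
SAMPLE_SIGNINS = [
    SignIn("hr@example.co.uk", "GB", "success"),
    SignIn("hr@example.co.uk", "NG", "denied"),
    SignIn("hr@example.co.uk", "NG", "denied"),
    SignIn("payroll@example.co.uk", "IE", "success"),
    SignIn("payroll@example.co.uk", "US", "success"),
]

if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES).items():
        print(key)
        for f in findings:
            print("  -", f)
    for user, reason in flag_signins(SAMPLE_SIGNINS):
        print(f"{user}: {reason}")
```

The legitimate "Payroll queries" rule produces no finding because moving payroll mail to a folder the team actually reads is normal; the checks only fire when a rule removes mail from the owner's sight or sends it outside the organisation. Against a real mailbox export, replace the sample lists with the rules and sign-in records from your platform's admin console, mapped into the same fields.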

Don’t Let Cybersecurity Training Become a Tick-Box Exercise

It’s easy to think, “This won’t happen to us.” However, businesses of all sizes are vulnerable. The NEBRC report reveals that two-thirds of business owners haven’t had any cybersecurity training in the past year, with half admitting they’ve never been trained on phishing or MFA best practices.

This is especially concerning for HR leaders. If your team isn’t trained to recognise phishing emails or understand how MFA can be bypassed, your organisation is exposed to risk. The good news is that it’s never too late to make improvements.

A Shift in Mindset: Cybersecurity Is Everyone’s Responsibility

Cybersecurity is as much about behaviour as it is about technology. As HR professionals, you’re responsible for managing people, and you are key players in protecting your organisation’s data. Creating a culture where cybersecurity is a shared responsibility ensures everyone understands the role they play in safeguarding the company.

Engaging and practical training is vital. Make cybersecurity feel less like a compliance task and more like a crucial part of your team’s everyday work. When people see cybersecurity as integral to their role, the training will resonate more, leading to long-term behavioural changes.

Turning HR from the Weakest Link to the Strongest Defence

It’s time to stop viewing phishing emails and MFA bypasses as IT problems. These are challenges for all of us, and HR is uniquely positioned to lead by example. HR can become a cornerstone of your organisation's cybersecurity strategy by prioritising more robust MFA methods, providing regular training, and maintaining a vigilant approach to monitoring threats.

The Bottom Line

As phishing attacks and MFA bypasses grow, HR departments are increasingly at risk. However, with the right tools, training, and mindset, HR can shift from being a potential vulnerability to a critical line of defence in cybersecurity.

Let’s move past the notion that cybersecurity is solely an IT issue. HR professionals manage some of the most sensitive data within an organisation, and their role in securing it is paramount. Protecting your people and your organisation starts with empowering HR teams to be cybersecurity champions.

About the Author

Karl Wood is an HR professional with over 25 years of experience helping organisations transform through innovative people strategies. With a deep understanding of leadership, culture, and diversity, Karl is passionate about assisting companies in building resilient, inclusive workplaces that drive growth and success.

If you’re interested in rethinking how leadership failure is handled in your organisation or want to explore fresh HR strategies, subscribe to HR Horizons for more insights. Feel free to connect with me on LinkedIn or directly—I'm always up for a chat!

Karl Wood

Karl Wood is a global HR Director known for championing ideas that promote growth, profit, social value and positive organisational identities.