top of page
  • Inside Out Communications Consulting

The role of HR in creating a positive cyber security culture

And how Inside Out’s CyberSafe programme can support this

When it comes to preventing cyber attacks, the last few years have seen a huge shift towards encouraging personal responsibility.

The role of all employees in keeping organisations safe online has become the key to a holistic approach to cyber security. Keeping cyber criminals out of company networks and devices is no longer seen solely as the responsibility of the CIO and their IT department.

And rightly so, with up to 90% of cyber security breaches being the result of human error, our soft skills and behaviours need to support the efforts of the technical teams working behind the scenes.

With this shift it has become increasingly clear that cyber needs to be a regular part of staff induction, development, training, and review, and is therefore steadily becoming part of the HR remit.

But how exactly can HR help to create a positive cyber security culture?

Collaboration between HR and cyber security

‘When adapting and responding to uncertain times, the role of the HR team is more important than ever to provide the necessary support and communication to concerned employees... HR leaders need to turn their attention towards recovery, and a priority within this mindset must be cyber security.’ - The HR Director

Bringing HR to the forefront of cyber security strategy is a hot topic, and something we've been doing with our clients at Inside Out since we started almost two years ago. A lot of our work has focused on internal communications around digital and IT change programmes, as well as cyber safety. Our founder Danielle Phillips firmly believes in getting HR departments on board, via a strong partnership with the IT department, to educate staff.

“It’s not just about putting the firewalls in place, or having a SWAT-like IT department ready to counter any attack. It’s about our behaviours: inspecting email attachments, using Multi-Factor Authentication, knowing how to get a suspicious email checked out.”

“It’s also the need for this change to happen from the top down, from the CEO to the Sales Officer, to ensure your business, people, information and finances stay safe. This is what it means to have a positive cyber security culture, and HR can play a huge role in writing some of the story”, she said.

What are the statistics?

According to the government's 2021 Cyber Security Breaches Survey:

  • Four in ten businesses (39%) report having cyber security breaches or attacks in the last 12 months.

  • Phishing attacks affected 83% of businesses targeted by cyber crime.

  • The vast majority of breaches and attacks identified come via staff members’ user accounts.

  • Only 23% of businesses have formal policies covering remote or mobile working.

  • Only 9% of businesses have formal policy covering what staff are permitted to do on the organisation’s IT devices and carry out cyber security training for staff.

How can HR get involved?

While cyber security awareness training and online working policies that are traditionally delivered by IT teams are important - you can’t stop there.

HR can play a hugely beneficial role in embedding a positive cyber security culture into the staff development cycle. From the second an employee joins the organisation and begins their onboarding process, to off-boarding. From the delivery of training, to pointing staff in the right direction for help. There are countless opportunities for HR to play a part in creating, or boosting, cyber security awareness.

“This is all part of the reason why Inside Out works with IT and HR departments to build engaging communications campaigns to get across to staff what is expected of them in terms of cyber safety. We use proven employee engagement and internal communications techniques to create a positive cyber security culture, merging the gap between HR and IT, whilst working with their expertise. While we collaborate with these departments to keep staff vigilant, motivated and skilled, we also regularly measure awareness, to show the difference this approach can make in reducing risk,” said Danielle Phillips.

“Developments in cyber crime are happening, and advancing, very quickly. What you don’t want to be doing is relying on once a year, one-size-fits-all training - you need to keep employees up to date with the latest threats and how they can protect themselves.”

“Your IT policies are also so important, they are essentially your cyber safety instruction manuals. But again, you can’t just get them written up and post them on the employee intranet. You need to break the information down into digestible chunks using clever internal communications, and even workshops,” Danielle added. “The HR department can play a key part in making these things happen at various stages of the employee development cycle.”

“HR Directors, you should be having these conversations with your CIOs right now. Imagine the difference you could make,” concluded Danielle.

Let us do the work

Our communications and behaviour change programme, CyberSafe, contains everything your people need to know to keep themselves and your organisation safe from cyber security attacks.

Curious about what CyberSafe could do for your organisation? Send us an email or visit our website


bottom of page