Cybersecurity begins with your HR department

In today's digital world, cyber threats don't always hide behind complex code or technical tricks. Often, they come through the front door—disguised as job applications, resignation letters, or support requests. While organisations spend heavily on cybersecurity technology, they often overlook a more critical entry point: the Human Resources (HR) department.
HR teams work at the centre of people and information. From the day someone applies for a job until the day they leave, HR handles sensitive data. This includes national ID numbers, addresses, health records, salaries, and disciplinary files. For cybercriminals, this is a goldmine.
One of the easiest ways hackers break into companies is through social engineering—tricking people into giving up access. HR staff are especially exposed. Think about how many emails HR receives every day from unknown applicants. A fake resume with hidden malware can slip past security filters. An HR officer, just doing their job, might open the file—and unknowingly let an attacker into the system.
Consider this scenario: An HR officer receives an email with the subject line "Application for Suitable Role." It looks professional and includes a well-formatted CV. But when the attachment is opened, malicious software installs silently in the background. Within minutes, attackers have access to internal documents and can monitor keystrokes. As one IT manager later explained: "It wasn't a sophisticated hack. They simply trusted an email that looked right. That's all it took."
The risks don't stop with recruitment. HR manages who gets access to systems and when. If accounts aren't shut down properly when employees leave, those old logins can become back doors for attackers. Many breaches happen simply because someone forgot to disable an account after an employee moved on.
One company learned this the hard way: A former employee's account stayed active for six months after they left. During that time, someone logged in using the old credentials and stole confidential project files.
"We assumed the account was disabled," the HR director admitted later. "It wasn't. And we paid the price."
Today, HR uses more digital tools than ever—cloud platforms for payroll, performance reviews, and employee records. These systems make work faster and easier. But if they are not set up securely, they also make it easier for criminals to steal data. A weak password, missing two-factor authentication, or poor vendor security can open the door to an attack. Sometimes, HR teams start using these tools without involving the IT or security teams, which increases the risk.
But HR is not just a point of weakness. It can also be a powerful line of defense.
Cybersecurity is not only about firewalls and software—it's about people. Even the best technology cannot stop a careless click or a reused password. This is why HR's role is so important. As the department that shapes company culture and trains employees, HR has the chance to make security part of everyday work.
From the first day, HR can help employees build good habits. Onboarding should include simple, clear training about cyber hygiene: how to spot phishing emails, why passwords must be strong, and what to do if something seems suspicious. Security training should not be a one-off presentation. It should happen regularly, through reminders, workshops, and leadership example.
A senior HR leader in a multinational company described it this way: "We tell new employees that cybersecurity isn't just an IT job. It's part of everyone's role here. From the moment you log in, you're part of our defense."
Performance reviews also matter. Companies should recognise employees who follow security best practices, just like they reward business goals. If someone repeatedly ignores security rules, HR should address it as a professional issue.
Another key responsibility is protecting employee data. When personal details—like health records or home addresses—are leaked, it does more than cause technical problems. It breaks trust. Employees expect their information to be safe. A single data breach can damage morale and harm the company's reputation. In many countries, it can also lead to legal action and fines.
This is why international standards like ISO 27001 and PCI DSS exist. They outline clear rules for handling sensitive data. For example, ISO 27001 requires companies to limit access to personal data only to those who truly need it. It also calls for background checks on new hires, confidentiality agreements, and clear procedures for shutting down accounts when someone leaves. PCI DSS, which focuses on payment data, also insists on strict controls over who can see and handle information. Even if HR doesn't process payments, these principles still apply—because attackers will target any system with valuable data.
HR leaders need to be part of data governance efforts. They should always know where employee records are kept, who can see them, and how long they are stored. Policies should be clear and regularly updated. If HR uses outside vendors, those partners must prove they have strong security measures in place.
Collaboration is critical. Too often, HR and IT work in silos and only talk when problems arise. This needs to change. Regular meetings between HR, IT, legal, and risk teams can help align policies and close gaps before they become bigger issues. In many forward-thinking companies, security officers and HR leaders work closely to make sure training, processes, and controls meet global standards.
The rise of remote work has made HR's role in cybersecurity even more important. Employees now log in from home networks and personal devices. Remote hiring and digital identities create new challenges. As artificial intelligence tools become part of recruitment and monitoring, the need for ethical use and data protection will grow. HR must be ready—not just to enforce rules but to lead the culture of trust and security.
In the end, cybersecurity is not only a technical project. It is a shared mindset. It must touch every department and every role. And because people shape culture, it starts with HR.
Technology can help detect threats. But it's people who prevent them. That prevention begins when HR sends an offer letter or opens a CV. It begins when HR asks, "Are we protecting our systems at every step?"
The strongest firewall is not built only with code. It is built with awareness, accountability, and teamwork. HR is no longer on the sidelines. It is time we recognise it as the first line of defense.
B M Zahid ul Haque is an experienced CISO and Global Cyber Digital Transformation Adviser. The author can be reached at bmzahidul.haque@gmail.com
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.