We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Risk in Context

Chief Human Resources Officer: Why Your Employees Are Your Strongest — and Weakest — Link in Your Cyber Defenses

Posted by Elisabeth Case November 12, 2015

An unattended laptop, a lost cell phone, or a client document that is visible on a commuter’s iPad: Like it or not, any of these can be a corporation’s worst nightmare when it comes to cyber risk management. Because effective cybersecurity often begins and ends with employee behavior, the chief human resources officer (CHRO) plays a major role in preventing cyber incidents.

Employees, after all, are a common source of data breaches or business interruption, whether through human error related to information technology (IT), a vendor that had login credentials compromised, or an employee’s inadvertent click on a rogue email. According to the IBM Security Services 2014 Cyber Security Intelligence Index, human error was cited as a contributing factor in more than 95% of the cyber incidents investigated.

As a head of HR, you work to keep employees abreast of incidents that can affect worker safety or morale. Educating them about cyber threat intelligence is no different.


The following five preventive steps can help you work with employees to prevent and mitigate cyber-attacks:  

  1. Monitor your company’s bring your own device (BYOD) program. One of the biggest challenges is how to enforce password protections while conducting business on personal devices.
  2. Put cyber awareness campaigns into place. HR and IT should work closely to inform employees about cyber threats.
  3. Create policies and procedures around data security when employees leave the company. Too often, departing employees’ credentials are not cancelled in a timely manner, allowing them to retain access to sensitive data.   
  4. Educate employees about spear phishing attacks. It’s important to develop live exercises in conjunction with IT to determine employee responses to spear phishing.
  5. Keep abreast of change.  A continuous effort is needed to educate employees about evolving cyber risks.


Depending on the motivation for a breach, all sorts of employee information can go astray in the middle of a cyber-attack, including performance ratings, salaries, and other proprietary records. And it can be costly. Personal data can potentially be sold on the “dark web,” where health records, for example, generally command a higher price than credit card information.

The loss of data can also lead to significant employment practices liability claims against corporations. For example, leaks about salaries or management compensation strategies could lead to claims.

As a CHRO, you have a unique opportunity to engage employees about cybersecurity and help them protect themselves and the company. The more active a role you play, the better protected your firm and its people will be.

Related to:  Cyber Risk

Elisabeth Case