Culture to blame for massive HR hack

The cyber-attack on the biggest US personnel department holds lessons for HR practitioners around the world

The U.S. congressional findings on the massive cyberattack at the U.S. Office of Personnel Management (OPM) was released Wednesday and revealed that the federal agency “did not follow rudimentary cyber security recommendations [and] ... were made worse by lax security culture and ineffective leadership.”

According to a report by Reuters, the Republican-party led investigation showed that OPM had been notified as far back as 2005 for weaknesses in their cybersecurity protocols but chose to ignore it, resulting in the exposure of sensitive data belonging to 22 million people. 

In the interest of political fair play, the Reuters report also noted that Democratic party representatives rejected the findings claiming “factual deficiencies and did not account for mistakes made by federal contractors”. 

OPM acting director Beth Cobert also disagreed with the report, stating in a blog post that the organization has “achieved ‘significant progress over the past year to improve cyber security”. 

One measure they put into place was the creation of a new entity, the National Background Investigations Bureau. It is set to go live in October and is tasked to handle all background and reference checks for new federal hires. Additionally, the new information system will be directly managed by the Pentagon. 

But what does this all mean for the HR profession? How can HR practitioners be the gatekeepers in the fight for tighter cybersecurity?

Speaking at a business leaders’ summit in Arizona, Matthew Rosenquist, Cybersecurity Strategist for Intel Security, put it best when he said, “Security is comprised of both technology and people. Human resources can support or undermine security.”

“Cybersecurity may be fought with technology, but it is people who triumph,” he added. 

He said that there are six issues that HR should be able to address to ensure the company’s cybersecurity. These are:

•    Hiring practices
•    Disgruntled employees
•    Employee security education
•    Regulatory compliance
•    Protecting HR data
•    Cybersecurity resource hiring

He suggested opening online portals for the anonymous reporting of malicious behavior in order to relieve pressure on the employee and advised companies to provide annual minimum training of employees on online security. 

“Involve legal to review gathering and storage practices for hiring data, [and] privacy controls must extend to employees, vendors, customers, and partners,” he said.

He also advised that sensitive roles within the company should undergo stricter scrutiny and reminded HR practitioners to always be involved in the creation of a company-wide cyber response plan.

“Be aware of confidentiality risks for HR data, privacy, and regulatory compliance,” he emphasised. 


Recent articles & video

Use the force: How a Jedi approach to culture can transform your practices

Global IT outage ‘wake-up call’ for employers, business leaders: expert

Most HR leaders believe AI can help to find qualified talent: survey

Just 1 in 4 Japanese employers have introduced AI: reports

Most Read Articles

Coaching deficiency: Leaders, workers dissatisfied with mentorship levels

Where are the best countries for work-life balance?

Singapore's funeral employers facing recruitment, retention challenges: report