Lighthouse Labs Cybersecurity Training for HR

On Aug. 19, 2021, CPHR Alberta, in collaboration with Lighthouse Labs, hosted an online webinar discussion with experts in both human resources and cybersecurity, Bronwyn Dunphy and Matt Richardson, to understand the resounding transformational effect and impact the pandemic has had on the role of HR professionals.

You can watch the full recording with many more insights and a full Q&A period, in detail below:

Lighthouse Labs is now accepting registrations for Cybersecurity Training for HR, a one-day immersive course, on Nov. 2, 2021 where students will be guided through knowledge and solutions to reduce the risk of employees and organizations falling victims to cyberattacks.

The discussion was kicked off by Lighthouse Lab’s own Manager of Associations, Caroline Lauder, as the moderator for this event.

Caroline: What are some of the biggest transformations that you’ve noticed and why have they become increasingly important in your role as an HR professional, specifically as a result of the pandemic?

Bronwyn: There have been many transformations in my role. First and foremost we became public health administrators essentially. We became IT and privacy specialists at our organizations; And most importantly we had to learn how to be effective in our roles remotely because everything went digital, with increasing use of technology for our HR functions, such as our engagement focus groups, onboarding, interviews, and performance management meetings. I work in a 24/7 industrial manufacturing environment where my key stakeholders are everyone from labourers to trades people, managers, corporate services etc. so it was imperative that we continue to maintain those relationships from a distance, and not everyone was technologically savvy, so we were relied on incredibly.

Why is this important for us? The pandemic has demonstrated how quickly our workforce as we know it can change and in order to be successful, we need to be agile and proactive.

How have you noticed your role transform as a result of the pandemic, and perhaps some of the clients you’ve worked with, and why is that important to HR professionals specifically?

Matt: Great question. One thing we definitely saw in my industry is an uptick that coincided with the pandemic in terms of online accreditation. As we’re all online more, it’s just numbers, there’s more opportunity.

As for employees we’ve made this grand pivot from the office space where we have firewalls and an IT department, and the infrastructure. We’re working from home now, in many cases from our own devices and either way, certainly with less cybersecurity than we had in the office. So I do see that the criminal elements have identified the opportunity there.

Another way it’s changed is specifically to you as HR professionals, you are going to be targeted for scams and social engineering attempts, which is where they look us up and learn about us and they make a very targeted, very plausible pitch (for lack of a better word). Prior to Covid I’m sure that happened, but it happens way more often now. Be prepared that you would be a popular target for them because you’re seen as public faces and gatekeepers for the organization. You have the highest levels of access to data, maybe finances as well. So what I’ve learned, even in my role is to be more careful on platforms such as LinkedIn and scruitinze emails because I’ve been targeted with some pretty sophisticated techniques, so as HR you have a very sacred duty to your people that work with you, and you owe it to yourself to take extra special care above what the average employee would need to.

Can you tell us a bit more about how cyber and data interact and intersect?

Matt: It’s a very clear relationship. We collect data on clients and employees for a variety of reasons. When we collect that data, we are the custodians and are responsible for protecting it. When we have poor cybersecurity practices, we expose our organizations to risks, and by extension our employees and clients. Our personal reputations as professionals and those of our organizations can be at jeopardy when these things happen. So the strongest relationship between the two is simple: we are in the business of data and so need to be equally in the business of strong cybersecurity practices because it is our responsibility to safeguard the data.

Bronwyn: Because of the pandemic, a large portion of employees started working from home so we were tasked with not only safeguarding the data we were already collecting but working from home just added that whole new layer. When you think about it, everyone is connected to the network from home. In our case users are accessing the data and video surveillance remotely. So we really used this as an opportunity to ensure that our employees were trained on cybersecurity and privacy laws and we also implemented a multi-factor authentication to improve account security.

Can you expand on what some of the implications are of not protecting your data? What your clients or any HR professionals in a corporation are at risk of if they are not properly protecting their data?

Matt: The stakes are high. There is more pressure on us than ever given the pivot. Social Media has been around but can now catch like wildfire. If we lose the trust of our staff and clients, we lose the house. And one of the easiest ways to lose trust is to expose them (clients and staff) to risk. You’re leaders in HR and you need to have buy-in. And as employees, how would we feel if all of our private confidential information was breached because somebody used a silly password that was easily guessed. Maybe they didn’t adhere to company policy. Or they were a VP and they didn’t use it to save time. You can lose the trust of your employees and communities very quickly through these breaches. The reputational damage can take a long time to restore. There are legal risks of course, and there are certainly a whole bunch of PR risks involved because these things make the news. It is a lot of responsibility. The good news is there are really simple practical ways to mitigate that risk. There are some very user friendly and HR friendly ways of protecting that data and therefore the reputations of our organizations.

  1. Strong passwords. Most of the time when there is a hack there isn’t a criminal mastermind hacking with expensive tools and advanced coding techniques. They usually just guess your passwords. I know this because I see passwords for sale on the dark web, they get leaked and end up for sale for bitcoin. The weak link is the human element and it’s not that we’re not intelligent. Maybe we don't know enough. That can be fixed with training, and we as humans do tend to cut corners sometimes, that’s human nature. They rely on that. You’re going to use an easier password, you’re probably going to recycle it. So if I figure out your Instagram, I’m getting your work one, your bank account, etc.. Passwords are the first line of defense, no exception. There are password manager tools. One is called LastPass, but there are lots of options. Tools like these allow you to create very complicated passwords, and save them in a vault on your device and quickly and easily do a unique one for each account.

  2. Multi Factor Authentication (MFA). I have personal experience where I almost got hacked. They played to my ego as a public speaker and social-engineered me and they did get me. I’m not embarrassed to say it. If something happens, just disclose it. It happens, it’s getting harder. I did change all my passwords, because I figured out what happened and I enabled MFA and got an email that night that someone logged into my FB with the right password but did not have the code on my phone.

  3. Listen to the experts in house, follow the policies and use the tools they’re given to you.

  4. Be careful how quickly you respond to emails. We tend to respond too quickly. An Apple employee, very smart, hard working, was tricked by a spoof email to wire $15K to a vendor, at the behest of the project manager. They had the right name, they spoofed the emails.

If you have any doubt, check it out.

What have you done in your organization around how employees can protect the data that they’re in charge of?

Bronwyn: Password protection, locking your computer, keeping your desk clean and locking your office door (because we deal with a lot of private data on paper). The company I’m at now gets fake phishing emails, which I'm not proud to admit but I have clicked on one in the past so it just goes to show that it can happen to anyone. I love that: “when in doubt, check it out” comment Matt made. When someone clicks on a fake phishing email at the company we then re-education and re-train. Understand what data you're collecting, and why, and how it needs to be protected.

What’s the importance of transference from paper-to-online data, and how individuals and companies can safeguard themselves in that process?

Matt: If you’re going to collect it, make sure there is a purpose for it. The more data you have the more risk because there is more opportunity because there is more of it. So I don't track anything that I don’t need. I think ahead about what I do and do not need. Then I design the instrument (how it is collected). As you mentioned Caroline one of the risk periods is the transference of the instrument (survey, paper, web form) to a digital system or Database.

If you don’t need it then don't collect it. The quicker you get the data transferred from instruments to safe databases, the less opportunity for it to end up in the wrong hands.

How do you use data in your day to day as an HR professional? What are some of the most common ways that you hear of other HR professionals interacting with data?

Lighthouse Labs Cybersecurity For HR

Bronwyn: Sometimes you don’t realize you’re doing it but I use data daily to solve problems, predict trends and be proactive. It can be used to assess any of the functional areas of HR, from engagement to workforce planning, talent management or L&D. Common ways to use data once it’s collected is to model it in a way where trends can be identified or areas of opportunities can be found.

One example: we are continuously recruiting for skilled trades professionals. After taking a deep dive into the data, I can go to the management team with a prediction of when we will reach complement if everything remains constant. When you tell the management team that if we keep doing things as is it’s going to be 1 year before we’re at complement. We can then take action on what things can be tweaked. Maybe the hiring manager needs to respond more quickly, or we need to increase the number of candidates that we’re presenting to the team. Some examples of using data everyday ini HR for me are to assess:

  • Turnover
  • Disability days lost
  • Absenteeism rates
  • Apprenticeship ratios

How do you determine what data you’re collecting and the sources etc. What are your processes?

Bronwyn: It’s a difficult question, because you can easily get bogged down with data and you don’t want to collect data (as we talked about ) unless you’re going to use it, and especially if it is qualitative data you are collecting from your workforce because if you're asking for input from your employees then you need to address what you receive. It can be very disengaging if you do absolutely nothing with the data you are collecting.

Start somewhere. Look at your organization's KPIs, personal KPIs or identify opportunities in your workforce and think about what data points can help you in making those right decisions.

Examples:

  • I once worked with a company that never had HR, and had zero data. We had piles of sick slips calling in everyday, 10-15 people calling in sick everyday, It was the norm. So I used Excel to track absenteeism and after a few months we could identify the trends such as specific shifts or people with the higher absenteeism rates and then from there we implemented an attendance management program.
  • If Diversity & Inclusion is a focus for your organization, you’ll want to have self-identification forms from your employees and you’ll want to start tracking those results.
  • If you're in recruitment you’ll want to look at retention rates, exit surveys, engagement surveys, number of applicants and so on.
  • We have higher turnover up North, so we look at the details of another layer of that turnover (who is turning over). So if we lost six people this month, is it a specific generation? gender? etc.. That helps us in coming up with different actions we can take to rectify it.

What does the process look like to collect that data?

Bronwyn: If they didn’t have any system in place, I just opened an excel and started building my own database: Who’s calling in sick? What days?, I tracked it myself. They had the data coming in, they just weren't doing anything with it, and it was on paper and you couldn't identify trends that way. So I just took the slips, created a process from that. For the self identification forms, if that’s something you want to track you need to explain to your workforce why you want to track this. It is voluntary information (you cannot force people to fill those out). Then start entering them into your spreadsheet.

Matt: Exactly. early in my career I was doing the training and development orientation sessions and I just did what Bronwyn did. I used Excel. When the data begins to flow it takes time, but then you can look back at months, quarters, compare seasons, turnover, when we get new hires, dips, etc. Excel is a pretty simple way to do it without fancy tools.

Can you tell us about your knowledge coming into the Data for HR program course, what you learned, and how you’ve applied it after the course?

Bronwyn: Prior to taking the course, I had no idea there were any data analytics courses specific to HR. My excel skills are medium, I’m not an advanced user but the company I work for does collect an incredible amount of data. So the course was a great intro for HR professionals to expose you to different HR metrics. We are put in breakout rooms, we can network and talk to other HR professionals about what data they’re collecting. The course dives into collecting that data, cleaning it, forecasting it, and shows you how to use data visualization and dashboards which I hadn’t had very much experience with, so it was a really great course, I would recommend it.

Matt: We start with information. We make it into data points. But for your stakeholders, numbers don’t resonate if they don’t tell a story. Part of your job is storytelling.

In an example from my world, I have all sorts of stats on crimes like human trafficking. I can put the numbers out there, but they’re just statistics. Now if I plot those same numbers on a map and show heat signatures for density of the activity, then I get a lot of attention because it’s been made understandable and it’s got some flair to it.

I also used to do presentations in Healthcare. I didn’t go and show physicians, board of directors and ministry the numbers. I had graphs, charts,and pictorial tools like Tableau can do. So if you need a decision, like Bronwyn said, tell them a story they won’t forget and empower them to make the decision you feel the organization needs.

What do you think are some common misconceptions about Data for HR professionals? And Cyber for HR professionals?

Bronwyn: Two things:

  • Collecting data is enough is a misconception. We tend to collect data but not use it as much as we should to make evidence based changes.
  • Accountants will analyze the data for us. We don’t need to be accountants to identify meaningful trends, we can do that ourselves.

Matt: Exactly. Why do it (collect data) if you’re not going to do anything with it? Having it means nothing. Especially if it impacts morale in a negative way because people give you their end of it and they don’t see anything happen. You need to be actioning data to create intelligence. If you want evidence-based informed decision-making, you have to work with the data to craft the story.

  • What do I need?
  • How do I get it?
  • What am I going to do with it? If you don’t have this answer, then WAIT. Don’t collect it.

On the Cyber side, you are not expected to be Cyber experts, maybe you have an IT department or person, depending on the size of your company. You are an HR professional, so you can be guilty of thinking “it’s not my responsibility”, “that’s not what I took in school”, “it’s not my problem”. Yes it is your problem and responsibilities. You are the HR professional so you are the face, gatekeepers and leaders of the organization. You are not expected to be experts in Tech. You are expected to understand and appreciate your responsibilities within the organizational structure to do your diligence, practice strong cyber hygiene practices, adhering to those policies and in our minds knowing “Yes, this is our responsibility”.

Where people get lost is in thinking “it’s too techy and geeky, there are others who do that”. But it’s important to understand the basics because the basics get the job done. It’s the day-to-day activities like passwords, password manager tool, multi factor authentication, a VPN, policies on how to share information (ex. Ex. a shared environment instead of email). Your role is to appreciate and follow and adhere to those best practices.

If you’re ever breached, and it happens to everyone - It’s not even IF, it’s almost “WHEN” you get breached, to some extent, you’re not going to look bad. When you can show you did your diligence, you protect yourself and 9 times out of 10 you protect your employees and companies from breeches just by showing you have a role to play in following suit.

And If you get breached. It’s a very different matter if you are doing everything right and using the right tools to protect. But if you do still get breached again or are socially engineered, that is defensible. If however you get breached because you used “password123” on all your accounts, then you will not win that one in a court of law. So where I leave that is - know your role in the equation.

Bronwyn: Just to speak to the fact that we are a support service and we are there to ensure our employees are understanding all of the things coming at them. So while our Tech dept. has developed cybersecurity training we need to ensure it’s resonating with the employees and follow-up up with them.

Can you talk a little about how or when you share data with employees that matter to them?

Bronwyn: In this instance I was referring to qualitative data such as engagement, exit or other qualitative surveys. We need to show employees that we are doing something with this data so as to not disengage with them. So when we have an engagement survey for example, we look at how we have scored and then we present those scores to our teams and hold focus groups to go over areas of opportunities and collect suggestions on how to improve.

How do you think HR professionals can stay ahead of the curve and prioritize their professional development at a time when so much is being thrown at them throughout the pandemic and now that we’re navigating to returning back to some sense of normalcy?

Matt: Big picture: COVID-19 changed our working world and otherwise; how we socialize, shop, date, work, etc.. with an increased reliance on technology that is unprecedented in human history. And I doubt we’ll see such a drastic pivot again for a substantial amount of time. The world turned on its head. The pressures that you surely had to face to keep up with that, as well as looking after your people…. It’s a LOT of work and a lot of responsibility. You’ve got to look after them before you can look after yourselves.

I’ll take a step back and assess:

What do we know? We know that this creates opportunities professionally. It also creates opportunities for the people who want to compromise our systems.

As an HR professional, I need to be the gatekeeper, the custodian of the data, to always act with the best intentions of my employees and lead by example. I cannot ask anyone to do anything I haven’t done myself. Lead the way. If there is a mistake, disclose that. Show them it’s OK to report a mistake. Lead the way. With the data collection part of it, one thing I always did was explain why we’re doing it and then also communicate clearly what came of it, so they knew the 15 minutes they took was time well spent. Also if you’re adhering to those security practices within the organization they feel secure that you’re looking after them and their private info.

Bronwyn: Some ways that I try to stay ahead of the curve are attending webinars such as this one. Labour law updates are a priority for me so I do attend these annually to ensure we are meeting minimum standards. I read HR magazines to see what trends are hitting headlines such as the transformation to the digital workforce. I also follow different groups on Linkedin.

Matt: That’s great advice. I work in a sphere of intelligence and tech, I learn more from my Linkedin and Twitter feeds, from people in my networks. But there is no shortage of practical free or inexpensive opportunities available to learn online. Check out some websites like ZNET where they frequently publish really good stuff. There is no shortage of really good information, groups and people to learn from in a practical way.

Lastly, technology in my world is focused on heavily but as HR professionals what you bring to that table is substantial as you are the behavioural experts, you know your employees, you know how people think you know behaviour and that’s why you’ve been successful in HR.

90% of cybersecurity is social engineering. It’s human behaviours, vulnerabilities and knowing how to spot people who are ill intended and educating people around you on those behavioural aspects because the weak link is the human element, but you are NOT weak there because you know human behaviour. Give yourself the credit you deserve.

My advice:

  • Don’t let a snake in the garden.
  • Verify those who try to connect with me cause if I let them in, it’s my fault.

Also, Lighthouse Labs has a fantastic program, Data Analytics for HR - 101, is very progressive and quite frankly overdue in my opinion.

On the Cybersecurity side I’ve also reviewed the Cybersecurity for HR Training curriculum delivered by Lighthouse Labs. I wouldn’t attach my name to anything sub par in quality because my entire living is based on my reputation and trust. I do recommend that you stay tuned to that program.

It will be HR-focused tailored to your needs and your roles. I’m very impressed with what I’ve seen and I don’t say that lightly.