
Cybersecurity Best Practices Every HR Professional Should Know



The modern workplace is filled with people using a variety of different devices and software programs to get their jobs done. In fact, research shows that the average employee now uses about 20 different digital tools for work every single day. With all these different technologies being used, it’s more important than ever to implement cybersecurity best practices to keep unauthorized users from accessing business systems and data.

The threat of cyberattacks continues to grow at an alarming rate. In 2020, 61 percent of organizations experienced malware activity that spread from one employee to another. In 2021, that number rose to 74 percent, and in 2022 it hit 75 percent, the highest rate of infection recorded.

What is a cyberattack?

A cyberattack is any kind of malicious attempt to disrupt computer networks, websites, or internet-connected devices. These attacks can take the form of Distributed Denial of Service (DDoS) attacks, security breaches, password theft, data breaches, ransomware, or other malware that is designed to wreak havoc on your business network and systems.

Cyberattacks are often motivated by financial gain. Hackers attempt to steal money or sensitive information like passwords, credit card information, or Social Security numbers. If they’re successful, they can use this information to steal money from bank accounts or make fraudulent purchases.

The average cost of a data breach rose from $3.86 million to $4.24 million in 2021, the highest average total cost in the 17-year history of IBM's annual security report.

Reasons Why Cyber Attacks Target Work Computers, Devices, and Networks

Employees who regularly access their work computers, devices, and networks from home are at increased risk of a cyberattack because of poor cybersecurity practices or a lack of cybersecurity protocols when they access work data remotely. Personal computers and mobile devices that are used for work but are not set up to connect through a virtual private network (VPN) are missing a layer of security.

A VPN can help protect your data from third-party access by giving small businesses the ability to deploy security policies and security software across their entire network. This form of security system helps distribute the latest updates for security software such as anti-malware, update firewall settings, and enforce strong password and multi-factor authentication requirements for all devices on the network.

Installing malware or ransomware on computers, devices, and an organization's networks lets cybercriminals engage in a number of activities, ranging from annoying to devastating. These include, but are not limited to:

  • Slowing down computers and networks
  • Taking company websites and business systems offline
  • Spying on individuals in the organization
  • Stealing passwords and other sensitive data from an organization’s computers and networks
  • Destroying data on an organization’s computers and networks
  • Releasing an organization’s sensitive data to the public unless large sums of money are paid
  • Disabling an organization’s systems until large sums of money are paid

Cybersecurity Best Practices for Passwords

Types of Cyber Attacks Used on Businesses

Cybercriminals often attempt to steal sensitive information like passwords or Social Security numbers by tricking people into clicking on malicious links or downloading malicious files. They can also access this information by hacking into computers or networks.

Phishing

This popular cyberattack method attempts to obtain sensitive information or install malware on an individual's computer or device by impersonating a trustworthy organization. Phishing attacks account for more than 75% of reported cybersecurity incidents worldwide. They are most often carried out through fraudulent emails, but may also take place via social media, instant messaging, or text messages.

These messages describe a situation designed to make victims upset, worried, anxious, or excited, and then spell out the consequences of delay or inaction. Typically, the victim is tricked into entering personal information on a counterfeit web page that mimics a legitimate page from a known organization. Sometimes the message carries an attachment that the recipient is tricked into saving and opening.

If companies are taken in by this type of cybersecurity attack, cybercriminals may be able to:

  • Get employee work passwords
  • Access personal information such as online banking passwords, Social Security/Social Insurance Numbers
  • Access sensitive files
  • Install malware such as spyware or ransomware

As a general rule, employees should be cautious when they receive communications from unknown senders asking them to click a link or open an attachment. Setting up multi-factor authentication alongside passwords is one of the best-known security best practices.

Hacking Passwords

Password security is easily compromised by manually guessing common passwords or by brute-force attacks. A brute-force attack uses automated software to submit a large number of passwords or phrases in the hope of eventually guessing the right one. This approach systematically checks possible combinations until the correct one is found.

It is critical that every department in the company guards against these threats by setting up strong passwords and multi-factor authentication across all business systems to keep out unauthorized users. Most business software now requires multi-factor authentication to provide an extra layer of security and protection for users.
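The brute-force and multi-factor points above, as an added example in Python that is not part of the original article: it sizes the search space a brute-force attack must cover, rejects a few commonly guessed passwords from a constructed list, and throttles failed logins with an account lockout so that online guessing is capped. The names (LoginThrottle, hash_password), the sample password list and the salt are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Constructed sample of commonly guessed passwords (stand-in for a real breached-password list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}

def is_common(password: str) -> bool:
    """Reject passwords that manual guessing or a dictionary attack would hit first."""
    return password.lower() in COMMON_PASSWORDS

def guesses_to_exhaust(length: int, alphabet_size: int) -> int:
    """Number of candidates a brute-force attack must try to cover every
    combination of the given length over the given alphabet."""
    return alphabet_size ** length

def max_online_guesses_per_day(max_failures: int, lockout_seconds: int) -> int:
    """Upper bound on guesses per account per day once a lockout policy is enforced."""
    return (86400 // lockout_seconds) * max_failures

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the server's stored verifier; never store plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginThrottle:
    """Lock an account for lockout_seconds after max_failures consecutive failed
    logins, which caps the rate at which an online brute-force attack can run."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures: dict = {}      # username -> consecutive failure count
        self.locked_until: dict = {}  # username -> time the lock expires

    def attempt(self, username: str, password: str, salt: bytes,
                stored_hash: bytes, now: float) -> str:
        """Return "ok", "denied" or "locked"; a lock rejects even the right password."""
        if self.locked_until.get(username, 0) > now:
            return "locked"
        # Constant-time comparison avoids leaking how many bytes matched.
        if secrets.compare_digest(hash_password(password, salt), stored_hash):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.failures[username] = 0
            self.locked_until[username] = now + self.lockout_seconds
            return "locked"
        return "denied"
```

With five failures per 15-minute lockout, an attacker is held to 480 online guesses per account per day, while an 8-character lowercase password alone has about 2.1 x 10^11 combinations; the lockout, not the password length, is what makes online guessing impractical.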

Business Email Compromise (BEC)

Business Email Compromise (BEC) is an increasingly popular type of email scam that costs businesses billions of dollars every year. In a BEC attack, hackers compromise a corporate email account and impersonate its owner to deceive the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker's account. Some BEC attacks are intended to extract money; others target sensitive information such as tax statements and Personally Identifiable Information (PII), which cybercriminals use for identity theft. Two of the most common types of BEC attacks are:

Spear Phishing

The practice of sending emails that appear to come from someone inside the organization who has a legitimate reason to ask for confidential information: an HR person, a system administrator, a manager in another department, and so on. At first glance these messages look legitimate, but on closer inspection they are not.

Whaling

Also known as CEO Fraud, whaling is a form of phishing in which a hacker gains access to the computer of a senior official in the organization, such as the Chief Executive Officer (CEO), and studies their behavior and writing style. When the CEO is away on vacation or on a work trip, the hacker sends a message masquerading as the CEO to another employee, asking for sensitive information or money. A whaling example would be the CEO impersonator emailing the Chief Financial Officer (CFO) and asking them to send money to pay a newly acquired supplier.

Once cybercriminals know who to target within an organization, they will either attempt to hack into the target’s email account or spoof it.

Intercepting Unencrypted Data from Emails

Cybercriminals can intercept email messages in transit and read their content. If a message contains any sensitive or personal information (addresses, phone numbers, Social Security/Social Insurance Numbers, banking information, and so on), they can take it.

If your employees notice that their work computer, system, or network is running slowly, they should be aware that this could be a sign of a cyberattack. Other warning signs are strange emails arriving from colleagues or warnings from antivirus software. If employees notice any of these signs, they should report them right away so that IT can investigate.

"Man-in-the-Middle" Attacks on Public WiFi

Public WiFi is often unencrypted and unsecured. This type of attack exploits those weaknesses to intercept everything that passes between your computer or mobile device and the services you connect to: account usernames and passwords, online purchase records, financial information, emails, and so on.

Cybersecurity Best Practices for Networks

Strategies to Mitigate Risks to Personal Information, Networks, Systems, and Data

The best way to mitigate the risk of cyberattacks is to implement IT security best practices that keep your company safe from cybercriminals.

Integrate IT Security and Culture

Establishing a work culture that keeps cybersecurity best practices top of mind helps keep your company's infrastructure secure: users follow the protocols that prevent unauthorized access, and your IT department is better able to monitor security threats.

A culture of security encourages employees to report potential cyber threats. Businesses should also regularly audit their systems for vulnerabilities that could let cybercriminals reach their network and data. Once vulnerabilities are identified, businesses can apply cybersecurity best practices to patch them so that hackers can't get in.

Conduct Regular Auditing

You should regularly audit all of your business systems for vulnerabilities that could allow cybercriminals to access your data. You can do this by conducting a cyber risk assessment, which examines your business to find any weak points that could be exploited. Software solutions enable a company's IT team to automate checks for vulnerabilities in user accounts and password protection, help keep upper management secure, and detect ransomware.

Employee Training and Resources

One of the best ways to combat cyberattacks is to educate your employees on how to better protect themselves online. You can do this by providing cybersecurity training, sending out security bulletins with tips such as how to create a strong password, or creating cybersecurity policies that outline what each user (including management) is expected to do to avoid a data breach, how to follow password creation requirements, and how to secure their devices.

You can also create a policy for employees to report any cyber threats they see or experience. If an employee thinks their password manager has been compromised, they should be encouraged to let IT know. Follow up with employees on whether they have reported any threats so that IT can investigate security issues.

Finally, you can also provide tools to help employees better protect themselves online. For example, you can provide your employees with antivirus software, password manager access, two-factor authentication tools for password protection, and a secure VPN service.

Update Existing Company Policies with Cybersecurity Best Practices

Companies should incorporate cybersecurity best practices into existing business policies. Having cybersecurity policies ensures that management and employees know what is required of them as users when it comes to cyber practices, solutions, and protection. Organizations need to give every user guidance on protecting the company network, setting up strong passwords, and storing sensitive data such as credit card numbers and Social Security numbers.
