With the risk of cyberattacks on the rise due to the war in Ukraine, experts say HR teams should be increasingly vigilant for threats that will disrupt operations.
Beyond phishing trainings and ransomware education, HR may feel divorced from cybersecurity concerns. In the event of an outage or attack, however, people operations managers will be the ones to put their companies back on track, serving as a key liaison between the IT department and company staff at large, so preparation is key.
"HR has historically been responsible for communicating policies and work expectations even if they aren't produced through a written policy. That's really what's necessary for cybersecurity to be effective," Elizabeth Chilcoat, an associate at Sherman & Howard, said.
It's HR's job to break down post-attack protocol into layman's terms, both to keep the peace internally and for compliance reasons, she said.
Chilcoat and Kevin Jackson, senior counsel at Foley & Lardner LLP, told HR Dive there are a few things HR pros should keep in mind as emergency protocols are reassessed and revamped, in light of the increased risk presented by the Russian-Ukrainian war.
Have a Plan B
"As a lawyer, it's very easy to sit in my ivory tower and say what employers should do is be totally risk-averse. 'Let's go back to the old days, where we did paper time cards and manual calculation.' That's not realistic," Chilcoat said, adding that risk is a reality of business. "The best thing a company can do is be prepared for how it is going to deal with the worst-case scenario."
HR departments braved a worst-case scenario in December 2021 when a UKG-related ransomware attack brought down Kronos, a timekeeping software.
"That proved to be extremely disruptive to companies with respect to their payroll practices. You have a system that exists on a cloud that is now out, and the times that employees have entered are no longer accessible," Jackson said.
"It's led to the realization that maybe [companies] need to be making a daily or weekly backup archive of things as simple as time clock punches, having that stored on the cloud," he said. If a crucial vendor is attacked, HR must still keep critical operations rolling.
Know how you'll get employees up to speed
If an attack happens, "you won't know exactly what you need to do" in the immediate aftermath, Chilcoat said, but companies should determine what data was impacted and what is the business obligation for reporting data impact.
HR departments should determine the triggering event and if it's possible to take action. Additionally, HR teams should know the window post-attack in which they are obligated to alert employees.
Sometimes, only affected employees must be notified and other times, all staff need to be clued in. Some states also require employers to contact a government entity, such as an attorney general's office.
Be mindful of varying rules from state to state, Chilcoat said. The geographically dispersed nature of pandemic-era workforces can create compliance questions.
Generally, these laws were passed with consumer protection in mind, Jackson said. The security breach notification rules tend to be geared toward consumers in a specific state. In the context of remote work, he said, typically an employer would fulfill obligations from the worker's home state and where the business is operating.
Before making any moves, Jackson urged employers to reach out to legal counsel that specializes in data privacy.
Triage the situation and proceed from there
HR teams should then figure out just how sensitive the data was in the breach, and how much of it hackers compromised.
"It's very different for a hacker to find out that my name is Elizabeth and that I'm an attorney, than it is for a hacker to find out my first name, middle name, last name, my address, my social security number and my bank routing information," Chilcoat said.
The range of information that falls under HR is wide: along with personal data, trade secrets, business records and other confidential information is at-risk, especially as employees can access it through their personal devices.
Still, Chilcoat told HR Dive, "the only way to attack-proof the system is to make sure that nobody can access it. And that's just not practical."
That's why a response plan is so crucial. For example, if social security numbers have been lost, perhaps employers can provide workers with free auditor services. Chilcoat also recommended hiring forensics professionals to parse out the details. Once the company has a good grasp on the situation, people operations teams can help their employees pick up the pieces.
Keep a cool head
This is where the "human" part of human resources comes in. As employees start to understand the scope of a data breach, HR departments should be prepared to manage workers' emotional responses — "so that it does not turn into panic and it does not become acrimonious," Chilcoat said.
In times of crisis, it's important to be clear and honest. "Be sure that you maintain your credibility. You're letting employees know that you don't know the answer to some of these questions and that you will answer them as soon as you can," Chilcoat said, adding that HR should avoid speculation.
Broadly speaking, Jackson sees the recent cybersecurity conversations as a catalyst for lasting change.
"Even if we're not concerned specifically about Russian cyberattacks — which is probably less of a concern in the context of this current crisis — this is a reminder. This is the way war can be waged in the modern economy," he said.
"This is just a reminder that these issues need to be prioritized by businesses' HR and IT teams, so they do have processes, training and policies in place to protect their systems — before it's too late," Jackson said.
Correction: An earlier version of this story incorrectly described Kevin Jackson’s credentials. Jackson is senior counsel at Foley & Lardner LLP.