Involvement by CHROs is becoming more common, said HR Policy Privacy Counsel Harriet Pearson of Hogan Lovells, who set the stage for call participants. “Attacks often immobilize part of a company’s ability to operate, which is a trigger for more of the company to get involved. Further, HR data is frequently among the most sensitive held by a company and is sometimes targeted. The HR function is responsible for ensuring a company has the right talent to respond and for developing a culture that determines the strength of preparation and response.”
Pitney Bowes CHRO Johnna Torsone and Chief Information Risk Officer Ray Umerley relayed lessons learned from their experiences with ransomware attacks.
- Ms. Torsone noted, “Above all else, it’s a cultural issue. If we had focused on whose fault it was rather than coming together to fix the problem, we would have been sunk.” During the incident, the focus for the CHRO role was internal communications, she said.
- Mr. Umerley emphasized the need for an enterprise-wide response to such attacks, and pointed to HR as a critical stakeholder in communications and identifying individuals from across the company to compose the response team. He also noted the need for effectively training employees to mitigate cybersecurity risk, observing that Pitney Bowes’ culture was sensitized to the importance of good cyber hygiene after the first attack, but effort is needed prior to an attack as well.
OhioHealth CHRO Shereen Solaiman and CIO Jim Weeast gave the perspective of a health care provider, outlining their efforts in preventing an attack.
- Ms. Solaiman underlined the importance of ensuring that leadership understands and supports the steps the company takes to prevent cybersecurity attacks, even when it is inconvenient for employees.
- Mr. Weeast recommended developing a cross-company cyber risk council to run through scenarios and develop strategies and tactics that can be elevated to company leadership to educate them and more effectively respond to such an attack. He also noted the elevated risk associated with vendors and the importance of limiting access to sensitive data to a need-to-know basis.
“The increased frequency and risk associated with such attacks may represent a turning point for companies as they consider how best to respond to them,” said HR Policy CEO Tim Bartl, who moderated the call. “This is far broader than an IT issue, and companies are recognizing that.”
Click here for the call presentation.
