Cybersecurity and HR

HR and Cybersecurity Best Practices for Small Businesses

Technology is vital to business operations. It’s used for everything: daily communications, processing customer payments, storing files, and human resources functions like payroll. While technology optimizes operations, reliance on it exposes organizations to vulnerabilities, such as cyberattacks. A 2023 study by MasterCard found that only 16 percent of small businesses are confident about what steps to take following a cyberattack. The initial response often emphasizes IT concerns, but human resources functions should not be overlooked. This is why, in the digital age, it is important to make sure you understand the role of HR during cybersecurity crises.

In this article, we cover what a cyberattack is and share some cybersecurity best practices to ensure small businesses like yours can respond effectively, rather than reactively, in the event of a cyberattack.

What is a cyberattack?

Cyberattacks are intentional actions designed to steal, expose, disable, or destroy data, applications, or other assets by gaining unauthorized access to a network, computer system, or digital device.

The different types of cyberattacks

Cyberattacks come in various forms, including:

  • Phishing: Fraudulent attempts to obtain sensitive information, such as usernames, passwords, and credit card details, by posing as a trustworthy entity in electronic communications.
  • Malware: Malicious software, such as viruses, worms, ransomware, and spyware, that can damage, disrupt, or gain unauthorized access to computer systems.
  • Ransomware: A type of malware that encrypts a victim’s files and demands a ransom payment to restore access to the data.
  • DDoS (Distributed Denial of Service) Attacks: Overwhelming a network, service, or website with a flood of Internet traffic, causing it to slow down or become completely inaccessible.
  • Man-in-the-Middle Attacks: Intercepting and altering communication between two parties without their knowledge, often to steal personal information or inject malicious content.
  • SQL Injection: Inserting malicious SQL code into a web application’s database query, allowing attackers to access and manipulate the database.
  • Zero-Day Exploits: An attack that takes advantage of a software weakness as soon as it is discovered, before the developer has had an opportunity to fix the vulnerability.

What is the effect of cyberattacks on small businesses?

Small businesses may think they don’t need to worry about cyberattacks, but businesses of all sizes can be targeted. In fact, small businesses are increasingly vulnerable to cyberattacks because they often have limited resources allocated to cybersecurity and are seen as easy targets. IBC’s 2023 Cyber Security Survey found that 25% of employees don’t feel they have the necessary tools and training to identify potential cyberthreats at work.

If cyberattacks on small businesses are not responded to properly, the consequences can be severe. They can cause operational disruptions, data loss, and damage to the business’s reputation. These attacks can also have significant compliance and legal implications, be expensive to resolve, and result in loss of revenue.

Tips for small businesses to bring HR and Cybersecurity together

While businesses should have measures in place to prevent these attacks, it’s important to be prepared and implement cybersecurity best practices to protect your assets and ensure resilience against potential threats.

Know whom to contact

Many small businesses don’t have IT professionals on staff, but they can work with third-party IT experts. Partnering with an IT vendor or acquiring cyber-insurance can help your business respond to a cyberattack. Cyber-insurance is a specialized form of insurance that can help cover the costs of data loss, cyber-extortion, technological disruption, legal representation, and notification of affected parties in the event of a cyberattack. When acquiring these services, vendors and insurance companies will want to know what cybersecurity measures you have in place.

Ensure you have implemented fundamental measures, such as assigning IT Risk and Cybersecurity Training for Employees so workers can take appropriate cybersecurity measures and recognize cyberthreats. You can also implement a Data Security Policy, outlining measures in place to protect digital data. In the event of a cyberattack, contact your IT vendor or cyber-insurance provider promptly so they can assess the situation and help you make an informed decision on how to proceed.

It is also important to report the cyberattack to the appropriate authorities. Cyberattacks are a type of cybercrime and should be reported to your local police department within 24 hours of detection. Law enforcement will then investigate the incident. You can also report the incident to the Canadian Centre for Cyber Security to help the government develop advice, guidance, and services on cybersecurity. Once you report the incident to the required parties, you can determine the extent of the impact on your business.

Determine the extent of the impact

After a cyberattack occurs, you need to determine what is affected and whether any data has been compromised. This information is crucial to determine the feasibility of ongoing operations and identify potential obligations under privacy legislation. Privacy legislation requires that breaches of personal information be reported and disclosed in specific circumstances. If data has been compromised, review the applicable legislation to understand your obligations. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires employers to report data breaches to the Privacy Commissioner of Canada and notify affected individuals. Your PIPEDA Compliance Policy or equivalent privacy policy should outline such obligations. Work with your IT vendor or cyber-insurance provider to assess the impact on business functions and identify mitigation strategies where possible.

Once you assess the extent of the attack, determine whether the business can continue to operate. Cyberattacks on small businesses can leave them inoperable until they are effectively addressed. For instance, in ransomware attacks, data is encrypted, stolen, or deleted, and a ransom is demanded for its retrieval. In such cases, vital data and systems may become inaccessible, and the business may have to close temporarily. Employees may have specific legal entitlements during a temporary closure. It is vital you understand these entitlements so you can administer them properly. Our Live HR Advice service has a team of HR experts ready to help you determine your obligations. If operations can persist, you will need to identify and implement alternative workflows to minimize disruption.

Identify alternative workflows

Experiencing a cyberattack means it will not be business as usual. Workflows will be affected, and alternative workflows need to be developed based on the scope of the cyberattack. Consult your IT vendor or cyber-insurance provider to identify alternative workflows based on the systems and data affected. Evaluate any Project Plans in progress to determine whether they need to be put on hold or can proceed unaffected.

If you have remote employees, consider how workflows will differ for in-person employees versus those who work remotely. If alternative workflows are unfeasible, the business may need to close temporarily, or certain employees may not be able to work until the cyberattack is resolved. As previously mentioned, it is vital to understand your legal obligations to employees in such circumstances, and you should seek advice as necessary. Where you have developed alternative workflows, you can then inform employees and customers of the situation.

Communicate with employees and customers

Employees and customers need to be informed of the cyberattack and provided with relevant information. Completing a Change Communication Form can help you tailor messages for these distinct groups. Messaging should be specific to the audience and only include information they need to know. Employees need to be informed of alternative workflows, whereas customers need to know what services are available or unavailable. Also, remember that there are additional notification requirements if personal data is compromised, which need to be handled per the applicable privacy legislation.

Different communication methods may be required for in-person and remote workers, especially if the usual work communication platforms are unavailable. Therefore, it is important to ensure your employees’ personal contact information is up to date. Send employees a Change of Personal Information Memo annually to remind them to keep their contact information up to date. Streamline your HR process with HRdownloads’ customizable human resources information system (HRIS), including HRdrive.

Fortunately, HRdrive can be accessed from any Internet-connected device, ensuring continued access to this vital information during a cyberattack. All employees should be informed before you share the news with customers. Once you share this information, you should look at other HR functions that may have been affected, like payroll.

Administer payroll

During cyberattacks on small businesses, a vital and time-sensitive HR function that may be affected is payroll. Payroll disruptions can harm employees’ wellbeing. Finances are an ongoing source of worry for employees, with 57% of those surveyed in PWC’s 2023 Employee Financial Wellness Survey citing money worries as their greatest source of stress. It’s always a good idea to replace manual time tracking with a digital tool for recording employees’ hours of work.

All HRdownloads clients receive free and unlimited access to Timetastic, an easy-to-use time-tracking tool perfect for small and medium-sized organizations. When using Timetastic, you can continue processing employee time-off requests as usual by accessing the platform through any Internet-connected device. Otherwise, you can use a Time Off Request Form to manage these requests. This approach ensures you have continued access to relevant data going forward.

Employees rely on consistent paydays, and legislation requires them, specifying timelines for payments and payment methods. If your payroll process is affected by a cyberattack, ensure you are aware of your payroll obligations. Review the applicable employment standards legislation to determine when and how employees can be paid. Managing your payroll process may be more complex if payroll data is not backed up or is inaccessible, as you may not be able to retrieve critical information like employees’ pay rates. This is a technical and tricky situation. Seek advice as necessary to ensure employees are paid properly.

Help protect your business from cyber threats with HRdownloads

While technology optimizes business operations, it can also create significant disruptions when it fails. Small businesses are increasingly susceptible to cyberattacks and need to be prepared for such events. Being prepared means not only having a plan to address IT considerations but ensuring the continuity of HR functions as well. This is where having a partner that knows what they’re doing makes a difference.

Although achieving perfect cybersecurity isn’t feasible, every organization and employee can mitigate common vulnerabilities by taking some essential steps. Enroll your team in our featured online training course, and equip them with the skills and tools to recognize and respond to cyber threats effectively.

Additionally, access our FREE Cybersecurity 101 Guide to learn about the fundamental aspects crucial for protecting your organization against potential threats. While you’re at it, explore our range of solutions for HR software, HR policies, HR compliance, and HR support.

Need further insights? Request a demo now and let us tailor a solution suited to your business and budget.