
Why HR is your secret weapon against recent cyber threats (and other disasters)

Learn the role that HR plays in preventing cyber threats and other disasters in your business, with the recent supermarket cyber-attacks in mind

First published on Thursday, June 19, 2025

Last updated on Thursday, June 19, 2025


When you picture “cybersecurity”, is it: blinking servers, digital fortresses, or a hooded hacker whispering “I’m in”?

What you probably don’t picture is Karen from HR reminding Dave to update his email or showing him how to spot phishing emails. But maybe you should.

As Sarah Armstrong-Smith, Microsoft’s chief security adviser, said at this year’s CIPD Festival of Work: the strongest defence against crisis and uncertainty doesn’t start with firewalls. It starts with people. And who’s responsible for your people? That’s right—your HR team.

So let’s talk about what really protects a business.

How hackers exploit your people to make your business vulnerable

It’s not just software updates or continuity plans. There’s trust to consider, and empathy. The kind of culture where someone can say “I think I just clicked something I shouldn’t have”, without being (metaphorically) thrown under a bus. Or marched to IT in handcuffs.

We often hear that employees are the “weakest link” in cybersecurity. But as Armstrong-Smith rightly asked, if you constantly frame staff as the problem, what kind of culture might you be creating? A culture built on fear or blame, or one built on support and responsibility?

Because the kicker here is that attackers are not just hackers. They’re often manipulative. They don’t just sneak in through your firewall. They walk right in through the front door of human error, disguised as a trusted contact or a tempting freebie.

Take the 2018 business email compromise (BEC) scam, where a scammer impersonated the Pathé CEO and requested wire transfers for a fake acquisition, leading to a €19.2 million loss. They exploited habits. Emotions. Seniority.

Does any of this sound familiar?

How staff make or break a business’s cybersecurity

Phishing emails aren’t the only threat. Insider risks, unhappy staff, weak access controls, or just simple process workarounds can be just as damaging. And when something goes wrong, too many organisations default to a good old-fashioned witch hunt. Light the torches, find the culprit, fire them, and move on.

But if your processes are flawed, or your culture silences people instead of supporting them, nothing really changes. The threat just mutates and waits for its next opportunity.

That’s where HR comes in. HR has the power to transform that anxiety into a culture of openness. That’s real protection.

As Armstrong-Smith put it, transformational leadership begins with real empathy. Not “Thanks for flagging it, champ” while quietly drafting up a disciplinary letter. But listening, understanding, and creating a chance for people to admit when something’s wrong? Well, that’s far better than becoming a headline.

And look—don’t be tempted to think that this is purely about data breaches. HR is on the frontline of everything from workplace wellbeing to whistleblowing. You write the policies, shape the culture, and, ideally, stop your Pauls downloading anything that ends in ‘.exe’ again.

How HR can boost cybersecurity in your business

HR needs the tools, time, and confidence to help you make smart decisions, especially long-term ones like building a culture of transparency and trust. That means systems that keep your policies current, your documentation secure and tight, and your people informed when something goes wrong.

BrightHR’s software helps you do all that, and more. Protect your people, processes, and policies, without drowning in the admin or legalese. Because in the end, cybersecurity isn’t just about lines of code, it’s about culture too.

Want to learn more about how we can help? Book a free demo or call us for a chat on 0800 470 2432.

