Employee data breaches hit five-year high

Reports to the Information Commissioner’s Office jumped from 2,279 in 2022 to 3,208 in 2023

Breaches of employee data increased by 41% in 2023, analysis by the law firm Nockolds found.

Nockolds' analysis of Information Commissioner's Office (ICO) data also found that ransomware attacks targeting employee data had jumped by 57% over the past year, from 352 to 554.

This followed a report on 7 May that the armed forces payroll system was hacked, which exposed the personal data of Ministry of Defence employees.

Joanna Sutton, principal associate at Nockolds, explained that HR has a legal responsibility for ensuring that employees are compliant with data protection regulations.

Speaking to HR magazine, she said: "HR departments are responsible for ensuring employees' compliance with data protection regulations, such as GDPR.

"Often there is at least some organisational responsibility for data security which falls within the purview of HR, particularly if the breach affects employee data such as payroll.

"HR teams will also have a key role to play in coordinating the response and communicating with affected employees."

Vivek Dodd, CEO of compliance platform Skillcast, explained that HR could embed learning in its culture to prevent data breaches.

He told HR magazine: “HR's role in cybersecurity goes beyond ticking boxes; it's about creating a culture where everyone understands how to protect a company's digital assets.

“Instead of dull lectures, HR should work closely with IT and security teams to craft training modules that simulate real-world cyber threats relevant to their company's landscape.”

Dodd added that HR could use microlearning to train employees on cyber security risks.

He continued: “Short, simple training about threats, which is microlearning friendly, should be embedded into training but also the onboarding processes, as new staff are most likely to make mistakes.

“Repetition is key; highlighting risks regularly ensures they remain front of mind and don't become neglected. This can include simple desk aids that can help reinforce key concepts, such as checklists.

“Furthermore, integrating behavioural analytics into employee monitoring can provide early indicators of potential insider threats, allowing for timely intervention and mitigation strategies.”

Because of the volume of personal data they hold, HR teams should themselves receive training, noted David Emm, principal security researcher at the online security technology provider Kaspersky.

Speaking to HR magazine, he said: "HR professionals themselves should receive cybersecurity awareness training and advise the company on such matters.

"Additionally, HR should be vigilant about the formats of files sent by applicants, recognising potentially harmful executable files and establishing acceptable file formats for CVs and work samples."

Training should be backed up by cyber security policies, suggested Andrew Rose, chief security officer at human risk management platform SoSafe.

He told HR magazine: “Security policies that prioritise the training and educating of staff must be paramount. Technology is a part of the solution but it is no longer enough.

“Secure cyber strategies will be supported with internal policies that ensure staff across all departments are up to date with the latest cyber training.”