Cybersecurity isn’t just an IT issue anymore. With the rise of phishing attacks designed to bypass multi-factor authentication (MFA), HR teams are increasingly becoming prime targets. Why? Because HR professionals handle some of the most sensitive data in an organisation, making them a lucrative entry point for hackers.
October is Cyber Security Month, and a new report from the North East Business Resilience Centre (NEBRC) reveals some eye-opening statistics. Shockingly, 77% of HR workers have fallen victim to phishing incidents, compared to 54% of the general workforce.
If you think this is something your IT department can handle, think again. As businesses become more connected and employees handle more data than ever, we must ask ourselves: Is HR the weakest link in our cybersecurity chain?
Why Phishing Emails Are a Bigger Threat Than You Think
Phishing attacks have become incredibly sophisticated. No longer are we dealing with the obvious, poorly written emails from “royal princes” offering fortunes. Today’s phishing emails are polished, professional, and often come from what appears to be a legitimate contact within your network.
So, what is phishing exactly? It’s a cyberattack where hackers send fraudulent emails, hoping to deceive recipients into one of three actions:
- Clicking on a malicious link
- Opening a dangerous attachment
- Sharing sensitive information, such as login details
These attacks are becoming more targeted, and HR teams are right in the crosshairs. Why? Because you handle employee data, payroll details, and sensitive contracts—everything a hacker needs to wreak havoc.
MFA Isn’t Foolproof—Here’s Why
Many businesses have adopted multi-factor authentication (MFA) as a solution to boost security. And yes, it’s a great start. But the hard truth is that MFA alone isn’t enough. Hackers have found ways to bypass it, particularly when MFA relies on SMS codes or authenticator apps.
Here’s how they do it:
- OTP Interception: When you enter the MFA code sent to your phone or app, hackers can capture it and use it in real time, before the code expires.
- SIM Swapping: This involves tricking your mobile carrier into transferring your phone number to the hacker’s device, allowing them to receive the MFA code.
- Phishing Malware: Malware on your device can intercept your MFA codes and send them straight to the hacker.
Once inside your account, the hacker can exploit the compromised account to send phishing emails to other contacts, set up hidden email rules, and continue their attack undetected—until someone spots suspicious activity.
What Can HR Teams Do to Strengthen Their Defences?
This is where HR has to step up. It’s not enough to rely on IT teams to handle cybersecurity—HR has a role to play too. The NEBRC report shows that many workers (53%) haven’t received any recent cybersecurity training, or worse, they can’t remember if they’ve had any at all. That’s a significant gap, and it’s one we need to fill urgently.
Here are some practical steps you can take today:
- Invest in Regular Training: Keep your team up to date with the latest phishing tactics and cybersecurity risks. The threat landscape is constantly changing, so your training should too.
- Strengthen Your MFA: Consider using more secure methods like on-screen codes or physical MFA keys, which are harder for hackers to bypass. Avoid relying on SMS or email-based MFA codes.
- Monitor for Suspicious Activity: If you see unexpected MFA prompts or login attempts, don’t brush them off. Investigate immediately—this could be the early sign of an attack.
- Review Your Email Rules Regularly: Hackers often create hidden email rules to keep their activity under the radar. Regularly check and remove any suspicious rules that you didn’t set up.
- Set Geolocation Rules: If your business operates primarily in the UK, you can set MFA requests to only be approved from UK-based locations. This adds an extra layer of protection against foreign phishing attempts.
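The hidden email rules mentioned above tend to share a few telltale shapes: forwarding to an outside domain, deleting mail outright, or hiding security and payroll messages in folders nobody reads. As an added example (not from the article or the NEBRC report), the check below audits mailbox-rule records for those patterns; the records are constructed and their field names are assumptions loosely modelled on an Exchange Online inbox-rule export, so adapt them to your own tenant's data.

```python
"""Audit inbox rules for the traces attackers leave after taking over an account.
Added example, not from the article. Rule records are constructed; field names
are assumptions loosely modelled on Exchange Online's inbox-rule output."""

INTERNAL_DOMAIN = "example.co.uk"  # assumed tenant domain
# Folders an attacker picks so the victim never sees redirected mail
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Subject words suggesting the rule hides security or finance mail
SENSITIVE_WORDS = {"password", "mfa", "verification", "invoice", "payroll",
                   "payment", "bank", "security alert", "unusual sign-in"}

def _external(addresses):
    return [a for a in addresses if not a.lower().endswith("@" + INTERNAL_DOMAIN)]

def audit_rule(rule):
    """Return a list of findings for one rule (empty list = nothing suspicious)."""
    findings = []
    ext = _external(rule.get("forward_to", []) + rule.get("redirect_to", []))
    if ext:
        findings.append(f"forwards mail to external address(es): {', '.join(ext)}")
    if rule.get("delete_message"):
        findings.append("permanently deletes matching mail")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely-read folder '{folder}'")
    words = {w.lower() for w in rule.get("subject_contains", [])}
    hits = sorted(words & SENSITIVE_WORDS)
    # A keyword filter on its own is normal; it is suspicious only when the
    # rule also hides, deletes or silently marks the matching mail as read.
    if hits and (findings or rule.get("mark_as_read")):
        findings.append(f"targets sensitive subjects: {', '.join(hits)}")
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("has a blank or single-character name")
    return findings

def audit_rules(rules):
    """Map each suspicious rule's name to its list of findings."""
    return {r.get("name", "<unnamed>"): f for r in rules if (f := audit_rule(r))}

SAMPLE_RULES = [  # constructed data: one benign rule, two attacker-style rules
    {"name": "Receipts", "subject_contains": ["receipt"], "move_to_folder": "Receipts"},
    {"name": ".", "subject_contains": ["password", "MFA", "unusual sign-in"],
     "mark_as_read": True, "delete_message": True},
    {"name": "Payroll sync", "forward_to": ["drop-box@mail-relay.example"],
     "subject_contains": ["payroll"], "move_to_folder": "RSS Feeds"},
]
```

Running `audit_rules(SAMPLE_RULES)` leaves the "Receipts" rule alone and reports the other two, which is the review step the article recommends, automated so it can run on every mailbox rather than only when someone remembers to look.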
Don’t Let Cybersecurity Training Become an Afterthought
It’s easy to fall into the trap of thinking, “This won’t happen to us.” But the reality is that businesses of all sizes are vulnerable. The NEBRC’s research found that two-thirds of business owners haven’t received any cybersecurity training in the past year, with 50% admitting they’ve never had training on phishing or MFA.
For HR leaders, this is an alarming statistic. If your team doesn’t know how to spot a phishing email or respond to an MFA bypass attack, you’re leaving the door wide open for hackers. But there’s good news—it’s never too late to improve.
Let’s challenge the traditional thinking that cybersecurity is solely an IT responsibility. HR teams are the gatekeepers of sensitive employee data, making it crucial that we’re at the forefront of protecting it.
Time for a Mindset Shift
Cybersecurity isn’t just about technology—it’s about behaviour. As HR professionals, we need to lead by example. This means prioritising engaging, practical training that resonates with your team. When cybersecurity feels like just another box to tick, it’s easy to see why training doesn’t stick. But when you create a culture where everyone understands their role in protecting the organisation, you’ll see lasting change.
So, let’s stop thinking of phishing emails and MFA as someone else’s problem. They’re ours. And with the right approach, we can turn HR from the weakest link into the strongest defence.
The Bottom Line
Phishing attacks and MFA bypasses are becoming more sophisticated, and HR departments are prime targets. But you’re not powerless. By adopting stronger MFA methods, providing regular training, and monitoring for suspicious activity, you can build a more resilient team—and a more secure business.
Let’s stop treating cybersecurity as an IT issue and start viewing it as a collective responsibility. Your people are your biggest asset, and they deserve the best protection you can give them.
Ready to take the next step? WINC HR is here to help. We work with businesses across the UK to implement strategies that promote flexibility, freedom, and resilience—essential components in today’s fast-evolving digital landscape. Let’s work together to ensure your HR team becomes a cybersecurity asset, not a liability.
Our team of experienced HR consultants is ready to assist you in bridging the gap between HR and cybersecurity. From designing up-to-date training programmes to helping you adopt stronger security measures, we ensure your organisation is protected against modern threats. Whether you’re looking to enhance resilience, safeguard sensitive employee data, or integrate cybersecurity into your HR strategy, WINC HR has the expertise to guide you. Reach out to us today for more information on how we can support you in creating a safer, more secure workplace.