The HR Data-Protection Playbook (10 moves to implement now)

1) Bank-detail changes = out-of-band
No changes via email or chat, no matter how urgent the request sounds. Require the employee to submit the change through an authenticated self-service portal, then confirm it with a live voice or video callback to a number already on file (never one supplied in the request itself). Log every change and have a second person approve it before the next payroll run.

2) Email hygiene & DLP
Turn on “warn before sending externally,” auto-detect PII in attachments (including files inside archives), block auto-forwarding rules that point at personal inboxes, and default to BCC for bulk comms so one misaddressed all-staff mail does not leak the whole distribution list.
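The two checks in this move, an external-recipient warning and PII detection in an attachment, can be combined into one pre-send decision. The following is an added example in Python, not code from the playbook or any vendor's DLP product; it assumes an internal domain of example.com and looks only for UK National Insurance numbers and IBANs, and it validates IBAN candidates with the ISO 7064 mod-97 check so a bare regex hit on a reference code does not block legitimate mail. The sample attachment text is constructed for the example.

```python
import re

# Assumptions for this example (not from the playbook): the organisation's
# own mail domain, and the two identifier types the check looks for.
INTERNAL_DOMAINS = {"example.com"}

# UK National Insurance number: two letters, six digits, suffix A-D.
# The first letter is never D, F, I, Q, U or V; the second is also never O;
# a few two-letter prefixes are never issued.
NI_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"
)
# IBAN: country code, two check digits, then up to 30 alphanumerics,
# optionally written in space-separated groups of four.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    replace each letter with its value 10..35, and the resulting integer
    must be congruent to 1 mod 97. Rejects typos and random look-alikes."""
    s = iban.replace(" ", "").upper()
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def find_pii(text: str) -> list:
    """Return (kind, value) pairs for identifiers found in the text."""
    findings = []
    for m in NI_RE.finditer(text):
        findings.append(("ni_number", m.group()))
    for m in IBAN_RE.finditer(text):
        candidate = m.group().replace(" ", "")
        if iban_is_valid(candidate):  # a regex hit alone is not enough
            findings.append(("iban", candidate))
    return findings


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate_send(recipients: list, attachment_text: str) -> dict:
    """Decide what the mail client should do before the message leaves.

    allow : internal recipients only
    warn  : an external recipient, no PII detected (the "warn before
            sending externally" prompt)
    block : an external recipient and PII in the attachment
    """
    external = [r for r in recipients if is_external(r)]
    pii = find_pii(attachment_text)
    if external and pii:
        action = "block"
    elif external:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "external": external, "pii": pii}


# Constructed sample attachment text (fictional; the IBAN is the well-known
# documentation example, the "internal ref" fails the check digits).
SAMPLE_ATTACHMENT = (
    "New starter form\n"
    "Name: A. Example\n"
    "NI number: AB123456C\n"
    "Bank: GB82 WEST 1234 5698 7654 32\n"
    "Internal ref: GB82WEST12345698765433\n"
)

if __name__ == "__main__":
    for rcpts in (["payroll@example.com"], ["a.example@gmail.com"]):
        print(rcpts, evaluate_send(rcpts, SAMPLE_ATTACHMENT)["action"])
```

The same structure extends to other identifiers (passport numbers, national ID formats) by adding a pattern plus, wherever the format has one, its check-digit routine; the validation step is what keeps the override rate low enough that staff keep respecting the prompt.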

3) Recruitment sandboxing
Accept applications only through a portal that scans uploads. Open CVs in a cloud viewer rather than a desktop Office client. Block Office macros by policy, and judge uploaded files by their content rather than their extension, since a macro-enabled document renamed to .docx still opens as one. Train recruiters on phishing tells.
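A portal scan for this move needs to look inside the upload, because the filename is chosen by the applicant. The following is an added example in Python, not code from the playbook or any recruitment platform; it assumes the portal accepts only PDF and DOCX CVs and that an archive expanding beyond 50 MB is a decompression bomb rather than a CV. It sniffs the container by magic bytes, looks inside Office Open XML packages for a vbaProject.bin part or the VBA content type, refuses legacy OLE (.doc) containers outright, and flags PDFs that carry active-content keywords for review. The sample DOCX packages are constructed in memory for the example.

```python
import io
import zipfile

# Assumptions for this example (not from the playbook): the portal accepts
# only PDF and DOCX CVs, and an archive that expands beyond this size is
# treated as hostile rather than as a CV.
ACCEPTED_EXTENSIONS = {"pdf", "docx"}
MAX_UNCOMPRESSED = 50 * 1024 * 1024

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm) container
PDF_MAGIC = b"%PDF-"

# PDF keywords that make a file do something on open rather than just render.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def sniff(data: bytes) -> str:
    """Classify by content, never by the filename the candidate chose."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def ooxml_findings(data: bytes) -> list:
    """Look inside an Office Open XML package for macro and object parts."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not_a_valid_zip"]
    findings = []
    if sum(info.file_size for info in zf.infolist()) > MAX_UNCOMPRESSED:
        findings.append("oversized_archive")
    names = zf.namelist()
    # A VBA project is stored as vbaProject.bin whatever the extension says,
    # so a .docm renamed to .docx is caught here.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("vba_project")
    elif "[Content_Types].xml" in names and \
            b"vnd.ms-office.vbaProject" in zf.read("[Content_Types].xml"):
        findings.append("vba_content_type")
    # Embedded OLE objects (for example a packaged executable) live under embeddings/.
    if any("/embeddings/" in n for n in names):
        findings.append("embedded_object")
    return findings


def triage_upload(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    reasons = []
    if ext not in ACCEPTED_EXTENSIONS:
        reasons.append("unsupported_extension")
    if (ext == "pdf" and kind != "pdf") or (ext == "docx" and kind != "zip"):
        reasons.append("extension_mismatch")  # renamed file: treat as hostile
    if kind == "ole":
        reasons.append("legacy_ole_container")  # macros sit in OLE streams not parsed here
    elif kind == "zip":
        reasons.extend(ooxml_findings(data))
    elif kind == "pdf":
        # Keywords inside compressed object streams are invisible to a plain
        # byte scan; a real portal decompresses the PDF before checking.
        if any(k in data for k in PDF_ACTIVE):
            reasons.append("pdf_active_content")
    blocking = {"unsupported_extension", "extension_mismatch", "legacy_ole_container",
                "not_a_valid_zip", "oversized_archive", "vba_project", "vba_content_type"}
    if any(r in blocking for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"  # embedded_object / pdf_active_content: sandbox or human look
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


def make_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal DOCX-like package for testing (not a real CV)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = ['<?xml version="1.0"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00placeholder vba stream")
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_upload("cv.docx", make_sample_docx(False)))
    print(triage_upload("cv.docx", make_sample_docx(True)))
    print(triage_upload("cv.pdf", b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj"))
```

A "review" verdict is where the cloud viewer earns its keep: the recruiter reads the CV in the viewer while the original sits in quarantine, and nothing executes on a staff workstation.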

4) Least privilege, always
Tight, role-based access in the HRIS (HR information system), ATS (applicant tracking system) and payroll platform. Replace shared inbox credentials with individually assigned access to shared mailboxes, so every action is attributable. Quarterly access reviews. Same-day de-provisioning at offboarding, triggered by the HR leaver record rather than by someone remembering to raise a ticket.

5) Vendor due diligence that actually bites
Data Processing Agreements, security questionnaires, mandatory MFA, encryption at rest, breach-notice SLAs, and data-retention limits. Review annually.

6) AI guardrails for HR
Clear policy: no employee or candidate PII in consumer AI tools. Use an enterprise AI environment with SSO, logging, and retention controls, and confirm in the contract that prompts and uploads are not used to train the vendor's models.

7) Phishing-resistant MFA
Adopt passkeys/FIDO2 for mailboxes and HR platforms, and disable weaker fallbacks such as SMS and voice codes where the platform allows it. Rotate vendor API keys on a schedule and whenever someone with access leaves. Monitor for leaked credentials.

8) Data minimization & retention
Purge old CVs, identity documents, and background-check records on a fixed schedule. Keep only what compliance truly requires, and write down the retention period for each record type so the purge can be automated and audited.

9) Incident runbooks for HR scenarios
Short, specific playbooks for: misdirected email, payroll-diversion attempts, malware in a CV, and vendor breach notification. Each one should answer a single question: who does what within the first 60 minutes?

10) Role-specific training
Ditch generic “cyber awareness.” Train HR on their scenarios: fake bank-change requests, executive impersonation, recruitment lures, and offboarding timing.

Signals you’re getting it right
• Bank-detail changes are only processed through a controlled, dual-verified flow.
• Fewer external-send warnings are being overridden, and attachment recalls have dropped.
• Recruiters routinely use a safe viewer for résumés, and macro-laden files get blocked.
• Quarterly access reviews are completed on time, and ex-staff access is revoked same-day.
• Vendors have current security attestations, and your DPA library is up to date.
• Your incident playbooks are tested in tabletop exercises, not just sitting in a folder.

A one-page checklist you can copy into your policy
• Require portal + callback for salary/bank changes
• Turn on DLP, external-send warnings, and block personal auto-forwarding
• Route CVs via a scanning portal; cloud-view by default
• Enforce least-privilege and quarterly access reviews
• Offboard accounts immediately
• Sign DPAs; verify vendor MFA, encryption, SLAs, and retention
• Use enterprise AI with SSO and logging; prohibit PII in consumer AI
• Adopt passkeys/FIDO2 for HR platforms and mailboxes
• Purge old candidate/employee documents on a fixed schedule
• Maintain HR-specific incident runbooks and run tabletop drills