HR is one of the most critical yet consistently underestimated pillars of business resilience. Most people look first to IT, finance or operations when thinking about continuity, but the truth is this: if HR went offline tomorrow, your business would feel the impact instantly and painfully.
When HR stops, payroll halts. Recruitment freezes. Compliance slips. Decisions stall. And perhaps most importantly, your people lose the human support they rely on every single day – the reassurance, the guidance, the conflict resolution, the welfare checks, the difficult conversations managed with care. HR isn’t just a process engine; it’s a lifeline for the organisation’s culture, stability, and wellbeing.
Then there’s the reality of what HR manages: the most sensitive information about each and every one of us. Our pay, our addresses, our NI numbers, our performance, our personal concerns, our grievances, our health notes, our family circumstances: all the data we expect to be protected without question. It’s the sort of information that, if exposed or inaccessible, doesn’t just create operational risk, but breaks trust at the most human level.
HR also manages disciplinary processes, investigations, grievances, and the governance that keeps fairness, accountability, and legal compliance intact. These aren’t just admin tasks; they’re fundamental to workplace integrity. Without HR, there is no neutral process, no documented oversight, no safeguarded way to resolve conflict or protect people.
Outsourced HR, payroll, and back-office providers have increasingly been linked to several major UK data breaches. These incidents highlight the growing third-party risk facing organisations that rely on external partners to process sensitive employee data.
A recent UK example is the cyberattack on outsourcing provider Capita plc in 2023. Attackers gained access to the company’s systems, exfiltrating large volumes of sensitive personal data linked to businesses that relied on its services.
The breach exposed information relating to around 6.6 million individuals, including employee and pension data held on behalf of multiple organisations. The UK Information Commissioner’s Office later fined Capita £14 million after finding serious failures in its security controls.
Breaches involving outsourced providers also expose a wider issue: HR-related incidents are rarely categorised or reported as formal ‘HR breaches’. As a result, official statistics often underestimate the scale of the risk. Whether HR data is managed internally or through third-party providers, it remains a prime target for attackers due to the volume of sensitive personal information it contains, and the critical role HR systems play in keeping organisations operational.
So, I’ll say what many avoid saying out loud: If HR goes down, the business stutters. People, processes, decisions, compliance, culture – all paused.
That’s why I treat HR not as a service function, but as critical infrastructure. Protect it well, and the entire organisation keeps moving.
How is your HR service being targeted?
Phishing & social engineering targeting HR
- HR receives high volumes of CVs, attachments, and external emails, making it a prime target for phishing attacks designed to steal credentials or deliver malware.
- Phishing frequently targets payroll and HR operations.
- Employee data breaches are increasingly driven by human errors exploited by attackers.
Misdirected emails containing employee data
- One of the most common HR data breaches: sending employee information (e.g. payslips, P45s, absence notes) to the wrong recipient.
- ICO reportable breaches often involve misdirected HR emails.
- These incidents significantly contribute to the rise in employee data breaches year on year.
‘Snooping’ in HR systems (unauthorised internal access)
- Employees sometimes access HR or colleague records without a legitimate reason, creating a GDPR breach.
- This is documented as a common internal HR breach type.
- ICO guidance classifies any unauthorised access as a reportable personal data breach.
Storage of HR data in insecure channels (spreadsheets, chat apps)
- HR teams often store or transmit sensitive data via spreadsheets, Teams/Slack messages, or shared drives, causing exposure.
- Sharing HR documents over chat apps is a listed real-world breach scenario.
Loss or theft of HR devices or paper records
- Physical files and unencrypted laptops containing HR data create high-risk exposure if lost or stolen.
- Lost/stolen devices and paper mishandling are common employee-data breach types.
- ICO emphasises personal data breaches include loss of data, not just hacking.
HR data highly targeted in cyber attacks
- HR-related data (payroll files, CVs, ID documents) appears disproportionately in cyber breaches.
- 82% of cyber breaches include HR data, according to recent HR sector analysis.
Manipulated payroll change requests (fraud & impersonation scams)
- Attackers impersonate employees or managers to redirect salary payments or change bank account details.
- Phishing and payroll-focused attacks are highlighted as common employee-data breach vectors.
Human error in handling sensitive HR spreadsheets
- A single error, such as emailing an Excel file to the wrong distribution list, can expose thousands of employee records.
- A notable internal example is the 2023 Ministry of Defence spreadsheet incident, where a staff member accidentally emailed personal data of thousands of Afghan nationals supporting UK forces, an error with national-level consequences.
Failure to follow ICO-required HR breach protocols
- Missing escalation procedures, delayed reporting, or lack of HR staff training increases regulatory and financial risk.
- ICO requires robust internal breach detection and HR involvement in escalation.
- Many breaches occur because staff do not recognise or escalate incidents correctly.
Insider threats (disgruntled or careless employees)
- HR data’s sensitivity makes it attractive for misuse by insiders, whether intentional or accidental.
- Internal breaches such as inappropriate sharing or poor document handling are widely documented.
- Employee stress and operational disruption following breaches indicate that the internal impact is often overlooked.
If there’s one takeaway from this discussion, it’s that protecting HR data is not simply a compliance exercise. When employee information is mishandled or exposed, the consequences reach far beyond a regulatory issue. It affects operational stability, organisational credibility, and the trust your workforce places in how their information is handled.
Strengthening resilience in this area is not about alarmism; it’s about building safeguards before problems arise. The organisations that manage these risks well tend to do so quietly, by reviewing processes, tightening controls, and ensuring the right oversight is in place long before an incident occurs.
Take the opportunity to step back and assess how your HR data is managed. Examine where sensitive information is stored, who can access it and how incidents would be detected and escalated. Even a short resilience review can uncover dependencies or vulnerabilities that would otherwise go unnoticed.
Many organisations are already rethinking how they protect HR systems and employee data as part of their wider resilience strategy.
At Net‑Defence, our focus is on helping organisations strengthen that protection in practical, operational ways. The goal is simple: ensuring the systems and data your people rely on remain secure, reliable, and resilient.
The next step is yours: review how your HR data is protected and strengthen the safeguards in place before a breach forces the issue. If you would like support assessing or improving your approach, work through our resilience testing document against your current HR setup or get in touch with us today.