HR’s Role in Banking Cyber Resilience: People Are the New Firewall

 

Introduction

As banks become more digital, cybersecurity has become a very important part of running the business. Technology still matters, but a growing body of research shows that people are the weakest link in cyber protection. Human Resource Management (HRM) is therefore becoming more important in making systems more resistant to cyber attacks. In Sri Lanka's banking sector, however, cybersecurity is still mostly seen as an IT job, with little input from HR.


Global Debate

Banks all across the world are realising that cyber threats frequently exploit human weaknesses rather than technical ones. Employee behaviour often makes it easier for phishing attempts, social engineering, and insider threats to succeed. DBS Bank in Singapore and Barclays in the UK are two of the most important banks that have responded by making cybersecurity a part of their HR processes.
These practices include thorough background checks during hiring, ongoing cyber awareness training, and the inclusion of cybersecurity behaviours in performance reviews. Established offboarding protocols also make sure that employees' system access is revoked quickly when they leave the company (Hadnagy, 2023).

Despite these advancements, many organisations continue to treat cybersecurity as a purely technical issue, neglecting the human dimension. This fragmented approach limits the effectiveness of cyber defence strategies.


Sri Lankan Context

Cyber fraud has been on the rise in Sri Lanka's banking sector, especially phishing attacks that target both customers and employees. These incidents show how financial institutions are becoming more and more vulnerable as the world becomes more digital.
HR's role in solving these problems, however, is still limited. Hiring processes mostly rely on basic background checks and give little weight to candidates' cybersecurity knowledge. Training programmes mostly happen once a year, and people regard them as a compliance exercise rather than real learning.
Offboarding procedures are also sometimes not very strict, and delays in revoking system access create considerable risk. The Central Bank of Sri Lanka has issued guidance on cyber resilience, although HR is only a small part of these frameworks.

Theoretical Perspective: Social Cognitive Theory

Bandura's (1986) Social Cognitive Theory offers a useful framework for understanding cybersecurity behaviour. The theory posits that behaviour is influenced by the interplay of individual factors, environmental variables, and behavioural reinforcement.
In cybersecurity, employees acquire suitable habits through observation, feedback, and consequences. If organisations do not encourage safe behaviours or deal with risky ones, employees are less likely to adopt safe habits.
HR plays a very important part in shaping this environment. Through training, performance management, and workplace culture, HR can affect how confident and motivated employees are to act safely.

Repositioning HR as a Cybersecurity Partner

To enhance cyber resilience, Sri Lankan banks must integrate HR into their cybersecurity strategies. This begins with embedding cybersecurity competencies into recruitment processes, ensuring that new hires possess a baseline level of awareness.

Training programmes should be continuous and interactive, focusing on real-world scenarios rather than theoretical knowledge. Incorporating cybersecurity behaviours into performance evaluations can further reinforce their importance.

Additionally, HR must ensure robust offboarding procedures, including immediate revocation of system access and monitoring of potential insider threats.

Conclusion

At a time when cyber threats are becoming more advanced, relying on technology alone is not enough. People are the new firewall, and HR plays a very important part in shaping how people act when it comes to cybersecurity. Sri Lankan banks must include HR in their cyber resilience plans in order to protect their assets and keep their customers' trust.

References

Bandura, A. (1986) Social Foundations of Thought and Action. Prentice-Hall.
Hadnagy, C. (2023) Social Engineering: The Science of Human Hacking. Wiley.
Central Bank of Sri Lanka (2026) Annual Report.

Comments

  1. This was a very thought-provoking and timely read. I was especially interested in how you repositioned HR as a cybersecurity partner rather than just an administrative function, because it clearly shows that employee behaviour, awareness, and culture are just as important as technology in protecting banks from cyber threats. Your points on continuous cyber awareness training, secure recruitment practices, and strict offboarding procedures really stood out to me and showed how HR can directly strengthen organisational resilience. It also made me reflect on how Sri Lankan banks need to move beyond seeing cybersecurity as only an IT responsibility and instead build a stronger people-centred defence strategy for long-term trust and stability.

  2. This is a very engaging perspective on HR’s role in banking cyber resilience that clearly shows how people-focused strategies, such as awareness, training, and behavioral change, are essential in strengthening organizational security in the digital age.
    However, how can HR ensure continuous employee vigilance against cyber threats without creating fear, resistance, or excessive control within the workplace?

  3. This blog highlights an important point—cybersecurity is not just about technology, but also about people. Many banks still treat it as an IT issue, but employee behaviour plays a big role in cyber risks, especially with threats like phishing.

    The lack of continuous training and limited HR involvement in Sri Lanka shows there is still a gap in building true cyber resilience. A more people-focused approach, supported by both HR and leadership, seems necessary to address this effective

  4. This is a very engaging and well-articulated blog! I really like the idea that “people are the new firewall” — it’s a powerful way to highlight the human side of cybersecurity. Your connection between HRM and cyber resilience, especially using Social Cognitive Theory, adds strong depth to the discussion. The Sri Lankan context makes it even more relevant and practical. Overall, it’s insightful, clear, and highly relevant to today’s digital banking environment—great work!💥💪

  5. Although the article emphasizes the significance of HR in enhancing cyber resilience, it should also be observed that HR plays an indirect role in cybersecurity. For instance, in most firms, particularly banks, it is mostly the IT department and the risk management team that work towards cybersecurity. However, the HR department can only contribute to this process indirectly through recruiting, providing training, and enforcing policies.

  6. It’s a common misconception that cybersecurity is only an IT issue. You’ve rightly pointed out that the human element is often the weakest link. In your opinion, how can HR effectively transition from just providing 'mandatory training' to actually creating a 'security-first culture' where employees take ownership of cyber-resilience?

  7. Well-written and insightful, especially the way you connect HR practices with cyber resilience and employee behavior. How can banks practically measure whether HR-led cybersecurity training is actually changing employee behavior, not just awareness?

  8. This is a very insightful blog highlighting the important role of HR in cyber resilience. I like how you explained that cyber security is not only technical but also depends on employee behaviour. The focus on training and building a security culture is very relevant. Overall, a clear and well-presented discussion.

  9. This is a compelling and timely outlook that rightly shifts the focus from purely technical defenses to the human element in cybersecurity. I particularly like how you used Social Cognitive Theory to explain employee behavior, it clearly shows why HR must go beyond compliance-driven training to actively shape a security-conscious culture.
    However, it would strengthen the discussion to include how Sri Lankan banks can practically overcome resistance or lack of awareness within HR teams to take on this expanded cybersecurity role.
