Five Ways HR Can Improve Cyber Security

Uploaded on 2019-07-15 in NEWS-News Analysis, JOBS-Careers, FREE TO VIEW

Security breaches are becoming more targeted and costly. The UK government’s Cyber Security Breaches Survey 2019 shows that one in three businesses (32%) suffered an attack or breach in the previous 12 months. 

These attacks had an average cost of £4,180 to each smaller business and nearly £10k for charities that were attacked, but medium and larger businesses some paid a lot more.

Around a third (32%) of businesses and two in ten charities (22%) report having cyber security breaches or attacks in the last 12 months. As in previous years, this is much higher specifically among medium businesses (60%), large businesses (61%) and high-income charities (52%). 

As companies ramp up their cyber defences with more sophisticated technology, attackers are choosing softer targets. Attacks that rely on human error, such as phishing (identified by 80% of respondents) and impersonating an organisation (28%) now outnumber viruses, spyware or malware attacks (27%).

Incidents can result in loss of data or even large sums of money. Last year holiday company Butlin’s admitted that up to 34,000 guests may have had their personal details compromised as a result of a phishing attack. 

Meanwhile, the financial director of film company Pathe’s Dutch arm was sacked after paying over €19m into a bank account in Dubai, along with the CEO Edwin Slutter who had authorised him to do so. The two men believed they were acting on instructions emailed from the Paris headquarters and that the funds related to a company acquisition. Both later filed for unfair dismissal.

Cyber security has traditionally been seen as a job for IT departments, but as threats change they are unable to hold the line alone. It has become a company-wide challenge and HR professionals have a key role to play in minimising it. 
Malware protection and anti-virus software are vital, but technology will not deter intruders if poor staff awareness or access policies effectively leave the door wide open.

HR professionals need to ensure employees’ skills are updated to encompass cyber security. Most have already taken the first steps by increasing data protection measures in light of the General Data Protection Regulation, and the Cyber Security Breaches Survey found the regulation had raised awareness of security, but the focus has largely been on data. 

There is still more that organisations can do to protect themselves from cyber risks. This includes taking important actions that are still relatively uncommon, around board-level involvement in cyber security, monitoring suppliers and planning incident response. 

Organisations now need to consider cyber security as a whole.

Here are five step HR teams can take to minimise threats:

1. Collaborate with IT
HR and other departments need to work closely with IT departments to manage cyber security. Ideally there should be a company-wide framework that brings different elements together, including technology and policies and procedures, and ensures that everyone understands their roles and responsibilities.

2. Understand the basics
While HR professionals do not need to know all the technical details, it will be useful to learn the basics of cyber security. The government’s Cyber Essentials guide outlines the key principles. The most relevant for HR is the need to control user access, the key principle being that “staff should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them”.

3. Put the right policies and procedures in place
Access rights should be outlined in a user access control policy, granted as part of the onboarding process, reviewed regularly, then revoked when an employee leaves the organisation. There should also be appropriate password controls in place and a process to allocate secret authentication information to users.

The use of mobile devices and remote working must also be considered. Companies should have a policy detailing the acceptable use of mobile devices, along with a policy on security measures to protect the information accessed, processed or stored outside the office. Social media is another risk.

Policies and procedures will be determined by the organisation’s circumstances and whether it simply wants to meet its legal obligations or achieve a recognised standard such as Cyber Essentials or ISO/IEC 27001:2013.

Employers should also complete background checks as part of staff-vetting procedures and have a disciplinary process for those who breach security rules. 

In 2014 a disgruntled Morrisons employee deliberately leaked staff salaries, bank details and national insurance numbers of 100,000 staff numbers to newspapers and data-sharing websites. Although he was sentenced to eight years in prison, Morrisons was also found vicariously liable for his actions. The retailer has been given permission to appeal the decision in the British Supreme Court.

4. Carry out staff training
All staff should have some type of cyber security training to make them aware of security and data protection rules, policies and procedures, plus any particular threats they may encounter. Cyber security training should be part of the onboarding process, but in any case employees need to receive updates regularly.
While staff at all levels have a responsibility to protect their employer’s data, directors have a particular duty of care. Regulators have made clear that it is a board-level issue and are willing to hold directors liable for any breaches. The National Cyber Security Centre says cyber security should be part of a manager’s skill set and its guidance states that “executive staff should be as aware of the major vulnerabilities in their IT estate as they are of their financial status”.

 5. Put monitoring in place
Companies need to be able to detect threats at an early stage. While breach detection might normally be outside the HR remit, HR teams do need to know if procedures have not been carried out by staff. An emergency plan also needs to be in place in case a data breach or other incident occurs.

Employers should keep records for compliance purposes too. Not every incident can be prevented, but they should be able to demonstrate that steps have been taken to minimise security risk.

While much of the responsibility for cyber security lies with IT departments, an organisation’s systems will not be watertight unless human error or malpractice is tackled with HR’s input. 

Personel Today:         DCMS Cyber Breach Survey

You Might Also Read: 

Five Reasons To Learn Cyber Security:

 
« Cyber Essentials For Board Directors
India & Japan In Cyber Security Pact »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Mielabelo

Mielabelo

Belgian consulting firm providing services in the security and compliance of information systems and IT service management.

UL

UL

UL is a safety, security and compliance consulting and certification company. Areas covered include cyber security.

Secnology

Secnology

Secnology is dedicated to developing and providing the most powerful and user friendly event analysis and security management solution.

Secure Decisions

Secure Decisions

Secure Decisions focus on research and product development related to national security including information assurance, computer network defense, cyber security education, and application security.

Inogesis

Inogesis

IDnow

IDnow

IDnow is the world’s fastest, most flexible and most secure identity verification platform, delivering instant verification of the identity documents used by 7 billion people.

Real Random

Real Random

Real Random is on a mission to enhance existing and new crypto-systems with its revolutionary solution to generating numbers that are Truly Random.

Gulf Computer Services Co (GCSC)

Gulf Computer Services Co (GCSC)

Gulf Computer Services is a major player in the field of networking & Communication solutions for emerging industries such as Internet Services and Information Technology in Saudi Arabia.

Awake Security

Awake Security

Awake Security offer a security solution built on an AI platform that acts like the human brain to sense, detect, and respond to threats you may not even know exist.

SafeHouse Technologies

SafeHouse Technologies

SafeHouse is a cloud-based, high-end cybersecurity platform that can secure and insure any device that is connected to it.

Google for Startups

Google for Startups

Google for Startups is Google’s initiative to help startups thrive across every corner of the world.

Flix11

Flix11

Flix11 is a Cyber Security & ICT Solutions focused company. We provide a range of products and services in Cyber Security, Internet of Things (IoT) and infrastructure solutions.

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

CSRI solves the cyber security threats of tomorrow, today. We work with industry and government leaders on innovative research that has real-world impact.

MainNerve

MainNerve

MainNerve helps secure networks, applications, people, and facilities… enabling businesses to reduce risk and increase their cybersecurity posture.

Cider Security

Cider Security

Cider Security - It’s time to revolutionize the way Security, Dev and DevOps teams work together to supercharge security at the speed of engineering.

StrongBox.Academy

StrongBox.Academy

StrongBox.Academy provides cybersecurity training courses that are tailored to the specific needs and challenges of the industry.