Cybersecurity Is Too Important To Leave To IT

As hackers increasingly exploit human vulnerability, HR has a vital role to play, not least in ensuring businesses have the technical talent to fight back

They say crime doesn’t pay but, when it comes to cybercrime, it certainly costs. Oxford Economics reports that the average large business loses £120m when it is hit by a hacking attack; averaged out across the economy, it means around £4m per business, per year, is attributed directly to hacking.

And that doesn’t include reputational damage, or the price of defending against cyber assaults. Executives still wake up in terror at the prospect of suffering an email leak as widespread as the one Sony endured in 2014, when the spats of the Hollywood elite were laid bare alongside a trove of almost 50,000 employees’ details. 

TalkTalk’s reputation is still recovering after 150,000 customer records were compromised in 2015.

More recently, the NHS was crippled in May after a widespread ransomware attack, nicknamed WannaCry, locked staff out of computer systems unless they forked out a bitcoin ransom. Relatively few paid up and a workaround was found in days, but the cost of cancelled operations was incalculable, and experts still cannot agree on how the attack spread. To assume such events are primarily solved by better software and a more empowered IT department is to neglect an important detail, say experts: HR must be central to educating employees and addressing organisational vulnerabilities. 

As Claire Logan head of people and talent at PA Consulting Group, says: “HR has a critical role in cyber-security. Too often, IT teams care passionately about it, but don’t know how to communicate that passion to other employees.”
“We cannot protect organisations only through technology,” adds Peter Cheese, chief executive of the CIPD, which last year teamed up with the Department for Culture, Media and Sport to launch an e-learning tool to help the HR profession tackle cyber threats. “An awful lot of it is human behaviour and action.”

Government research discovered that, while almost two-thirds (65 per cent) of large UK businesses had fallen victim to a cyber-security breach in the space of a year, just 17 per cent were training staff on the issue. 

The National Cyber Security Centre in London was launched, in part, to increase awareness of this issue. And the broadening scale and complexity of threats illustrates why such action is necessary. While WannaCry most likely spread via a ‘worm’ that hunted down and exploited vulnerabilities in corporate networks, there are equally pressing issues around targeted hacking, malware in the form of spam emails, or fraudulent, convincingly crafted messages aimed at persuading finance departments to authorise payments.

‘Phishing’, meanwhile, often involves researching individuals via social media to write emails or direct messages that they are more likely to respond to, as opposed to the primitive spam of days gone by. And the threat doesn’t even have to be virtual: a cyber consultancy recently revealed that a major London law firm had discovered that the TV in its boardroom was secretly relaying an audio feed to an external source in a different country. 

New figures from Willis Towers Watson suggest that 46 per cent of UK employees spent half an hour or less on cybersecurity training in 2016, with 27 per cent having done none at all. A new mindset to learning may be required in this area. “We’ve got to move beyond this compliance tick-box approach, which has been used in various contexts over the years to say: ‘Well, we’ve done our training because we’ve ticked a box and everybody’s done their e-learning course on anti-bribery or corruption or modern slavery’ or whatever it might be,” says Cheese.

Consultancy firm PwC, for example, recently launched Game of Threats, a digital game designed to mimic a cyber-attack on an organisation, as a learning tool for clients. “Game of Threats engages people in a scenario, in a playful, gamification of cybersecurity,” says Anthony Bruce, HR consulting partner at PwC. 
“It’s about engaging people in a way that is stimulating, fun, not traditional, not sitting in front of a screen pressing buttons.”
Cheese believes the trick to creating training that lands is to link it to how cybercrime could affect staff in their personal lives. “Make them feel: ‘Gosh, this affects me just as much as it affects the organisation’, then you create that buy-in and engagement much more strongly than just presenting this as a rather dull corporate thing,” he says.

However, even the most awe-inspiring training programme won’t help protect an organisation if the wider company culture is not geared towards cyber threats. 
“To really make a difference to cybersecurity, the HR team needs to think and act as though it’s a culture change activity,” says Logan.

Studies suggests cyber awareness among the public at large is still low. In 2016, researchers at the University of Illinois dropped USB sticks around their campus, 98 per cent were picked up and people opened files on 45 per cent of the sticks, sometimes within six minutes of the device being planted. When asked why they had accessed the files, the majority (68 per cent) said they were trying to locate the drive’s owner, although 18 per cent admitted they had given in to curiosity.
Bruce says: “We’ll know we’re getting there when, if you’re in a meeting and there’s a USB stick on the table and you want to return it to the owner and go to stick it in your computer, somebody says: ‘Hang on. Do you know where that came from and do we know what’s on it?’”

Building that strong cyber culture involves HR not just in improving learning outcomes, but in sourcing expertise. Recruiter Robert Half Technology says 77 per cent of CIOs fear they will face more security threats over the next five years because of a lack of skilled staff. IT security vacancies increased by 6.2 per cent in the year to April 2017, as businesses scrambled to protect themselves from hacks.
“HR must take an active role in ensuring businesses have access to expertise to protect against cyber-attacks,” says Ann Swain, chief executive of the Association of Professional Staffing Companies.
“This includes the recruitment of IT specialists to ensure systems are secure. HR directors must communicate the need for resource in this area and advise on the potential consequences if adequate skills are not in place.”
Of course, not every staff member is on the organisation’s side in the battle against cyber attacks. An increasing number can be attributed to malicious insiders. “In most cases, there were warning signs before they happened and those signs were ignored. 

It’s a case of: ‘I always thought this individual was acting strangely, but I didn’t think I could tell anyone,’” says Nick Seaver, information and technology risk partner at Deloitte. “HR are great at being the people who can both look for the flags that indicate someone is a risk to the organisation, and help create a culture where people feel empowered to raise a suspicion.”
Throw in the large number of contractors and contingent workers who supplement full-time employees and this vigilance becomes even trickier. “Ensuring contingent workers have completed the same training, that we know who they are and have the same amount of confidence that they don’t have malicious intent is important,” says Bruce. “Because of the turnover in that kind of work, it can be a crucial back door into organisations.” With experts warning it is a question of when, not if, a WannaCry-scale attack is repeated, breaking down the siloes that keep IT and HR apart is a matter of urgency. 

CIPD

You Might Also Read:

Cybersecurity Is A Bigger Issue Than Brexit:

 

Directors Report January 2017. Cyber Security Checklist For Management (£):

 

« Ukraine Police Trace Petya Attack Source
FBI Investigating Kaspersky »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

eco

eco

eco, with more than 950 member organizations, is the largest Internet industry association in Europe.

Lacework

Lacework

Lacework brings speed, scale, and automation to cloud security and allows security and DevOps teams to collaborate on keeping data and applications safe.

Polyrize

Polyrize

The Polyrize continuous authorization platform for SaaS and IaaS stops tomorrow's public cloud cyber threats, today.

Cyber Resilience

Cyber Resilience

Cyber Resilience offer an intensive program designed to help you create strategies to quickly become cyber resilient and to manage cyber risks in a measurable and predictable way.

Mendoza Ventures

Mendoza Ventures

Mendoza Ventures is a venture capital fund focusing on pre-seed Artificial Intelligence (AI), Fintech, and Cybersecurity startups.

In-Sec-M

In-Sec-M

In-Sec-M is a non-profit organization that brings together companies, learning and research institutions, and government actors to increase competitiveness of the Canadian cybersecurity industry.

TAC Security (TAC Infosec)

TAC Security (TAC Infosec)

TAC Security (aka TAC Infosec) is a leading and trusted cyber security consulting partner that specializes in securing the IT infrastructure and assets of enterprises.

Dataprovider.com

Dataprovider.com

Our Brand Protection Suite gives you the tools to discover trademark infringement on the Internet, such as websites selling counterfeit products, even when this is not immediately noticeable.

Cyble

Cyble

Cyble Vision enables faster detection of cyber threats and focuses on identifying and analysing the motivations, methods, capabilities and tools of adversaries.

CentricalCyber

CentricalCyber

CentricalCyber is a cyber risk consultancy and NIST CSF specialist set up to help business leaders better understand and manage cyber risk.

MorganFranklin Consulting

MorganFranklin Consulting

MorganFranklin Consulting is a management advisory firm that works with businesses and government to address complex and transformational technology and business objectives including cybersecurity.

SOOS

SOOS

SOOS is the easy-to-integrate software security solution for your whole team. Build, catch, and fix vulnerabilities with SOOS Software Composition Analysis.

Red Access

Red Access

Red Access provides the first SaaS-based platform to protect web browsing from cyber threats on any browser and any in-app while ensuring frictionless user experience.

Cyber-Security Council Germany

Cyber-Security Council Germany

The German Cyber Security Council's objective is to consult businesses, government agencies and political decision-makers and to support them against cybercrime.

AgilePQ

AgilePQ

AgilePQ visibly secures IoT devices worldwide to protect the privacy, safety, and well-being of all people.

ArmorX AI

ArmorX AI

ArmorX AI (formerly Kapalya) operates an encryption management platform designed to encrypt all data in transit and at rest on mobile end-points, corporate servers, and cloud servers.