Clearly cybersecurity is on the world’s stage, especially here in America. Made more visible to the general public through the concerns over Russia’s alleged influence over our presidential election, and the proliferation of “tax filing scams” reported in the general news media.
Even before our election, the hacking of records maintained by TARGET, BEST BUY and YAHOO with almost 1.5 billion records stolen have created great concerns, interest and hopefully awareness of the American public as individuals go about their business transactions.
At the same time, in corporate life, it has been often stated that the greatest point of vulnerability to an organizations data files is as a result of the behavior and lack of mindfulness of the employees themselves. A recent VERIZON data breach investigations report (2015) stated “an organization’s greatest vulnerability remains it’s own workforce”.
According to the Council on Cyber Security (within the Department of Homeland Security) HR must play a critical role. Their report (2015) states that “HR has always had an important role in managing RISKs – from natural disasters to layoff, lawsuits, and workplace violence – and cyber risk is no different – HR has an important role to play.”
Employees and others working for or within any organization, including consultants and contractors can now work from almost anywhere, bring their own devices (BYOD), use cloud-based applications and access work files on their mobile devices. The result? A profound increase in threats to cybersecurity.
A major way of mitigating these threats rests with the mindset of the employee population. Among other reasons, this is one situation where HR is best positioned to take a needed role.
The HR department has the organizational role and communications and messaging skills necessary, and with effective HR Systems, can mitigate at least some of the known causes of any “insider” cyber attack.
One known cause of an “insider” attack is the result of a well-intentioned employee who makes a mistake, such as using a personal email rather than a work email or accidentally shares something classified on social media. HR can deal with these cases by making sure employees are properly trained and educating them on a regular and continuous basis. Effective HR Technology already has access security based on individual employee roles “need to know”.
Another known cause is strongly linked to disaffected employees who have ill will toward the company. Because HR is typically tasked with implementing programs dealing with the workforce’s health and well being, in effect, tasked with understanding employee behavior, HR is the best Department to notice early warning signs that an employee could be disloyal or prone to acting in that manner, experts say.
Attackers use social media to identify a useful target and to create a relationship with them. They target people with a pre-disposition to break security controls such as those with strong views, who do not react well to authority. They look for a trigger event which will break the employee’s psychological contract with their employer – such as a demotion, change in role, redundancy or dismissal. Employees who take action against their employer are most likely to do so within 30 days of such an event. This gives the HR team a chance to intervene, including taking steps to increase monitoring and deter them. Managing an employee’s exit from a company is facilitated by an effective HRMS which can provide workflow, email triggers and alerts to all appropriate departments. Passwords and email accounts must be disabled in minutes not days, and hardware must be returned before the employee leaves the premises – or has to be shipped (and closely tracked) from remote locations.
Keeping the HRMS master files and relevant documentation safe and up to date is one of the most critical of all the contributions the HR function can make. Homeland Security’s research report finds that nearly 60 percent of fired employees steal important corporate data after departing their position. Furthermore, malicious intent aside, an IBM study found that well over 20 percent of breaches at work can be attributed to careless employee mistakes.
“The connection between HR professionals and security professionals needs to be the closest it’s ever been in history”, said Pete Metzger, Vice Chairman at executive search firm DHR International. He goes on to say that “the Chief Human Resources Officer and the Chief Information Security officer, for example, should communicate with each other about important security issues, like securing mobile devices, hiring trustworthy people (more of an HR issue) and implementing effective of authentication (more of a technical issue). Moreover, he added, HR and IT should brief all the company leadership on important security issues, keeping everyone updated on any potential risks.”
Once HR and IT team up, they can work together to build an effective cybersecurity training program encompassing policy, procedures and penalties.
HR should educate employees beginning with the onboarding of new hires and then with frequent follow up communications relating the in-place cyber awareness policies and procedures. No one should be exempt from this needed education, and the need for strong adherence and enforcement. Formal training must be continuous. It is not enough to publish a document and get a written “I agree” check mark.
Additional authentication must also be added. Remote access must be strengthened at the moment of logon. So called “2 factor” authentication such as biometric authentication now needs to be delivered out of the box by HRMS providers (who will have to integrate strong third party functionality to accomplish this). But it is a new “must have”. In general, current password and access controls must be strengthened. HR must publish and deseminate formal password administration policies and must work closely with internal IT and Security to make sure there is corporate-wide adherence and governance.
HR must strive to educate the workforce on how to recognize cyber threats before they become attacks.
A majority of companies have sophisticated software systems in place to help curtail the risk of a cyber attack from an external source, such as a virus. Consequently, some of the biggest cyber threats that companies face are from groups of hackers that purposely target a company through a process known as “phishing”. The scamming technique can take an array of forms, but typically involves an impersonator that tricks an employee to surrender valuable information, usually via email: Hackers are able to imitate emails from seemingly trustworthy sources, which employees will then open while at work. The emails can carry malicious malware that hackers can then use to access sensitive data.
Alongside “phishing,” other common threats include careless mistakes from employees, such as emailing or losing valuable data, logging onto insecure internet networks while out of the office, and conscious malicious attacks from employees or former employees.
HR must collaborate with IT and Security in building cyber awareness as HR has the expertise and experience in communicating and delivering training to the workforce.
Specifically, HR must co-lead all efforts in support of instilling workforce cyber awareness in these areas:
- knowledge of the workforce
- support in cyber security hiring
- management of HRMS and protecting HR data
- understanding and administration of workforce legal rights – especially privacy
- ongoing delivery of cyber awareness training to the workforce
While the threat of a cyber security attack can never be completely eliminated, the risk can be curtailed through effective employee workforce management. After all, as current statistics reveal, the biggest threat to a company’s cyber security is usually its own workforce.
