The UK government considers cyber security a tier-one national security priority alongside international terrorism, with an annual cost of around £27 billion. Yet research shows that 96 per cent of all cyber crime could be addressed through adherence to the basic security policies that already exist in many organisations. For these policies to be effective, however, employees must understand their value and demonstrate their commitment to improved security by consistently applying them in the way they think and behave.
Human resources directors can play a key role in keeping organisations safe in cyberspace by:
taking ownership of the security risk posed by employees
ensuring security measures are both practical and ethical
helping identify employees who may present a particular risk.
Taking ownership of the security risk posed by employees
Most employees assume that cyber security is a technical issue and it is not until after a successful attack that they start taking personal responsibility for security. Attitudes like this make an organisation vulnerable. To improve their chances of success, hackers are now searching out the organisations that are likely to be less aware of the cyber threat: those that have not been attacked yet, such as smaller companies or those with a lower public profile. HR has a vital role to play in educating employees about the impact their attitudes and behaviour have on the organisation's security.
Ensuring that security measures are practical and ethical
Controls can stop people acting in a way that places the organisation at risk, but they must be consistent with the way people behave and think. For example, randomly generated passwords are hard to crack, but most people have to write them down, which defeats their purpose. Monitoring can allow organisations to examine what employees are doing but often raises questions of trust and crosses the boundary between private life and business. The HR team is best placed to advise on whether policies are likely to work and whether they are appropriate.
Identifying employees who may present a particular risk
Breaking into a network takes minutes. However, finding and safely extracting what they are after may take criminals months or even years of research and planning. To shorten this process, cyber criminals are getting help from insiders (whether knowing or manipulated) in more than half of all advanced attacks.
Attackers use social media to identify a useful target and to build a relationship with them. They target people with a predisposition to break security controls, such as those with strong views who do not react well to authority. They look for a trigger event which will break the employee's psychological contract with their employer – such as a demotion, change in role, redundancy or dismissal. Employees who take action against their employer are most likely to do so within 30 days of such an event. This gives the HR team a chance to intervene, including taking steps to increase monitoring and deter them. Managing an employee's exit with a view to security is also one of the most critical of all the contributions the HR team can make.
PA has worked with the UK government’s Centre for the Protection of National Infrastructure (CPNI) to help define, develop and deliver new national guidance on managing people, physical and cyber risk. The guidance will ensure the UK is at the forefront of enabling organisations across its national infrastructure to reduce counterproductive behaviour.