PA’s Bill Windle, people and cyber risk expert, is extensively quoted in an article on the human aspect of cyber security. The article addresses the new guidance on managing employee risk, Holistic Management of Employee Risk (HoMER), produced by the Centre for the Protection of National Infrastructure (CPNI) and PA.
The article explains how technology makes it easy for organisations to be harmed, intentionally or by accident, by their own employees. Bill explains that the risk of internal personnel misusing an organisation's data and systems is high, and that the impact on its reputation and performance can be severe. He explains: “Cyber technology places enormous power in the hands of individuals, for better or worse. Today everyone is a cyber-enabled insider.”
Bill argues that technical controls on their own are not enough, and that organisations get too little value from the monitoring tools they already have: “To date the focus has been on technical solutions, which are important but not sufficient. It is expensive, impossible and ineffective to build a fortress. Many organisations only gain value from their monitoring tools after an incident has occurred. This is because they don't fully understand how to use monitoring to inform future-looking assessments that would enable the right interventions to be made...to help prevent the incident occurring in the first place.”
The article goes on to explain that HoMER emphasises the need to integrate the human factor into the protection of sensitive data and systems through better cultures, transparency, leadership and training. Bill, who played a leading role in the programme's development, comments: “HoMER gets people talking to each other through an operational, people risk-based lens which helps find new trade-offs, investment options and often efficiencies. HoMER's risk-based approach to monitoring strengthens an organisation's compliance with [Data Protection Act] privacy requirements and helps to expose new insights on security architecture.”
The article explains that an organisation's HR department is a particular target, because what employees most often want to find out is how much colleagues earn and other personal information about them. Bill points to the period when departing employees are most likely to act: “An important lesson from US research is that employees who have an intention of stealing from or damaging their organisations in other ways tend to carry out these actions three to four weeks before they leave, but few monitoring teams are informed of an employee's leaving status or resignation as a matter of routine.”
Bill concludes by explaining that HoMER shows the value of focusing on behaviours rather than people. “This makes all the difference since any monitoring can and should look for counter-productive behaviours regardless of the type of employee,” says Bill.
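The two operational points above, that monitoring teams are rarely told who is leaving and that monitoring should look for counter-productive behaviours regardless of who the employee is, can be shown as a small detection routine. The following is an added example written for this page, not code from HoMER, CPNI or PA: it runs two behavioural rules (a jump above a user's own median daily download volume, and an absolute bulk-download threshold) over a constructed access log, then uses a constructed HR leavers list to raise the priority of hits that fall inside a 28-day pre-departure window. The log format, the HR feed shape, the 10x multiplier and the 20 MB threshold are all assumptions chosen for illustration.

```python
"""Behaviour-based monitoring with HR leaver-window enrichment (added example)."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Constructed HR feed: username -> notified last working day (assumed shape).
HR_LEAVERS = {
    "bob": date(2013, 3, 29),
}

# Constructed access log: timestamp,user,action,path,bytes (assumed format).
ACCESS_LOG = """\
2013-02-04T10:00:00Z,alice,download,finance/q4_summary.xlsx,200000
2013-02-04T10:05:00Z,bob,download,hr/org_chart.pdf,150000
2013-02-11T11:00:00Z,alice,download,finance/q4_detail.xlsx,250000
2013-02-11T11:30:00Z,bob,download,hr/policies.pdf,120000
2013-02-18T09:00:00Z,alice,download,finance/forecast.xlsx,220000
2013-02-18T09:10:00Z,bob,download,hr/handbook.pdf,130000
2013-03-05T22:40:00Z,bob,download,hr/payroll_2012_full.csv,48000000
2013-03-05T22:41:00Z,bob,download,hr/employee_addresses.csv,9000000
2013-03-06T08:00:00Z,alice,download,finance/q1_plan.xlsx,210000
2013-03-12T18:30:00Z,carol,download,hr/payroll_2012_full.csv,48000000
"""

PRE_DEPARTURE_WINDOW = timedelta(days=28)  # "three to four weeks" from the article
VOLUME_MULTIPLIER = 10                     # assumed: flag >10x the user's own median day
BULK_THRESHOLD_BYTES = 20 * 1024 * 1024    # assumed: flag any day above 20 MB


def parse_log(text):
    """Parse the constructed CSV lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "path": path,
            "bytes": int(size),
        })
    return events


def daily_totals(events):
    """Sum downloaded bytes per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[(e["user"], e["time"].date())] += e["bytes"]
    return totals


def in_leaver_window(user, day, leavers, window=PRE_DEPARTURE_WINDOW):
    """True if `day` lies within the pre-departure window HR notified for `user`."""
    last_day = leavers.get(user)
    return last_day is not None and last_day - window <= day <= last_day


def flag_anomalies(events, leavers):
    """Apply the behavioural rules to every user, then enrich hits with leaver status.

    The rules run for all users alike; HR data only changes the priority.
    """
    history = defaultdict(list)  # user -> [(day, bytes)] in date order
    for (user, day), size in sorted(daily_totals(events).items(), key=lambda kv: kv[0][1]):
        history[user].append((day, size))

    flags = []
    for user, days in history.items():
        for i, (day, size) in enumerate(days):
            reasons = []
            earlier = [s for _, s in days[:i]]  # this user's own baseline so far
            if earlier and size > VOLUME_MULTIPLIER * median(earlier):
                reasons.append("volume")
            if size > BULK_THRESHOLD_BYTES:
                reasons.append("bulk")
            if not reasons:
                continue
            leaving = in_leaver_window(user, day, leavers)
            flags.append({
                "user": user,
                "day": day,
                "bytes": size,
                "reasons": reasons,
                "leaver_window": leaving,
                "priority": "high" if leaving else "medium",
            })
    flags.sort(key=lambda f: f["day"])
    return flags


if __name__ == "__main__":
    for f in flag_anomalies(parse_log(ACCESS_LOG), HR_LEAVERS):
        print(f"{f['day']} {f['user']:6} {f['bytes']:>10} {f['reasons']} "
              f"leaver_window={f['leaver_window']} priority={f['priority']}")
```

Running it flags bob's 5 March downloads as high priority (the volume jump against his own history, the bulk size, and the fact that his notified last day puts him inside the window) and carol's 12 March payroll download as medium priority on the bulk rule alone. Alice, whose volumes stay close to her baseline, is not flagged. The point the example makes is the one in the quotes: the rules are about behaviour and run for everyone, while the HR leaver feed, which monitoring teams rarely receive today, is what turns a medium alert into one worth acting on immediately.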