Posts Tagged ‘Cyber Security’

By Mike Loginov, CEO, Ascot Barclay Group and co-founder, Executive Risk Magazine

Certified Chief Information Security Officer and cyber security advisor to the UK Government, Department for Work and Pensions, G4S, Vodafone and the Metropolitan Police, among many others

Workshop leader – Cyber Security: The Essential Role of HR on 24 September, part of HR Change & Transformation 2013, London

 

Cyber Security in HR – Who Cares?

Every senior manager in every UK organisation, as far as we’re concerned. According to the National Audit Office, the UK is 20 years away from having the skills required to improve cyber security. So when it comes to individual companies, HR should be highly involved in ensuring that employees have the knowledge and abilities to prevent cyber crime.

There’s really no getting away from the risks that cyber insecurity can create. 91% of UK businesses and 73% of households have internet access, which makes them potential targets for cyber criminals. If you think ‘well, it won’t happen to us’, consider the following statistics produced by the Government:

  • Cyber crime costs UK businesses £21 billion each year, with £9.2 billion lost through intellectual property theft
  • Espionage accounts for £7.6 billion, with companies involved in tendering activities and large volumes of financial transactions being particularly vulnerable
  • Online theft costs £1.3 billion, with financial services, construction, support services and the voluntary sector being targeted
  • Large companies are susceptible to losing customer data, which costs £1 billion each year.

And don’t think that cyber criminals always target the big boys. The Federation of Small Businesses reports that 41% of its members were victims of cyber crime in the last year; common problems were viruses, hacking and security breaches.

Why HR Should Care More

So we’ve established that cyber crime could be coming to a portal near you. If you work in HR, you could be forgiven for thinking that cyber security is a technical issue that’s best left to the IT experts. However, it’s essential that everyone in HR understands that an IT system is only as good as the people who use it.

That means every employee who emails data, processes information or uses work smartphones, tablets or laptops within their jobs is part of the problem and solution. A staff member who is ignorant of safe IT working practices is a risk whom cyber criminals will target. A staff member who is cyber crime savvy is an asset in preventing anything untoward happening.

If you ask any expert in the cyber security field about the best ways to combat criminal activity, they will all include the provision of training and awareness sessions to employees. Enter the HR function, which can devise the appropriate training and development opportunities for its organisation.

Here’s a useful checklist that HR can adopt when recommending a programme of upskilling in cyber security to the executive team:

  • Research the risk to your specific organisation. Quantifying it in monetary terms always grabs more attention than theoretical concepts.
  • Identify which employees need to be trained at which levels. If you don’t know where to start, a cyber security cultural audit should steer you in the right direction. Ascot Barclay Group offers this assessment free to qualifying organisations.
  • Devise an appropriate training programme that covers the gaps. This should encompass general awareness sessions through to specialist qualifications such as Ascot Barclay Group’s Cyber Security Awareness Certification Programme for IT Professionals. From there, it will be possible to cost the training and compare it with the potential losses involved in doing nothing.
  • Check that existing policies and procedures are robust enough. If they don’t specify problem behaviour in relation to IT, they should be revised and reinforced. A YouGov survey suggested that as many as 25% of people transfer work files between office and home, so it’s up to HR to clarify what behaviour is and isn’t acceptable.
  • Include refresher information within the action plan. While it’s easy for bad habits to return after a certain period of time, timely reminders should help to keep employees on track.
  • Support the IT department to make the IT policy a live one that is discussed at team meetings and between managers. For example, employees are notorious for selecting easy passwords or even sharing passwords when they shouldn’t, so the policy should be as specific as possible on actions that will put the organisation at risk.
  • Work in conjunction with the IT department to determine who should be able to see what on the system. User access is an important part of cyber security, and it’s worth spending time on creating protocols that state which roles can view and edit within each section.
  • Develop protocols that support employees to report suspicious emails, policy-breaching behaviour and weaknesses in the system. Staff should know exactly how and to whom they should speak, and they should be confident that their concerns will be treated seriously – even if they come to nothing in the end.

The only department that is able to deliver on such a checklist is HR. In terms of who should care about cyber crime, it’s clear that HR must make its prevention a staff development priority.

Mike Loginov FRSA C|CISO

CEO, Ascot Barclay Group

www.ascotbarclay.com

Cyber Security: The Essential Role of HR (workshop, 24 September 2013, London)

… part of HR Change & Transformation 2013


The Impact of Cyber Security and Social Media on the Global HR Community

Mike Loginov, Ascot Barclay, 27 June 2013

As the internet increases global trading opportunities for business, so it also leaves the door wide open for cyber criminals to exploit the systems of organisations across the world. That includes yours. If you’ve been following the story of Bradley Manning – who passed US classified material to Wikileaks – and thinking that data leaks are a government problem, you’re very wrong.

Do you remember the case of the broker who incurred millions of pounds of losses for his investment bank employer by making unauthorised trades? You may have filed it in the ‘That’s the banks for you’ folder in your brain but it’s a perfect example of the dangers that lurk within the organisation. In other words, the employees.

The big problem is that cyber crime just isn’t being discussed enough within or outside the HR community. We Googled ‘top commercial challenges for global organisations’ and nothing on page one of the results so much as mentioned cyber crime. They covered sustainability, regulation, emerging technologies, economic recovery and pricing pressures, but nothing on data security. With such poor coverage, it’s no wonder that the subject isn’t on the HR radar.

There’s definitely a disconnect between cyber crime’s prominence and its prevalence. According to a report by the ACCA, cyber crime is now one of the top four global economic crimes. Its survey revealed that almost as many organisations were victims of cyber crime in the previous year as of accounting fraud and bribery or corruption.

Why HR Matters

So why should the global HR community sit up and take note? In the past, HR and legal departments were seen as fairly low risk, but it’s clear that they contain a lot of confidential information that is a treasure trove to cyber criminals. Just consider the issue of identity theft alone; those electronic records contain everything that a criminal needs to steal the identity of your employees. And just think what that would do to the organisation’s reputation.

As we mentioned above, the threat cuts both ways. Criminals from outside the organisation can use the weaknesses in your systems and the people who use them to their advantage. And staff within the organisation are capable of misusing confidential data. The common denominator is the employee, which makes cyber crime a high priority within the HR strategy.

On top of this, there’s the issue of social media. Businesses of all shapes and sizes use sites like Facebook, YouTube and Twitter to market their brand. With these online communications channels available 24 hours a day, social media represents an easy way for cyber criminals to access your information systems. So, while you may not have thought that the Marketing function needed much training in cyber crime, it’s clear that they need to be alert to the most common security dangers within internet marketing.

Employees should be regarded as high value assets and potential liabilities. Unless staff understand their responsibilities regarding the storage and use of confidential information, they will remain a risk to the organisation’s reputation. It’s also important that HR understands the interdependencies across the organisation and closes the gaps between functions and countries.

What the Global HR Community Needs to Do

To combat the dangers of cyber crime, HR professionals should undertake the following actions:

  • Develop ‘situational awareness’ of cyber crime threats in the locations in which your organisation operates and where confidential data is stored. A cyber security cultural audit will tell you what the current levels of knowledge of cyber crime are.
  • From this information, a training programme can be devised and delivered, focusing on the greatest areas of risk. Even if some staff have low access levels to company information, they should be made aware of problems and dangers that can exist. For those who have major information management responsibilities, consider investing in a Cyber Security Awareness Certification Programme for IT Professionals.
  • Ensure that cyber crime is placed firmly within the organisation’s risk identification protocols. While the CEO needs to lead on this, it’s essential that HR is able to work with IT to deploy personnel to manage any incidents that do occur. Furthermore, these actions must be consistent and efficient, regardless of where the problem originated.
  • Launch an induction programme that includes cyber crime awareness at the appropriate level. Only HR has the information to discern roles and their relevant user access so it’s their responsibility to lead the way.
  • Give staff clear instructions on the use of portable equipment such as laptops, tablets and smartphones and include the types of behaviour that will result in disciplinary action.
  • Above all, ensure that these actions are carried out at all the organisation’s offices and locations, no matter whether you work in a regional business or a global business that operates on different continents.

— Mike will be running a non-technical workshop specifically designed for HR professionals, to address all these areas, as part of a larger HR summit in London.

 

Cyber Security: The Essential Role of HR, 24 September, London

Part of HR Change & Transformation 2013
