By Mike Loginov, CEO, Ascot Barclay Group and co-founder, Executive Risk Magazine
Certified Chief Information Security Officer and cyber security advisor to the UK Government, Department for Work and Pensions, G4S, Vodafone and the Metropolitan Police, among many others
Workshop leader – Cyber Security: The Essential Role of HR on 24 September, part of HR Change & Transformation 2013, London
Cyber Security in HR – Who Cares?
Every senior manager in every UK organisation, as far as we’re concerned. According to the National Audit Office, the UK is 20 years away from having the skills required to improve cyber security. So when it comes to individual companies, HR should be highly involved in ensuring that employees have the knowledge and abilities to prevent cyber crime.
There’s really no getting away from the risks that cyber insecurity can create. 91% of UK businesses and 73% of households have internet access, which makes them potential targets for cyber criminals. If you think ‘well, it won’t happen to us’, consider the following statistics produced by the Government:
- Cyber crime costs UK businesses £21 billion each year, with £9.2 billion lost through intellectual property theft
- Espionage accounts for £7.6 billion, with companies involved in tendering activities and large volumes of financial transactions being particularly vulnerable
- Online theft costs £1.3 billion, with financial services, construction, support services and the voluntary sector being targeted
- Large companies are susceptible to losing customer data, which costs £1 billion each year.
And don’t think that cyber criminals always target the big boys. The Federation of Small Businesses reports that 41% of its members were victims of cyber crime in the last year; common problems were viruses, hacking and security breaches.
Why HR Should Care More
So we’ve established that cyber crime could be coming to a portal near you. If you work in HR, you could be forgiven for thinking that cyber security is a technical issue that’s best left to the IT experts. However, it’s essential that everyone in HR understands that an IT system is only as good as the people who use it.
That means every employee who emails data, processes information or uses work smartphones, tablets or laptops within their job is part of both the problem and the solution. A staff member who is ignorant of safe IT working practices is a risk that cyber criminals will target. A staff member who is cyber-crime savvy is an asset in preventing anything untoward from happening.
If you ask any expert in the cyber security field about the best ways to combat criminal activity, they will all include the provision of training and awareness sessions for employees. Enter the HR function, which can devise the appropriate training and development opportunities for its organisation.
Here’s a useful checklist that HR can adopt when recommending a programme of upskilling in cyber security to the executive team:
- Research the risk to your specific organisation. Quantifying it in monetary terms always grabs more attention than theoretical concepts.
- Identify which employees need to be trained at which levels. If you don’t know where to start, a cyber security cultural audit should steer you in the right direction. Ascot Barclay Group offers this assessment free to qualifying organisations.
- Devise an appropriate training programme that covers the gaps. This should encompass general awareness sessions through to specialist qualifications such as Ascot Barclay Group’s Cyber Security Awareness Certification Programme for IT Professionals. From there, it will be possible to cost the training and compare it with the potential losses involved in doing nothing.
- Check that existing policies and procedures are robust enough. If they don’t specify problem behaviour in relation to IT, they should be revised and reinforced. A YouGov survey suggested that as much as 25% of people transfer work files between office and home, so it’s up to HR to clarify what behaviour is and isn’t acceptable.
- Include refresher information within the action plan. While it’s easy for bad habits to return after a certain period of time, timely reminders should help to keep employees on track.
- Support the IT department to make the IT policy a live one that is discussed at team meetings and between managers. For example, employees are notorious for selecting easy passwords or even sharing passwords when they shouldn’t, so the policy should be as specific as possible on actions that will put the organisation at risk.
- Work in conjunction with the IT department to determine who should be able to see what on the system. User access is an important part of cyber security, and it’s worth spending time on creating protocols that state which roles can view and edit within each section.
- Develop protocols that help employees report suspicious emails, policy-breaching behaviour and weaknesses in the system. Staff should know exactly how and to whom they should speak, and they should be confident that their concerns will be treated seriously – even if they come to nothing in the end.
The only department that is able to deliver on such a checklist is HR. In terms of who should care about cyber crime, it’s clear that HR must make its prevention a staff development priority.
Mike Loginov FRSA C|CISO
CEO, Ascot Barclay Group