Six things HR needs to know about cyber security

17 Sep 2015

Information protection is no longer just IT’s responsibility

From Sony to Ashley Madison, hacks are making headlines. But protecting your company’s data is not just an IT issue. In January, People Management revealed that 76 per cent of security threats originate internally, and that employees are usually at the front line when a breach occurs.

According to a survey by data loss prevention company Clearswift, 76 per cent of employees believe it is time HR stepped up and became more involved with IT security. 

So here they are: six digestible things HR should know about cyber security.

Forewarned is forearmed

“Training for all employees is critical and doing it once for new joiners isn’t sufficient – it is an ongoing process,” says Jacqui Summons, group HR director, Clearswift. “Making it ‘real’ is another point. Sitting through cyber security training because you have been told it’s a necessity is less powerful than understanding what would happen if there was a breach.”

Jeremy Bergsman, IT practice leader at consultancy CEB, agrees that practical approaches, such as mock ‘phishing’ campaigns, work better than PowerPoint presentations.

“HR has a key role to play by gathering data on which approaches really change employee behaviour,” he says.

HR, train thyself

HR isn’t exempt from training: “Many organisations have systems that spot suspicious activity. If HR is trained to use these, they will quickly build up a better view of how information flows around the organisation and what activities are causing problems. This will be invaluable in pre-empting problems,” says Summons.

Know who’s doing what

Professor Mark Skilton, digital expert at PA Consulting and professor of practice at Warwick Business School, says that HR professionals must be able to identify and track which workers have access to confidential information, not least because social media has made sharing such information easier than ever.

A clear, well-communicated policy can go a long way: “Employee contract terms must recognise responsibilities when using public websites,” says Skilton.

Don’t skimp on skills

Skilled IT staff carry a hefty price tag but, according to Skilton, they are essential for getting you through a serious attack.

“The complexity of threats such as silent malware and ‘zero day’ attacks that occur suddenly require strong technical skills and appropriate escalation and handling,” he explains. “This is not trivial or something that a cloud provider ‘does as a service’. It needs a focus on security audit skills, which requires a skilled specialist.”

Attract the best

With hotshot IT staff in high demand, how can HR make sure their job offer stands out?

Charles Sweeney, chief executive of IT security company Bloxx, says: “To attract employees with cyber security skills or knowledge, HR needs to let it be known that such insights are valued across the whole organisation – not just in IT or network security.”

“Businesses must demonstrate that they can provide the right mix of challenge and reward,” explains Gary McCloskey, senior manager, cyber risk services, Deloitte UK. “Strong training and professional development budgets are distinguishing features. An open and accommodating culture is important to attract some of the more deeply technical cyber specialists, who may not arguably be attracted to strongly conservative or traditional organisations.”

And if the worst does happen…

Alastair Paterson, CEO of cyber security awareness company Digital Shadows warns that in the event of a breach, it is likely that highly confidential or personal information will be exposed.

“HR needs to notify those affected individuals as soon as possible, and the company should adhere to its crisis policies (for instance, credit protection for employees) to determine appropriate action,” he adds.

Summons adds: “Firms need to support employees impacted by the data loss. Fluent communications combined with a strong understanding of the process will be fundamental to a good reactive strategy.”

Comments (1)
  • I think that there is an important seventh point around cultural change. Training won't be sufficient even if you provide practical demonstrations to bring the threat to life. An effort needs to be made to change culture so that every member of an organisation, from the intern to the CEO, accepts that they are in part responsible for cyber security. People should feel empowered to question the behaviour of others (ideally irrespective of level) if it appears to be putting the organisation at risk. However, because of the constantly changing nature of the threat, breaches (unless they involve obvious negligence or are malicious) should be treated as an opportunity for learning: a blame culture is likely to drive the problem underground.