Date: 05/12/17 | Duration: 00:22:21
One of the biggest challenges for any organisation is managing risk and for HR professionals, their people are at the heart of creating a secure organisation. With up to 96% of cyber security breaches owing to human, rather than technological error, it is imperative that an organisation’s people, its management and its processes are well prepared.
In the first of two episodes on people risk we look at the cyber security risks facing organisations today – a threat which the UK Government estimates cost £27 billion annually. We’ll hear from representatives from CIPD, Safer Jobs, the Corsham Institute, Cyber Insider and Cifas, the UK’s largest cross-sector fraud sharing database. We’ll be discussing the key role HR professionals play in managing people risk and the steps they can take to ensure their people processes are contributing to maintaining a secure organisation.
Philippa Lamb: So this is the first of what’s going to be two podcasts around risk. Initially the first one specific emphasis on cyber risk and the second around recruitment and the particular risks associated again on cyberspace with recruitment. Now Warren you brought us these stories, introduce yourself.
Warren Howlett: I'm Warren Howlett head of HR content at the CIPD. So people risk has been around for a really long time. It’s actually as a concept nothing new but what we want to do is focus on two really emergent areas where we’re seeing significant change.
PL: So in this first episode we’re going to be looking at cyber risk and specifically how people play into that. The big breaches at organisations like Uber, Sony and the NHS, they all hit the headlines but we never actually hear about countless other breaches.
WH: 90% of large organisations have experienced some kind of breach, around 75% of SMEs and a lot of that is coming from the insider threat so those are employees which are within the organisation and are intentionally or unintentionally causing a breach for that organisation. So that's the first area that I think is really interesting and one where we want to raise awareness, both in terms of the risk itself but also as organisations how can we most effectively tackle that risk.
PL: And in the second episode we’ll be focusing on the people risk, specifically around recruitment where fraud is becoming a major issue.
WH: There is a significant amount of fraud that's happening in the recruiting space and in particular for candidates and they’ll be encouraged to apply for a job from a well-known brand and all of a sudden someone who is purporting to be from that organisation is asking them for some money for a visa or asking them to pay for a work permit. The candidate gets sucked into the cycle of paying into a fraudulent activity.
PL: So this time we’re going to look at organisational cyber risks and what HR can do to combat them. And we are approaching a key deadline on this, between now and May 25th next year all companies have to formulate a policy on the EU General Data Protection Regulation, that's the GDPR. Now this is one of the biggest changes to data protection legislation in the past 20 years. The intention is to give everyone living in the EU greater control over their personal data and that is creating a seismic shift in the IT landscape too.
We all know that digital systems are potentially vulnerable to failure or even attack. You'll remember WannaCry that ransomware attack which created chaos in the NHS, and the Golden Eye attack which directly targeted data held by HR teams. But most cyber breaches aren’t created by IT failings, 96% of cyber breaches are down to humans and that is the message that many organisations are being very slow to grasp.
Which department looks after cyber security in your organisation?
FV1: IT yeah IT.
PL: Just IT?
FV2: HR and IT together.
MV: I would say it was the IT department.
PL: Do you think you’re up to speed with cyber security at work?
MV1: 100% yes.
FV3: Um, well I think our IT team is taking good care of that.
PL: So do you see it just as a tech issue then or a people issue?
FV4: I think it’s a people issue.
MV2: That's a difficult question.
MV3: Cyber security, um, I've only been at my current workplace for the past four months and it’s not really been a topic that's been considered.
PL: Here are some scary figures, 47% of HR departments have no idea when cyber resilience was last reviewed in their organisation and just 22% have looked at people risks in the past year. Cifas is the largest cross sector fraud sharing organisation in the UK. It maintains a national database of confirmed fraud cases which it shares with its members, that's businesses, charities, public bodies and individuals too. It also maintains an internal fraud database to combat insider threats. Lee D’Arcy is Director of Engagement and he told me what we all know to be true.
Lee D’Arcy: Fraud is on the increase we know from our numbers, if you talk to the Office of National Statistics, everybody, the police, they’re all saying fraud is a major issue and it’s so much easier now for people to commit a crime in their bedroom with their laptop than it is to actually do it physically with all the CCTV cameras that are around. In the old days people would put a stocking over their head wouldn’t they and go into a shop with a cucumber and a plastic bag. Now they just stay in their bedroom, get their laptop out and pretend to be someone else. So unfortunately there are organised criminal gangs who will infiltrate organisations. There was an interesting advertisement on Craigslist for postmen to earn up to £1,000 for stealing the mail. It really does happen on a regular basis. And
Keith Rosser: We see all the time more and more intricate and innovative ways that people are finding to defraud organisations which means that last year’s controls may not be adequate for next year’s fraud.
PL: Keith Rosser is chair and board director at Safer Jobs, it’s another non-profit, a joint industry and law enforcement organisation, it supports job seekers, agency staff and contractors with any suspected fraud. It’s backed by government and the Metropolitan Police and I asked Keith to tell me where these fraudsters are coming from.
KR: Unfortunately it’s global. So we’ve had a look at some of the organised elements to see where they’re based and we’ve found them all over the world – Eastern Europe, Asia, all over the world, certainly in parts of Africa too we’ve found that actually fraudsters can set up with a computer and operate anywhere globally and facilitate fraud in the UK.
PL: But it does highlight the issue doesn’t it of the whole clicking on a link, an unknown link from them that's such an issue for everyone in their private and professional lives, when do you click, when do you not?
KR: Yeah that's right and we’re seeing a lot of targeted activities against HR directors and chief executives where fake emails are going to genuine people’s accounts because fraudsters are getting real names and working out their email addresses and are sending them all kinds of ransomware, click through from email issues, but also targeting them to try and get a response of any sort from those people so they can use that response in future to then say to the company that their CEO has authorised some payment or transfer. So we see that as well. We’ve advised a lot of CEOs and HR directors etc. just not to reply at all because people take any reply, change the wording and use it as, here your chief executive has authorised you to pay this money into our account for services.
PL: Criminal gangs and fraudsters targeting companies for money or data or sometimes purportedly moral crusades of one sort or another, that is the stuff that hits the headlines. But Rob Campbell CIPD’s own cybersecurity expert says that although that threat is on the rise it’s better understood and there are protective products in place so the bigger threat is actually already inside your organisation.
Rob Campbell: Because that stuff is so much better understood there's tools in place that you can use to try and mitigate that. I think most of the real threat these days and I think there's been a lot of studies done most of that's going to come from what we call internal threat and that's typically going to be people who are already inside your organisation, so crossing the threshold to get inside has already been done so that's why that threat is a little more visceral.
PL: Keith Rosser says he's seen a steep increase in the number of people actively looking to defraud organisations.
KR: People are deliberately trying to get into organisations just to commit fraud. It used to be financial services in particular that people target but actually these days we find people are targeting a whole range of sectors, particularly those sectors that have fewer controls because they're easier for fraudsters to target.
PL: Which is an unsettling thought but not surprising given there are broader drivers of organisational risk. Here’s Warren Howlett again.
WH: The amount of data and information has grown exponentially but so has how employees interact with that data and each other. So seven out of ten employees interact with more folks than they have done in the past. The impact of the technology in augmenting the workplace has been proficient and we’ve seen the growth of bring your own devices and linked to technology then we get into things like wellbeing where we’re seeing four in ten employees reporting having extra stress at work and the reason why that’s important is when people are more stressed they tend to make poorer decisions, they tend to demonstrate the kinds of behaviours that you wouldn’t necessarily want to see in the workplace so wellbeing in itself is important. And we also have seen big shifts in terms of the workforce. So there is a big growth in the contingent workforce and for managers at the same time their spans of control have increased. So HBR report that the spans of control for senior execs have doubled. So then you've got the situation where managers are trying to keep an eye on all of these different things but the number of people that they actually have to manage has significantly increased.
PL: Given that most threats are internal if we strip out people just making mistakes who are the actual perpetrators? Well there seem to be three main categories.
LD’A: There's a guy called Professor Martin Gill at Portsmouth University who spoke at the Cifas Conference last year and he interviewed people who had been convicted of employment fraud. So he went into the prisons and had a chat with these people and wanted to understand why did you do this?
PL: Because these are not career criminals are they; they don't start out that way?
LD’A: Exactly right and what he was really interested in was that most people said, “Do you know what I did it because I could.”
LD’A: I did it because I could. It was easy to and it became too easy not to do it.
PL: So those are the opportunists. Bill Windle identified the second type of cybercriminal for us. He's director of the cybersecurity consultancy Cyber Insider.
Bill Windle: I was at a speaker from a global technology company stood up and said, “We are having the graduates running against us and after nine months they have acquired what they want, what they’ve been briefed to gather, and they then leave and after a time join a competitor.”
PL: So graduates or other employees who just take off with a raft of valuable data tucked away on a memory stick.
BW: Very often we see almost the highest proportion of malicious actions are just among leavers. Leavers from organisations, a low percentage might be about 10%, take information, sensitive data, intellectual property with them, and they think that's fine.
PL: And what do they do with it because thinking about someone walking off with data from the role they had in one organisation before they look for a job in another and I don't think most people would know what to do with the data they'd taken would they? Do they take it as a power play or do they actively take it as something they think they can sell?
BW: Typically it’s not for sale; typically it’s for them to use to support them in the next job. It might not even be as clear as that, sometimes they just think well I've been working on this, in a sense I have ownership of it.
PL: So it’s kind of mine.
BW: It’s kind of mine, which of course it isn’t.
PL: But the biggest group of malicious cybercriminal insiders is something altogether different.
BW: The main malicious risk comes from a formerly completely loyal and committed employee, long-standing typically, who decides that they are right in taking action against their employer.
PL: And that of course is a people management issue. Here’s Lee D’Arcy again.
LD’A: I believe Amazon had an interesting situation recently where they had one of their depots burnt down by a disgruntled employee. Morrison’s have suffered a data loss from a disgruntled employee. So it happens quite a lot. Often people are facing difficulties with maybe family issues, lifestyle issues; maybe they have addictions to gambling, drugs, alcohol, all these sorts of things. Maybe they are being approached by nefarious organisations or people outside trying to bribe them; you know can you get me some information. Ultimately you need to be aware of these things so you can deal with it.
PL: Yes because at heart it’s about people making choices isn’t it?
LD’A: It is about people making choices and unfortunately there are individuals who have worked with an organisation for 25 years, 26 years and then suddenly commit an internal fraud and you think well why, how, what made you do that? Had something changed in their life? Maybe their partner died, they’re finding it very difficult to make ends meet financially.
PL: Or just the pace of change in the organisation…
LD’A: Or just the pace of change in the organisation.
PL: …we’re constantly told about you need to be agile, you need to be changeable, everything is different from the way it was last year, that's challenging isn’t it?
LD’A: It is all challenging absolutely and there are lots of challenges, both internally and externally from people’s lives.
PL: So from HR’s point of view it’s around understanding this is obviously first and foremost a people issue rather than an IT issue so it’s around how you’re managing people as well as the systems you’re putting in place to actually actively defend yourself from fraud.
LD’A: Yeah absolutely. My CEO has a good way of putting it, years ago when people threw a brick through a window they didn’t call it brick crime, you know cybercrime it’s just a crime, it’s theft, it’s dishonest acts, so in reality we’re dealing with criminals so we have to treat people and do all the kind of things we need to do around risk management to make sure criminals can't have access to the things they want to have access to.
PL: Okay enough scare stories, what can HR do about this?
LD’A: The first part is the new people so vetting new applicants if you like; I'm staggered how many organisations don't do it effectively.
PL: And Keith Rosser reckons that just to be seen to be doing it is often enough to deter criminals from trying.
KR: Whether it’s people who really are intent at doing harm or just the fact that they know you do vetting, actually is a deterrent.
PL: But how thorough does a check need to be?
LD’A: You want to check that they’ve got the results, they’ve got the qualifications they’ve got, the background they’ve got, you don't want to just take the CV as being what it says. You need to check.
PL: So CVs and references are just a starting point.
LD’A: I often do say, “Lies, damn lies and CVs,” unfortunately yes it’s too easy to put what you like on a CV isn’t it really?
PL: So would you advocate vetting for every role however junior?
LD’A: It’s a really interesting challenge actually. You could easily say, “Well this is a low level risk role,” but you know even a cleaner at night wandering around your office it’s surprising what they might find. It’s surprising what they might do. Just vetting to make sure that they are the people they say they are, that they’ve got the background they say they’ve got.
PL: And given this is a global issue your take on this would be that pretending it hasn’t happened, keeping it to yourselves organisationally, none of this is a good idea, the defences will be much more effective if organisations are collaborative and share.
LD’A: There are a couple of issues around this. First of all there aren’t harsh enough penalties. The consequences really I think for most employees who commit these offences they think they can get away with it, they think do you know what will happen is if you find it and you investigate me I’ll just resign and I’ll go somewhere else and you'll just write a nice little bland reference and I’ll go and work somewhere else and maybe I’ll do it again, maybe I won't, but there will be very little punishment. They may not get reported to the police, when it is reported to the police the police are absolutely up to their eyeballs, they’re probably going to say, “Well actually you’re a big organisation we’re not going to investigate this.” So it doesn’t go all the way through to a conviction. So we have to kind of collaborate and because we’re not talking about people who don't do their job well, we’re talking about people who commit crimes and some of these people do it again and again and again and again.
PL: So vetting people on the way in and sharing fraud information are two good defensive moves but what about systems and practices are there things you can do to minimise the risk?
KR: It’s about making sure that the HR department works really closely with the risk function and finance to ensure that all of the necessary controls that are appropriate to that organisation are in place. It should have really good procedures around things like whistleblowing to make sure that the sign off and control mechanisms are appropriate to the organisation they work in. We often say that where you've got sole dependencies where one person has this ability to kind of be creator, master and authoriser of one piece of work we find actually that often fraud persists.
PL: That was Keith Rosser and according to Bill Windle it’s also vital that every organisation, big or small, designates one single person to be the accountable owner of fraud risk.
BW: Unless you have a single point of accountability you end up with it being disaggregated. That coherent approach to control, to strategy, to capability, to investment, to efficiency, all the good things that from a business point of view you have to achieve, tend to be much less well done. If the CEO has someone they can ask, let’s say once a month, “Tell me about the top three risks we discussed last month? How have they changed? What are the implications for our strategy? Does this mean we need to invest more or invest less?” and immediately you start to drive down both the risk and you can absolutely get a team-based approach.
PL: Bill recommends the HOMER framework as a useful tool, that's Holistic Management of Employee Risk. It’s a guide produced by the government authority The Centre for the Protection of National Infrastructure.
BW: Well first of all I’d say that the brief from CPNI was to produce something that was close to being fun to read, a playbook if you like, and bearing in mind it’s security guidance that was something that we took to heart.
PL: It’s designed to help you figure out your own organisation’s risks.
BW: It has a series of questions and exercises and it’s intended very much to be something that's interactive and meant to stimulate through a set of, what I would call, universal principles, for example what are your organisation’s top three people risks right now? If the chief HR officer doesn’t know the answer to that question it probably means that that hasn’t been formally identified and defined and therefore it means it’s not really being managed.
PL: The challenge here is to maximise protection without undermining relations with your employees and suppliers. It’s not that difficult for organisations to put up barriers and monitor people’s activity but you're dicing with a loss of trust there. So how to be secure without making people feel spied upon or even misled? Here’s Rachel Neaman, she's CEO at the Corsham Institute.
Rachel Neaman: I don't think it’s about being spied upon I think it is again about openness and transparency over the responsibilities of the company and of the individual workforce within that company vis-à-vis the data and the information the organisation holds. The data we have in an organisation belongs to other people, that's other people’s data, we need to protect that, we wouldn’t necessarily shout people’s telephone numbers or bank details from the rooftops. It’s the same kind of thing. We need to understand that unless we are protecting the data in the right way it’s as if we were shouting these figures from the rooftop. I think what is more important is to train your workforce to feel a responsibility towards the data that they handle and a responsibility towards the brand, towards the organisation that they are part of not to let this happen.
PL: So vigilance, collaboration and transparency, they all play key roles here as does education.
LD’A: I know it’s a silly thing to say but actually reminding people and communicating with people that it’s an important aspect of protecting jobs, of protecting the profitability of the organisation.
PL: So it’s part of the culture that you’re protecting each other?
LD’A: It has to be part of the culture absolutely. Secondly if you’re attacked from outside, if organisations do lose money to fraudsters, so if you lose £50,000, a large organisation, you could say, “Well we’ll suffer the £50,000 loss,” if from an employment point of view someone takes all of my customer data or all of my sensitive commercial information on my recipes or my industrial plans or whatever it might be and takes them to a competitor or puts them on the net or something that could damage my reputation as an organisation so much that I may not be able to carry on being in business I may have to lay people off, it may cost jobs. So actually the cost of internal fraud becomes immeasurable.
PL: Lee D’Arcy ending this month’s episode for us and thanks to our other guests: Rachel Neaman, Bill Windle, Keith Rosser and Warren Howlett.
Our second episode on cyber, the one focusing on recruitment fraud will air in February and that sort of fraud is big business. Jobseekers, employers and the recruitment industry all lose out. We’ll be looking at why that fraud is on the rise and what organisations, individuals and indeed HR can all do to protect themselves and others.
In between on the first Tuesday in January we’ll be bringing you the annual look ahead episode where we’ll hear HRs from Microsoft and the Police and the Home Office all predicting the big challenges for 2018.
First though a year-end thank you from all of us for listening to the podcast this year. We love making them and it’s really good to know that you enjoy them too. Happy Christmas.