Employees are the lifeblood of an organisation, and technology helps facilitate ways in which they can work at their optimum. But is this always the case? According to 56% of nearly 2,000 information security experts worldwide in EY’s latest Global Information Security Survey 2015, employees are considered to be the most likely source of cyber attacks within organisations. What’s more, in Hong Kong and China, current and former employees make up 50% of the main cited source of security incidents, according to PwC’s The Global State of Information Security® Survey 2015.
While it may not be of comfort for HR to learn that employees are regarded as one of the highest sources of risk, the solutions are not as complex or technical as they may first seem—but they do require a strong HR input.
Breaking down the Hollywood stereotype
While most would associate cyber-attacks with dramatic malfunctions or a rogue employee conducting a spectacular theft of valuable assets seen in Hollywood crime thrillers, the reality is actually more subtle and low-key.
When defining cyber-attacks exclusively to HR Magazine, Ken Allan, Global Cybersecurity Leader, EY explained, “A cyber attack is any malicious activity that relates to an organisation’s systems, data, business processes—and I say malicious but actually we include in the category ‘stupidity’ because it is possible for people to make mistakes and create vulnerabilities and risks that then relate to cyber-related losses.”
Such mistakes are humble and seem harmless in the beginning. Allan elaborated, “The best example of that is receiving an email that says ‘go click on this link’ and that link will download a piece of malware that then starts to listen to your key strokes—and we call that phishing.” This is only one type of attack—such actions may lead to lots of interconnected, seemingly harmless attacks which are in fact diverting security officers’ attention away from another major attack. In other cases, malware may find its way into a system and lie dormant until triggered by another event. There are numerous possibilities and the attacks are becoming more sophisticated.
Cost of security breaches
For their part, the boards largely get it. In Hong Kong and China, the issue has certainly been taken seriously with budgets for cyber-security averaging around USD 7.9 million in 2015 compared with USD 5.1 million globally, according to PwC. However, despite this, security incidents in Hong Kong and China saw a rapid increase in 2015 by 417% and the average total financial loss because of that was USD 2.63 million—higher than the global average. It is an incentive to get more strategic—as Allan added, “My encouragement is for boardrooms to be bolder in allocating resources, including human resources, to get ahead of the problem.”
To some extent this is already happening. According to business and IT security executives in Hong Kong and China who PwC surveyed, 95% of them adopted information security frameworks, 81% collaborate with others to improve information security and 72% employed a Chief Privacy Officer (CPO) or similar.
Security sophistication is one solution but if boardrooms are to be bolder, they need to tackle the real elephant in the room—the cause of the attack. According to information security experts who spoke to EY, 44% of them ranked careless or unaware employees as one of the vulnerabilities which has increased their risk exposure over the last year. Allan commented, “You need an aware group of employees that know what the vulnerabilities, the risks and attacks look like—a lot of it is common sense.”
Inculcating common sense
It is in this respect that Human Resources can thrive in its element. As the entity that ensures employee performance and training, HR needs to be on the frontline of ensuring common-sense practice against cyber-attacks.
Attacks are becoming more sophisticated by the day and so HR needs to firstly raise awareness. Allan suggested, “Organisations need an awareness programme, an education programme and they need people to be vigilant. Employees need to understand what these attacks look like so then they can help to defend the organisation.”
One innovative cyber-security training solution for employees, launched by PwC in Hong Kong in December, is a new digital game called Game of Threats. Megan Haas, Forensic Services Partner, PwC China explained, “It lets executives experience the pressures of decision making, as well as the consequences that stem from cyber-attacks. The software gives a hands-on demonstration of the value of adequate cyber-security controls and strategies.”
Playing the game as one of the many types of hacker, whether a lone wolf or a nation state, players are tasked with hacking a fictional computer system using the resources they are given. Dealt a few cards, the players are rewarded for making good moves or penalised for making bad decisions. All of this can be done with the touch of an iPad, and it is a highly interactive activity that can be done in groups.
Future proofing
HR, though, should be mindful of the future. With technology advancing at such a fast pace year-on-year, HR, in its recruitment and allocation capacity, should be getting certain employees to develop solutions for the future.
Taking the example of the mobile phone, Allan said, “Mobile phones had been around a long time and smartphones for several years before we got round to understanding the security implications as they connected to our corporate systems. Only then did we apply people to solve those problems, whereas we could have anticipated, or we should have anticipated, the security implications of connecting smartphones to our corporate systems and designed the security controls at the time instead of after the event. So we need people thinking about which technologies are coming next and how to secure them.”
This does not just require technical skills; it requires people with a combination of creative and analytical skills to come up with solutions for the future. Whereas EY once only recruited computer science or software engineering graduates, they are now open—and insist their clients also need to be open—to hiring people with a much broader and more diverse set of skills. On this issue, HR needs to avoid narrowing the pool of people it selects to deal with the problem.
Spotting the obvious
Ken Allan, Global Cybersecurity Leader, EY
While cyber attacks do come from innocent mistakes, firms also need to be vigilant about malicious intent. Identifying malicious and anomalous behaviour, Allan insists, is not about spotting colleagues who are indulging in drugs and alcohol at lunchtime; it is more to do with looking for anomalous behaviour in large data sets.
HR contributes by providing input into what the norms and behaviours are that can then be modelled using data science and analytics to spot anomalies. He explained, “HR professionals, by implication, are people who understand human behaviour. So, if you can capture that understanding and knowledge and model it in terms of what good behaviour looks like, then you can use the technology to help understand something that does not look the same as the good norm.”
Building up a big data set on this is something IT and HR should not be afraid of. Allan elaborated, “There are physical limitations to how much data you can store—but technology is solving that problem. It doesn’t matter if it is cybersecurity or customer analytics or anything that requires a big data set—the larger the data set and the more powerful the analytics that sit on top of the data set, the more chance you have of understanding those data flaws and anomalies.”
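As an added example (not from the article, EY or PwC) of the approach Allan describes, the script below treats HR-supplied role norms as the baseline and flags access-log activity that falls outside it: sessions outside a role’s working window, and daily record volumes far above the role’s peers. The log lines, user and role names, working-hour windows and thresholds are all constructed for illustration, and the peer baseline uses a robust (median/MAD) score so that one extreme day does not mask itself by inflating the average.

```python
"""Baseline-and-anomaly scoring over constructed access logs.

Added example, not code from the article or from EY/PwC. HR supplies the
norms (expected working hours per role); the script derives a peer baseline
for daily volume from the logs themselves and flags deviations from both.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Hypothetical HR-provided norms: the normal working window per role as
# (start_hour, end_hour), end exclusive. Values are assumptions for the example.
ROLE_HOURS: Dict[str, Tuple[int, int]] = {
    "payroll": (8, 19),
    "engineer": (7, 22),
}

# Constructed sample log: ISO timestamp, user, role, records read in the session.
SAMPLE_LOG = """\
2015-12-01T09:12:00 alice payroll 40
2015-12-01T10:05:00 alice payroll 35
2015-12-01T09:40:00 bob payroll 38
2015-12-01T14:20:00 bob payroll 42
2015-12-01T11:00:00 carol payroll 45
2015-12-01T23:45:00 dave payroll 900
2015-12-02T09:00:00 alice payroll 41
2015-12-02T09:30:00 bob payroll 37
2015-12-02T10:10:00 carol payroll 39
2015-12-02T02:10:00 dave payroll 50
2015-12-01T20:30:00 erin engineer 120
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    records: int


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, records = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, role, int(records)))
    return events


def daily_volume(events: List[Event]) -> Dict[Tuple[str, str, str], int]:
    """Total records read per (user, role, ISO date)."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in events:
        totals[(e.user, e.role, e.ts.date().isoformat())] += e.records
    return dict(totals)


def robust_z(value: float, peers: List[float]) -> float:
    """Median/MAD z-score: resistant to a single huge outlier in the peer set."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    if mad == 0:
        return 0.0
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev estimate


def find_anomalies(events: List[Event], z_threshold: float = 3.5) -> List[Tuple[str, str, str]]:
    """Return (rule, user, when) findings for off-hours access and excessive volume."""
    findings = []
    # Rule 1: any session outside the HR-supplied working window for the role.
    for e in events:
        start, end = ROLE_HOURS.get(e.role, (0, 24))
        if not (start <= e.ts.hour < end):
            findings.append(("off_hours", e.user, e.ts.isoformat()))
    # Rule 2: a user-day whose volume is far above the role's peer baseline.
    totals = daily_volume(events)
    per_role: Dict[str, List[float]] = defaultdict(list)
    for (_, role, _), vol in totals.items():
        per_role[role].append(vol)
    for (user, role, day), vol in totals.items():
        peers = per_role[role]
        if len(peers) < 3:
            continue  # too few observations to call anything a baseline
        if robust_z(vol, peers) > z_threshold:
            findings.append(("volume", user, day))
    return findings


if __name__ == "__main__":
    for rule, user, when in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:10s} {user:8s} {when}")
```

Both rules only produce leads for a human to review; the role windows are the HR input, while the volume baseline is learned from the data, which is why the engineer row is never scored on volume (a single observation is not a peer group).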
Cyber-attacks may be sophisticated but the origins are often not—and HR professionals should be at the frontline of providing solutions that could save millions of dollars each year.