[BreachExchange] What HR Can Do to Protect Against Cyber Threats
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Jun 27 19:21:49 EDT 2017
https://www.cebglobal.com/blogs/what-hr-can-do-to-protect-against-cyber-threats/
The WannaCry attacks last month may have been the most high-profile case of
ransomware being used to extort money from companies, governments, and
individuals, but it is nowhere near the only one. Ransomware is now used
thousands of times a day, according to the US government (pdf), which means
that all employees should be well aware of the threat and how to combat it.
And this is where HR comes in. Ransomware is — and should be — a major
concern for HR departments; HR professionals are particularly vulnerable to
such attacks, as they are often accustomed to receiving and opening
innocuous emails from outside the company. Cybercriminals know this and
often target firms through their HR departments with malicious software
disguised as a job application, résumé, or invoice. A recent phishing
attack that compromised thousands of current and former employees at the
newspaper publisher Gannett, for example, exploited this vulnerability.
The other reason HR needs to pay attention to cybersecurity is that
rank-and-file employees are one of a company’s foremost lines of defense
against hacking.
While executives may think of cybersecurity as primarily an IT issue,
cybercriminals also know that one of the easiest ways to penetrate a
company’s digital defenses is through employee error. Phishing is
particularly frustrating because even the most advanced, state-of-the-art
security controls can be circumvented if employees make the avoidable
mistake of something as simple as opening an email attachment they
shouldn’t.
How HR Can Help
The key to preventing attacks is to bring about behavior change and tailor
campaigns to specific employee segments. Many employees who fall victim to
ransomware attacks have already completed mandatory cybersecurity training,
but had they truly learned the lessons of that training, it’s more likely
they wouldn’t have opened the suspicious email that got them and their firm
into all that trouble.
Promoting employee awareness of information security is thus a perennial
challenge for information security teams, who are hopefully coordinating
their employee training programs with their colleagues in Learning and
Development. L&D teams, who specialize in changing employee behavior, can
collaborate with Information Security to figure out how to make this
cybersecurity training more compelling and memorable.
Part of the challenge here is convincing employees to really care about
cybersecurity. It’s one thing to explain the consequences of a data breach
to the company, and quite another to get employees to understand what’s at
stake for them.
Some companies use negative incentives or punishments (e.g., revocation of
IT privileges, formal or informal warnings, or even marking them down on
performance scores), but this tactic comes with many problems. It’s often
hard to identify who’s at fault for a breach, negative incentives won’t
work in all corporate cultures, and revoking IT privileges from certain
types of workers (like researchers who need email and internet access to do
their jobs) would be extremely counterproductive. Of course, positive
incentives exist as well, but usually have less of an impact than
punishments.
There is no easy solution to this challenge, unfortunately, but the most
successful approaches center around embedding respect for cyber and
information security into an organization’s culture — a more daunting task
than simply establishing protocols. Team “climate” is most likely to
determine good behavior on data privacy among employees. Specifically,
employees tend to look at their peers to decide how difficult such behavior
is and whether they should engage in it.
Facilitating a team climate that supports privacy behaviors is much more
effective than focusing on awareness or controls.