[BreachExchange] No place for HR to hide from cybercrime

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 8 16:09:53 EST 2017


http://www.hrreview.co.uk/analysis/sarah-adams-no-place-hr-hide-cybercrime/109297

Sharp edges can be dangerous. And HR, whether it’s in- or out-of-house, is
at the sharp end of cyber-security in two major ways.

First, the kind of data HR personnel handle makes them a prime target for
cyber-attacks. Things like addresses, dates of birth, National Insurance
numbers and payroll details are like gold dust to cybercriminals. They’re
the perfect ingredients for identity fraud.

Second, HR wears the hat for ensuring both new and existing staff are
trained in cyber-awareness. IT can only do so much to protect the network.
The rest of the responsibility lies with network users, who must avoid
making the kind of mistakes that can open the door to hackers.

Tragi-comedy of errors

Such slip-ups can involve anything from using weak passwords, which hackers
can easily bypass, to falling for virus-infected click-bait. But they
matter, because figures from the UK regulator, the Information
Commissioner’s Office (ICO), suggest insiders can be blamed for 62% of
cyber-attacks.

Some of those attacks are intentional. Employees on the make can
deliberately cream off data and sell it either to competitors or to
criminals on the dark web. Disgruntled ex-staffers can also mount a
vendetta against a company by stealing data and passing it on.

Whoops!

But many cyber-attacks and data breaches have a more innocent origin.
Employees can send data to the wrong person by mistake – simply by
attaching the wrong file to an email. Or they can log onto insecure
networks on laptops while out of the office, unknowingly letting the
hackers in.

Then there’s phishing.

Far too easily, employees can be persuaded to click on links in bogus
emails or to download attachments – especially when the attachment is
disguised as a job application. But one simple click can unleash a torrent
of file-locking malware or ransomware that quickly spreads across your
network.

Clear and present danger

A combination of up-to-date IT security, good staff training, and
board-level co-operation gives you your best chance of avoiding a hacker
attack or data breach. But cyber-attacks are everywhere, and the Department
of Culture, Media and Sport reports nearly half of the UK’s 5.5 million
businesses suffered an attack or a breach last year.

That number only stands to grow as the hackers get ever more devious, while
being prepared for an attack is more relevant now than ever. That’s because
there are hefty new fines for data breaches on the horizon, once the new
General Data Protection Regulation (GDPR) comes in next May.

GDPR

GDPR affects anyone who handles personal data for EU citizens and aims to
standardise the way it’s collected, processed and stored. It shines a light
directly on HR departments and consultants, because a lot of the employee
info they gather and keep is ‘sensitive’, and could be used for ID fraud.

Oh, and fines for not playing by the new rules, which also include telling
the ICO about a breach within 72 hours, plus informing everyone affected,
are eye-watering: up to €2 million or 4% of annual turnover, whichever is
more. A fine that big could put a huge dent in the bottom line of any
company, or even finish it altogether.

Fully prepped?

As with most things, the key to riding out the storm is being prepared. You
need a well-drilled recovery plan in place that will kick into action as
soon as an attack is discovered. Not only to stop it, but to clear up the
mess left behind, and to get you back up and running again as quickly as
possible.

That’s because time means money, and any time that a business is unable to
trade as normal spells lost revenue.

Think about it: if a customer website has been taken down by hackers,
no-one can buy or even browse the product range. Or if files across a
network have been infected and encrypted, staff won’t be able to access
information, process orders, or do anything much at all. Business will
grind to a halt.

What if your system has been infected with ransomware and cybercriminals
are demanding a ransom of £1750 in Bitcoin? Does anyone know how to
negotiate with hackers? Do you simply pay up, trusting their promise that
they’ll decrypt your files once the money is transferred? Do you take the
risk?

Data danger

Data breaches can throw up a different set of problems, with equally
devastating consequences. And that should throw up a red flag for HR. Once
sensitive data is in the hands of criminals, they can use it for a string
of illegal activities.

Losing bank payment and card details is probably at the worst end of the
scale, because it can lead to large-scale financial losses. But any
personal information can be used by criminals to commit crimes in an
individual’s name. Money laundering and drug smuggling, for example.

Pay-back time

The bad news, of course, is that any type of cyber-attack or data breach
involves pay-back – no matter how it came about or where it came from. It
affects any organisation from top to bottom.

One of the biggest costs for business is lost revenue while their normal
way of doing business is compromised. The fall-out from an attack can go on
for days and if you’re losing sales and customers during that time, your
profits can take a big hit.

Paying for the expertise to sort out damaged IT can be expensive, too.
Things are easier if you have a crack in-house IT team who can get to work
quickly. But most businesses rely on contractors. What if they’re tied up?
And how much will they charge to make things good…even if they can?

Name and shame

Then there’s the cost to your reputation. If you’re unable to fulfil
contracts or deliver as promised because your system is in lock-down,
clients might be tempted to take their business elsewhere. Word gets out
quickly when people feel they’ve been let down, and that can do lasting damage.

That damage can be even worse if private data’s been lost. No-one likes the
thought of their confidential information being in the hands of criminals,
and they’re quite likely to come after you with a law suit for
compensation. An expensive law suit, at that.

And then there’s the regulator to deal with. If the ICO considers the
breach is significant enough, or that you haven’t been operating within the
GDPR rules post-May 25, they’ll launch an investigation. And that means
lawyers, paperwork, potential fines, the lot.

Taking stock

We all operate within a complex and increasingly technologically driven
business environment. And with time at a premium, anything that takes the
strain, reduces risk and helps businesses through a potentially ruinous
period has value.

If you’ve already got a fail-safe cyber-attack recovery plan, and feel sure
your business could cope with the added pressure, then you’re one of the
lucky ones. Pressure in terms of lost revenue, lost reputation, and the
sheer time, effort and expertise it takes to sort things out, that is.

If not, cyber insurance can provide a good solution. Here’s what it does.

- It pays for rapid IT forensics to crawl over your systems, find the
source of the attack, and fix any damage. It covers re-installing software,
recovering data, getting websites back up and running, and re-establishing
networks.
- It pays for replacement IT kit, if necessary, while yours is being
mended. That means you can keep doing business in the meantime.
- It pays for any lost revenue while you can’t operate as usual. That’s
really handy, since it can take several days or even weeks to recover from
a cyber-attack.
- If you’ve lost personal data, it pays to inform everyone affected, as
required by the ICO, and stumps up for credit monitoring. It also buys
legal expertise and covers court costs plus compensation if victims make
claims for damages against you.
- It takes care of informing the ICO when there’s been a data breach –
within 72 hours under the new GDPR. It also pays for the know-how to handle
a follow-on investigation, and covers any fines – with the ICO’s say-so.
- It helps to defend and restore your battered reputation after a
cyber-attack by paying for crisis management and PR.

Future thinking

Plenty to think about, then. It’s an unfortunate 21st-century fact of life
that a simple click of a mouse can unleash a tidal wave of unwanted
consequences. And that’s especially relevant for HR, considering the volume
of sensitive personal data at stake, plus the new demands of GDPR.

Time to plan ahead for a cyber-attack?