[BreachExchange] Cybersecurity Is Too Important To Leave To IT

Destry Winant destry at riskbasedsecurity.com
Thu Jul 6 00:49:27 EDT 2017


https://www.cybersecurityintelligence.com/blog/cybersecurity-is-too-important-to-leave-to-it-2572.html

As hackers increasingly exploit human vulnerability, HR has a vital
role to play, not least in ensuring businesses have the technical
talent to fight back

They say crime doesn’t pay but, when it comes to cybercrime, it
certainly costs. Oxford Economics reports that the average large
business loses £120m when it is hit by a hacking attack; averaged out
across the economy, it means around £4m per business, per year, is
attributed directly to hacking.

And that doesn’t include reputational damage, or the price of
defending against cyber assaults. Executives still wake up in terror
at the prospect of suffering an email leak as widespread as the one
Sony endured in 2014, when the spats of the Hollywood elite were laid
bare alongside a trove of almost 50,000 employees’ details.

TalkTalk’s reputation is still recovering after 150,000 customer
records were compromised in 2015.

More recently, the NHS was crippled in May after a widespread
ransomware attack, nicknamed WannaCry, encrypted files and locked staff
out of computer systems unless they paid a bitcoin ransom. Relatively
few paid up and a workaround that halted the spread was found within
days, but the cost of cancelled operations was incalculable, and
experts still cannot agree on how the first machines were infected. To
assume such events are primarily solved by better software and a more
empowered IT department is to neglect an important detail, say
experts: HR must be central to educating employees and addressing
organisational vulnerabilities.

As Claire Logan, head of people and talent at PA Consulting Group,
says: “HR has a critical role in cyber-security. Too often, IT teams
care passionately about it, but don’t know how to communicate that
passion to other employees.”

“We cannot protect organisations only through technology,” adds Peter
Cheese, chief executive of the CIPD, which last year teamed up with
the Department for Culture, Media and Sport to launch an e-learning
tool to help the HR profession tackle cyber threats. “An awful lot of
it is human behaviour and action.”

Government research discovered that, while almost two-thirds (65 per
cent) of large UK businesses had fallen victim to a cyber-security
breach in the space of a year, just 17 per cent were training staff on
the issue.

The National Cyber Security Centre in London was launched, in part, to
increase awareness of this issue, and the broadening scale and
complexity of threats illustrates why such action is necessary. While
WannaCry spread as a ‘worm’ that hunted down and exploited an
unpatched flaw in Windows file sharing (SMBv1) across corporate
networks, there are equally pressing issues around targeted hacking,
malware delivered by spam email, and fraudulent, convincingly crafted
messages aimed at persuading finance departments to authorise payments.

‘Phishing’, meanwhile, often involves researching individuals via
social media to write emails or direct messages that they are more
likely to respond to, as opposed to the primitive spam of days gone
by. And the threat doesn’t even have to be virtual: a cyber
consultancy recently revealed that a major London law firm had
discovered that the TV in its boardroom was secretly relaying an audio
feed to an external source in a different country.

New figures from Willis Towers Watson suggest that 46 per cent of UK
employees spent half an hour or less on cybersecurity training in
2016, with 27 per cent having done none at all. A new mindset to
learning may be required in this area. “We’ve got to move beyond this
compliance tick-box approach, which has been used in various contexts
over the years to say: ‘Well, we’ve done our training because we’ve
ticked a box and everybody’s done their e-learning course on
anti-bribery or corruption or modern slavery’ or whatever it might
be,” says Cheese.

Consultancy firm PwC, for example, recently launched Game of Threats,
a digital game designed to mimic a cyber-attack on an organisation, as
a learning tool for clients. “Game of Threats engages people in a
scenario, in a playful, gamification of cybersecurity,” says Anthony
Bruce, HR consulting partner at PwC. “It’s about engaging people in a
way that is stimulating, fun, not traditional, not sitting in front of
a screen pressing buttons.”

Cheese believes the trick to creating training that lands is to link
it to how cybercrime could affect staff in their personal lives. “Make
them feel: ‘Gosh, this affects me just as much as it affects the
organisation’, then you create that buy-in and engagement much more
strongly than just presenting this as a rather dull corporate thing,”
he says.

However, even the most awe-inspiring training programme won’t help
protect an organisation if the wider company culture is not geared
towards cyber threats.

“To really make a difference to cybersecurity, the HR team needs to
think and act as though it’s a culture change activity,” says Logan.

Studies suggest cyber awareness among the public at large is still
low. In 2016, researchers at the University of Illinois dropped USB
sticks around their campus: 98 per cent were picked up, and people
opened files on 45 per cent of the sticks, sometimes within six
minutes of the device being planted. When asked why they had accessed
the files, the majority (68 per cent) said they were trying to locate
the drive’s owner, although 18 per cent admitted they had given in to
curiosity.

Bruce says: “We’ll know we’re getting there when, if you’re in a
meeting and there’s a USB stick on the table and you want to return it
to the owner and go to stick it in your computer, somebody says: ‘Hang
on. Do you know where that came from and do we know what’s on it?’”

Building that strong cyber culture involves HR not just in improving
learning outcomes, but in sourcing expertise. Recruiter Robert Half
Technology says 77 per cent of CIOs fear they will face more security
threats over the next five years because of a lack of skilled staff.
IT security vacancies increased by 6.2 per cent in the year to April
2017, as businesses scrambled to protect themselves from hacks.

“HR must take an active role in ensuring businesses have access to
expertise to protect against cyber-attacks,” says Ann Swain, chief
executive of the Association of Professional Staffing Companies.
“This includes the recruitment of IT specialists to ensure systems are
secure. HR directors must communicate the need for resource in this
area and advise on the potential consequences if adequate skills are
not in place.”
Of course, not every staff member is on the organisation’s side in the
battle against cyber attacks. An increasing number of attacks can be
attributed to malicious insiders. “In most cases, there were warning
signs before they happened and those signs were ignored. It’s a case
of: ‘I always thought this individual was acting strangely, but I
didn’t think I could tell anyone,’” says Nick Seaver, information and
technology risk partner at Deloitte. “HR are great at being the people
who can both look for the flags that indicate someone is a risk to the
organisation, and help create a culture where people feel empowered to
raise a suspicion.”

Throw in the large number of contractors and contingent workers who
supplement full-time employees and this vigilance becomes even
trickier. “Ensuring contingent workers have completed the same
training, that we know who they are and have the same amount of
confidence that they don’t have malicious intent is important,” says
Bruce. “Because of the turnover in that kind of work, it can be a
crucial back door into organisations.”

With experts warning it is a question of when, not if, a
WannaCry-scale attack is repeated, breaking down the silos that keep
IT and HR apart is a matter of urgency.

