Why do I need to know about it?
“Simply put, our lives are becoming digital by default,” says James Chappell, CTO and co-founder of cyber security awareness company Digital Shadows, regarding why being clued up is increasingly important for business professionals.
The natural consequence of this is that cybercrime is on the up. And the fallout from failing to maintain cyber security is becoming potentially much more drastic, with the introduction of substantial penalties (up to 4% of annual worldwide turnover) under the EU General Data Protection Regulation (which applies despite the Brexit vote).
“Cyber security affects every organisation no matter their size, market or sector,” adds Susie Al-Qassab, senior associate at law firm Howard Kennedy. “SMEs are one of the main targets. Smaller businesses that supply products and services to larger organisations are used as an attack vector.”
What do I need to know?
Threats come in a number of guises, most commonly as ‘phishing emails’. The latest mutation of this is ‘whaling’, where senior management figures are researched and targeted with a specially crafted email, often masquerading as correspondence from someone they work with.
Growth in ransomware, where a victim’s files are encrypted and a ransom demanded for their return, is significant. Bribing rogue employees to give access is also on the up. And firms must remain vigilant to rogue employees taking data themselves, whether to gain competitive advantage in a new business venture or simply to sabotage an employer that has upset them in some way.
Where can HR add value?
“HR must be closely involved in cyber security measures as so many of the required measures revolve around people,” says Al-Qassab. “An organisation’s employees can be both its biggest risk and its greatest asset.” She points out that 90% of cyber-attacks begin with an email and succeed because of human error, so technical measures such as antivirus and firewalls won’t be enough on their own.
Checking credentials before someone is employed is a crucial role HR should be playing, says Gary McCloskey, senior manager in Deloitte UK’s cyber risk services team. “Make sure that as an employee’s role changes, IT systems remove access to information and systems no longer needed,” he adds. “When someone tenders resignation, limit access to sensitive systems immediately; disable access immediately once he or she leaves.”
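Taking McCloskey’s three rules above as a checklist, here is an added example (not from the article, nor Deloitte’s own tooling) of a joiner/mover/leaver review that compares an HR roster with a snapshot of system accounts and lists the access changes those rules imply; the role model, field names and sample records are assumptions constructed for illustration.

```python
# Added example, not from the article: a joiner/mover/leaver access review that
# compares an HR roster with a snapshot of system accounts and reports the three
# actions McCloskey describes. Names, role model and sample data are assumed.
from datetime import date
# Assumed role model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp_read", "payroll_read"},
    "finance_manager": {"erp_read", "erp_approve", "payroll_read", "payroll_write"},
    "sales_rep": {"crm_read"},
}
SENSITIVE = {"erp_approve", "payroll_write", "crm_export"}

def review_access(roster, accounts, today):
    """Return sorted (user, action, entitlement) findings.
    roster:   {user: {"status": active|resigned|left, "role": str, "last_day": date|None}}
    accounts: {user: {"enabled": bool, "entitlements": set}}"""
    findings = []
    for user, acct in accounts.items():
        p = roster.get(user)
        ents = acct["entitlements"]
        if p is None or p["status"] == "left" or (p["last_day"] and p["last_day"] < today):
            # Leaver, or an account HR knows nothing about: disable it outright.
            if acct["enabled"]:
                findings.append((user, "disable_account", "*"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(p["role"], set())
        for e in sorted(ents - allowed):
            # Mover: entitlement no longer justified by the current role.
            findings.append((user, "remove_entitlement", e))
        if p["status"] == "resigned":
            for e in sorted(ents & allowed & SENSITIVE):
                # Notice period: limit sensitive access now, before the last day.
                findings.append((user, "restrict_sensitive", e))
    return sorted(findings)
# Constructed sample: alice moved from manager to analyst, bob has resigned,
# carol has left, dave has an account but is not on the HR roster at all.
ROSTER = {
    "alice": {"status": "active", "role": "finance_analyst", "last_day": None},
    "bob": {"status": "resigned", "role": "finance_manager", "last_day": date(2017, 3, 31)},
    "carol": {"status": "left", "role": "sales_rep", "last_day": date(2017, 2, 10)},
}
ACCOUNTS = {
    "alice": {"enabled": True, "entitlements": {"erp_read", "erp_approve", "payroll_read"}},
    "bob": {"enabled": True, "entitlements": {"erp_read", "erp_approve", "payroll_write"}},
    "carol": {"enabled": True, "entitlements": {"crm_read"}},
    "dave": {"enabled": True, "entitlements": {"crm_read"}},
}

def run_sample(today=date(2017, 3, 1)):
    return review_access(ROSTER, ACCOUNTS, today)
```

Running the review on a schedule (daily, and immediately on every HR status change) turns the quoted rules into a check that produces a to-do list for IT, rather than relying on someone remembering.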
Then it’s about, in McCloskey’s words: “Awareness, awareness, awareness… Prepare your employees and executives with the knowledge to identify and avoid a cyber scam, and how to respond.”
“Acceptable use, electronic communications and password policies are crucial,” says Al-Qassab. “Others, such as bring your own device or remote access policies, are also important.” She adds that simulated phishing campaigns allow “organisations to understand where their knowledge gaps are, and where they need to target cyber awareness training”.
Cyber security is by its very nature a rapidly evolving field, so staying abreast of ‘what next?’ is critical. “We will likely see more attacks targeting mobile and smart devices. These are generally unmonitored systems that are connected to the internet 24/7,” says Al-Qassab, adding that attacks exploiting social media platforms and cloud storage are also on the rise.
Hugh Boyes, cyber security lead at the Institution of Engineering & Technology, adds: “The evolution and adoption of the internet of things (IoT) is going to have some impact, and HR managers will need to consider the adoption of appropriate and proportionate policies, processes and procedures regarding the use of IoT devices in a business context by their employees, contractors and supply chain.”