The digital revolution opened up a new world, but it has also opened the world up to new dangers: cyber attacks. The volume and severity of cyber attacks have been increasing year on year throughout the last decade, with no sign of abatement. Just last year, billions of records were released through various kinds of data breach: from direct attacks to accidental publishing to insider jobs. There is one ransomware attack every 14 seconds; out of every 320 emails the average person receives, one malicious email gets through the spam filter or antivirus. The average cost of a data breach is US$3.2 million; one estimate by Cybersecurity Ventures suggests that by 2021, cyber attacks will cause US$6 trillion in damage annually.
In this world of hidden but ubiquitous dangers, it is not the technology alone, but the people who are the greatest weakness of an organization. “People are the biggest risk,” said Gaurav Keerthi, the assistant chief executive of the Cyber Security Agency of Singapore. “They are excited about using the latest thing, but they never think about the risk associated with it.”
The human element is the riskiest
“Do not be surprised that careless workers create problems for you,” warned Ivan Lee, the founder of cybersecurity firm Tegasus International. “People trust things even though they shouldn’t. Even with training, they will do it. Even though they know the link is malicious, somehow, somebody will still move the mouse cursor over and click it.”
When a cybersecurity breach happens because of something done by someone within the organization, it is known as an insider threat. Maxine Holt, research director at Ovum Consulting, described the insider threat as “real and significant”, falling into three categories: the malicious, the sloppy, and the unintentional. The latter two pose a significant risk simply because so many people are either sloppy—cognizant of secure practices but cannot be bothered to follow the rules—or unintentionally risky, meaning that they do not even know about secure practices.
And of course there are the deliberate breaches, committed by disgruntled employees or those who have been bribed or coerced into it. Even the person who cleans the office could inadvertently be the source of a security breach, said Lee: “Someone might offer the cleaning lady 500 dollars to plug in a USB drive [loaded with malicious software], and then? She doesn’t even know what cybersecurity is, she just takes the money and does it, and there go all your security measures.”
What does HR have to do with this?
Organizations critically need to hire IT people who are cybersecurity-savvy. A recent survey of IT decision makers by the Centre for Strategic and International Studies found that 82 percent of employers lack the cybersecurity skills they need—and 71 percent are suffering direct and measurable damage to their organizations as a result.
Unfortunately, the shortage of such people is just as critical. A 2017 estimate by Cybersecurity Ventures suggested that there will be 3.5 million unfilled cybersecurity jobs by 2021, and this number has not decreased at all in the intervening years.
“We are one of the few industries globally experiencing zero-percent unemployment,” said Robert Herjavec, the CEO of security advisory firm Herjavec Group. “Unfortunately the pipeline of security talent isn’t where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyber experts receive, we will continue to be outpaced by the Black Hats.”
In this extremely tight market, HR professionals who deal with recruitment and retention need to educate themselves on cybersecurity so that they can recognize appropriate candidates. Even finding those candidates in the first place may require looking in venues less commonly frequented by HR, such as specialized cybersecurity industry events, local technology meetups, or even hacker groups.
HR needs to help build a security-conscious culture
“Organizational culture is the top indicator of security maturity,” said Jarad Carleton, the cybersecurity global program leader for Frost & Sullivan. It comes above even technology and security operations, he pointed out; and right below those two are people. Organizations that lead in cybersecurity, he explained, follow three people-centric principles: they have best practices in organizational preparedness, they fully brief all their employees on what should be done and why, and they have designated individuals who are responsible for ensuring that practices and processes are followed.
As a shaper and enabler of organizational culture, HR can definitely play a role in creating a culture where employees are educated about cybersecurity and do not become complacent about threats. Carleton made several recommendations which HR is well positioned to carry out: firstly, having formal training for all departments, not just the IT department, so that employees are better able to recognize and respond to cybersecurity threats.
Secondly, creating an incident response procedure which must be disseminated, again to all departments, so that everyone in the organization knows what to do if something should go wrong one day. And thirdly, appointing a Chief Information Security Officer who coordinates cybersecurity strategy for the entire organization.
One thing to absolutely avoid, however, according to the experts, is imposing ever heavier restrictions on employees’ use of devices and the Internet.
“Simply applying overly stringent security controls to eliminate the insider threat is likely to stop individuals from being able to perform their roles efficiently,” said Holt. “People will find ways of circumventing controls so that they can still perform their day-to-day tasks and achieve targets – thus encouraging the sloppy insider.”
But how do you actually get people to behave in a cyber-safe way?
“That’s the million-dollar question!” said Lee. “It has to start at the top. Senior management needs to take a stand, let it trickle from the top down. Don’t try to do it yourself. If you think that one man alone can defend the company, you will end up being the one who leaves the company.”