Government figures released last year indicate that the costs associated with the most severe online breaches of cyber security now start at £1.46 million for large businesses, up from £600,000 in 2014, and can reach up to £310,000 for small businesses, up from £115,000 in 2014. *Footnote 1
Cyber-crime, internal breaches of security and leakage of confidential business information are making news headlines on a regular, almost daily, basis.
In April 2016, for example, the Law Society Gazette reported that hackers are understood to have breached the security systems of at least one major international law firm, with reports from the USA that two London-based ‘magic circle’ firms were among those targeted by attackers seeking inside information. *Footnote 2
But what has all this got to do with Human Resources? Isn’t the prevention of cyber-crime an issue for the IT department?
Research has shown that most breaches of cyber security are staff related, resulting from employees’ inadvertent use of technology: not understanding the risks, making mistakes, or failing to comply with organisational policies.
It is no coincidence, then, that in February 2016 Ed Vaizey MP, Minister for Culture and the Digital Economy, joined forces with the CIPD to officially launch a new e-learning tool to help the HR profession tackle cyber threats in the workplace. The free online course ‘Cyber Security for HR professionals’ is part of a wider partnership between the Government and senior HR, information and cyber security professionals to promote the importance of cyber security at work.
The CIPD, in its online course, refers to cyber security as protecting yourself, your organisation and any employee or customer data when doing business in today’s interconnected world.
The role of HR in combatting cyber-crime
While recognising the technical complexities involved in combatting cyber-crime, and the need to work closely with IT and security professionals, HR has a pivotal role to play in ensuring that an organisation’s systems, and its policies for monitoring and protecting against cyber-crime, are consistent.
The following are a few examples of areas to focus on:-
1. Recruitment and induction
HR should protect sensitive personal information by ensuring that CVs and other personal candidate information are only accessible to those individuals directly involved in the recruitment process.
Induction processes should provide new recruits with information on cyber security, including the right messages, policies, risks and risk awareness.
An ethical stance on cyber security can be demonstrated early on by ensuring that new recruits do not bring clearly confidential information with them from a previous employer.
2. Cyber security education
Employees need to understand what sorts of behaviours constitute cyber security risks and be supported and encouraged to become more cyber secure. As pointed out by the CIPD’s online course, many inadvertent behaviours demonstrate a dangerous lack of awareness of good security practice, including the following:-
- Sharing passwords with other employees;
- Sharing computers with other employees;
- Writing down passwords on paper/post-it notes and leaving them lying on desks;
- Use of workplace computers for personal e-mail and social media accounts;
- E-mailing confidential information without adequate protection;
- E-mailing confidential information to organisations external to the employer without adequate checks;
- Opening attachments from unreliable sources;
- Sharing inappropriate information about the employer, its clients and employees on social media sites.
3. Identifying risks - disgruntled employees
A significant threat to an organisation’s systems is that posed by disgruntled employees deliberately attacking it, or stealing information and passing it to other parties. HR, in conjunction with management, could reduce this risk in a number of ways, including:-
- Considering whether it is wise for an employee to work their notice. Other options may be more sensible, such as placing them on garden leave or making a payment in lieu of notice (subject to contractual provisions);
- Observing the behaviour of employees who may be leaving your business or who have served notice – are they working unusual hours, coming in early or leaving late?
- Looking out for the appearance of USB sticks or portable hard drive devices when the practice is to access all information online through the organisation’s systems;
- Looking out for any employees asking for information that they are not authorised to access or asking for information they would not usually need to access for the performance of their duties.
4. Reviewing and updating policies
Data Protection, IT and Communications, Social Media and Homeworking policies should be reviewed to cover acceptable use of the organisation’s systems and to include information on specific risks such as hacking, phishing, banking scams, unusual attachments, and malware.
Sources of information for this blog*
- ‘CIPD joins forces with the Department of Culture, Media and Sport to tackle cyber security in the workplace’, CIPD, 05 Feb 2016
- ‘M&A Hack Attack on 48 Elite Law Firms’, Law Society Gazette, 4th April 2016
The Furley Page Employment Team will examine the employment law and human aspects of cyber-security for organisations in more detail in their Employment Law Update seminar in conjunction with the Kent Invicta Chamber of Commerce on Thursday 21st April 2016.