HR plays key role in cyber security: Report

Should cultivate risk-aware culture

HR can play a key role in an organization’s cyber security, according to IBM’s 2015 Cyber Security Intelligence Index, which pulled information from more than 8,000 client devices in over 100 countries.

More than one-half (55 per cent) of all cyber attacks are carried out by insiders. These insiders can be malicious — employees or third parties with physical or remote access to an employer’s assets with the intention to attack an organization’s cyber security — or “inadvertent actors.” 

And the breaches can pose a significant threat, resulting in substantial financial and reputational losses, said IBM.

More than 95 per cent of the breaches by insiders are caused by human error. They can include the accidental posting of confidential information, the sending of confidential information to the wrong party via email, fax or mail, or the improper disposal of clients’ records.

The breaches can be mitigated through proper hiring, onboarding and training practices, according to IBM, and human resources professionals need to be an essential part of any company’s cyber security. 

“Traditional security solutions, such as anti-virus and anti-spyware software, aren’t equipped for 24-7 compliance with consideration to the increasingly sophisticated and evolving cyber attacks,” said Paul Eisner, director of development, security intelligence and MSS for IBM Security in Fredericton. 

Instead, employers need to embrace a more active role when it comes to the cyber security realm and work towards cultivating a cyber risk-aware culture, he said.

“Providing effective user education is a good start,” said Eisner. “Cyber security is crucial right from the very beginning of onboarding a new employee.” 

Workflows, processes

Policy-based workflows and authorization processes should be introduced to employees as part of their initiation to the workplace, and these programs should be backed by behavioural analytics and security intelligence tools with automated monitoring services, said Eisner.

“In addition, employers should always monitor and audit what’s going on within the barriers of the company, such as looking out for any suspicious and out-of-the-ordinary behaviour.” 

Integrating an organization’s cyber security and HR assets is the best way to protect confidential information, said Kevin Wennekes, chief business officer for the Ottawa-based Canadian Advanced Technology Alliance.

“There’s almost a need for cyber security to be in the DNA of an organization and its structure,” said Wennekes. “Every role, every position, has to be considered from a cyber security risk perspective and every employee needs a basic understanding of how to protect and uphold the company’s cyber security strategies, mandates and requirements.” 

Human resources professionals are often an organization’s greatest asset in strengthening cyber security because they have a unique understanding of the workforce, he said.

“All employers face the challenge of addressing the weakest link in the cyber security chain, which is the human factor. It’s generally going to be a human error which impacts an organization,” said Wennekes. 

HR professionals are in a position to ensure cyber security speaks to the specific needs of an organization, and that cyber security is integrated into the company’s culture, he said, recommending cyber security be assessed as part of employees’ performance in the same way sales numbers might be. 

Cyber security is worth the investment of both an organization’s money and its time, said Janet Salopek, Calgary-based partner and senior consultant for Salopek & Associates. HR professionals are an integral part of that investment, she said, because they have the greatest understanding of a company’s culture and the people who create it.

“A large number of people in the workforce are millennials,” said Salopek. “Our millennials rely very heavily on their personal devices, either their cellphones or their computers, while they work. They strive for that work-life balance and so they often work from home and use their personal devices.” 

Understanding these types of workplace dynamics is an integral part of developing appropriate policies and programs to address cyber security, she said, and that understanding also ensures employees are trained in the most effective and efficient manner possible.  

“It’s critical right now because of who we have in our workforce and how they like to do their work,” said Salopek. 

When cyber security is integrated into an organization’s culture, she said, that security follows employees as they work remotely from home or abroad. 

“You have to talk about it, make it part of the culture of your organization. Organizations benefit from the fact that millennials willingly take work home with them or work from wherever they are to meet deadlines,” said Salopek. 

“When you create that type of work environment with those expectations and the desire for people to go that extra mile, that becomes part of your culture. When that happens, it’s really important to talk to your people about what they need to do to make sure they’re protecting themselves and also your organization.” 

Employers are often reluctant to discuss cyber security as it relates to employees working from home, said Salopek, because they fear it will lead to conversations about company-provided personal devices. 

“Sometimes, we’re reluctant to talk about this and put the topic on the table because we’re not sure where the conversation is going to go,” she said. “But I truly believe this is the way the majority of our people want to work and it allows them to have that work-life balance so we really need to be courageous and have these conversations.” 
