
The Role of Human Resources in Data Breach and Cyber Security

Much of your business literally lives on computer drives, websites, and cloud servers,
making the protection of that data critical to your firm’s survival and for maintaining the
privacy and trust of customers.

Though people have reached a seeming point of desensitization to news citing a data
breach, protecting user data has become increasingly important amid stricter regulation
implementation. Companies are no longer just required to announce that their systems
have been breached but also pay fines that can reach up to 4 percent of their annual
turnover should they deal with the data belonging to European Union (EU) citizens in
accordance with the General Data Protection Regulation (GDPR) requirements.

Just this year, big names such as Macy’s, Bloomingdale’s, and Reddit have joined the
ever-growing list of breach victims. Compromised data is a subject that needs the
public’s full attention. Data breaches can result in the loss of millions, even billions, of
private records and sensitive data, affecting not just the breached organization, but also
everyone whose personal information may have been stolen.

What is Data Breach?

A data breach occurs when a cybercriminal successfully infiltrates a data source and
extracts sensitive information. This can be done physically by accessing a computer or
network to steal local files or by bypassing network security remotely. The latter is often
the method used to target companies. The following are the steps usually involved in a
typical breach operation:

1. Research: The cybercriminal looks for weaknesses in the company’s security
(people, systems, or network).
2. Attack: The cybercriminal makes initial contact using either a network or social
attack.
3. Network/Social attack: A network attack occurs when a cybercriminal uses
infrastructure, system, and application weaknesses to infiltrate an organization’s
network. Social attacks involve tricking or baiting employees into giving access to
the company’s network. An employee can be duped into giving his/her login
credentials or may be fooled into opening a malicious attachment.
4. Exfiltration: Once the cybercriminal gets into one computer, he/she can then
attack the network and tunnel his/her way to confidential company data. Once
the hacker extracts the data, the attack is considered successful.

It may seem like stories of massive data breaches pop up in the news frequently these
days. But it shouldn’t be all that surprising.
As technology progresses, more and more of our information has been moving to the
digital world. As a result, cyberattacks have become increasingly common and costly.

Globally, the average total cost to a company of a data breach is $3.86 million,
according to a study by the Ponemon Institute. This means that at $148 on average per
stolen record, online crime is a real threat to anyone on the internet.

According to Symantec, personally identifiable information — such as full names, credit
card numbers, and Social Security numbers — was the most common form of data lost
to data breaches in 2016, with personal financial information close behind.

Corporations and businesses are extremely attractive targets to cybercriminals, simply
due to the large amount of data that can be nabbed in one fell swoop.

Why do data breaches occur?

Cybercrime is a profitable industry for attackers and continues to grow. Hackers seek
personally identifiable information to steal money, compromise identities, or sell over the
dark web. Data breaches can occur for a number of reasons, including accidentally, but
targeted attacks are typically carried out in these four ways:

- Exploiting system vulnerabilities. Out-of-date software can create a hole that
allows an attacker to sneak malware onto a computer and steal data.
- Weak passwords. Weak and insecure user passwords are easier for hackers to
guess, especially if a password contains whole words or phrases. That’s why
experts advise against simple passwords, and in favor of unique, complex
passwords.
- Drive-by downloads. You could unintentionally download a virus or malware by
simply visiting a compromised web page. A drive-by download will typically take
advantage of a browser, application, or operating system that is out of date or
has a security flaw.
- Targeted malware attacks. Attackers use spam and phishing email tactics to try
to trick the user into revealing user credentials, downloading malware
attachments, or directing users to vulnerable websites. Email is a common way
for malware to end up on your computer. Avoid opening any links or attachments
in an email from an unfamiliar source. Doing so can infect your computer with
malware. And keep in mind that an email can be made to look like it comes from
a trusted source, even when it’s not.

What are the biggest data breaches to date?

The following table shows the 10 biggest breach incidents reported to date:

Company/Organization                        Number of Records Stolen                                            Date of Breach

Yahoo                                       3 billion                                                           August 2013

Equifax                                     145.5 million                                                       July 2017

eBay                                        145 million                                                         May 2014

Heartland Payment Systems                   134 million                                                         March 2008

Target                                      110 million                                                         December 2013

TJX Companies                               94 million                                                          December 2006

JP Morgan & Chase                           83 million (76 million households and 7 million small businesses)   July 2014

Uber                                        57 million                                                          November 2017

U.S. Office of Personnel Management (OPM)   22 million                                                          Between 2012 and 2014

Timehop                                     21 million                                                          July 2018

Why do businesses struggle with cyber security management?

The rise of eCommerce and our dependency on information technology to conduct
business means that every business now takes cyber security seriously. Yet, the cyber
security threat keeps growing, and the number of businesses attacked also goes up
every year. Why does this happen? Why are businesses vulnerable to these attacks,
and what strategies can be used to eliminate these vulnerabilities? Let’s look at why the
cyber security management landscape is so different for businesses.

Businesses Have Very Different Cyber Security Needs

Managing cyber security for individuals is very easy. Most of us have anti-virus
applications installed on our computers, which is more than enough to protect us against
viruses and other types of attacks. This is a major reason many small businesses do not
take cyber security as seriously as they should. They assume that keeping a business
safe is similar to keeping a personal computer safe. A cursory look at the cyber
attacks that businesses have suffered through will show that the reality is quite different.
Businesses aren’t hurt or hacked through viruses – what they face is much more
sophisticated.

Businesses are Targeted by Hackers

The biggest difference between normal cyber security measures and cyber security
management for businesses is that businesses are targeted by hackers. These hackers
earn money by hacking networks, encrypting data, and then demanding a ransom to
hand over access to the business. This can cripple businesses – imagine having to run
your business without access to any electronic files – and many businesses end up
making the ransom payment through Bitcoin or other untraceable crypto currencies.

This is the key thing to understand – anti-virus applications and firewalls are excellent at
blocking the viruses that are spreading throughout the internet. They are not as helpful
when dealing with a targeted cyber-attack that aims to cripple the business.

Holistic Cyber Security for Businesses

What businesses need to keep their data and network safe is a holistic cyber security
management framework. It needs to be holistic because we need to go beyond just
looking at the software and the technology – we also have to look at the people in the
organization, the best practices, business processes, and the business policies that
may have cyber security vulnerabilities. Businesses need to first perform a complete
audit of their own business. Hiring an external cyber security auditor is important if the
business does not have enough cyber security specialists on board, because finding
these vulnerabilities requires expertise and knowledge.

The cyber security audit will reveal surprising vulnerabilities. It will also let your business
know where it needs to improve its cyber security risk management protocols. Most
businesses end up opting for employee training after these audits, because employees are the
most vulnerable part of your business when it comes to cyber security. Most employees
simply know how to use computers for their personal and professional uses and are not
aware of cyber security practices at all. Your network can be the most secure network
there is, and all your anti-virus applications can have the latest virus definitions, but they
will not be of any use if your employees open the door for attackers to come in.
Employees that do not have cyber security management training fall for traps which
open up your network and data to hackers. The hackers may attack through phishing
– creating a fake website that looks like your organization’s real website to get
usernames and passwords of employees. They may spoof email headers to make it
appear as if the email came from a colleague, to ensure that the employee will
open the email attachment. The list goes on and on. All of these attacks have one thing
in common – they are very easy to prevent if your employees know about them.
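The header spoofing described above (a message made to look as if it came from a colleague) can be caught with a few mechanical checks before an employee ever sees the attachment. The script below is an added example, not part of the original paper or its sources. It assumes a company domain of example.com, a tiny employee directory standing in for the HR system of record, and two constructed sample messages; it flags a display name that belongs to a known employee but is paired with a different mailbox, a sender domain that is a near-miss of the company domain, and a Reply-To that would silently redirect answers elsewhere.

```python
"""
Added example (not from the original paper): header checks for messages that
impersonate a colleague. The company domain, the directory entries and the two
sample messages are all constructed for the demonstration.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain

# Constructed employee directory (lower-cased display name -> mailbox). In a
# real deployment this would be looked up in the HR directory, not hard-coded.
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "raj patel": "raj.patel@example.com",
}


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_headers(raw, internal_domain=INTERNAL_DOMAIN, directory=DIRECTORY):
    """Return a list of findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name of a real employee, but the mailbox is not theirs.
    known = directory.get(from_name.strip().lower())
    if known and known.lower() != from_addr.lower():
        findings.append("display-name impersonation")

    # 2. Sender domain is within two edits of the company domain but not equal to it.
    if from_domain and from_domain != internal_domain \
            and edit_distance(from_domain, internal_domain) <= 2:
        findings.append("look-alike domain")

    # 3. Replies would go to a different domain than the one shown in From.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to mismatch")

    return findings


# Constructed sample messages: one genuine internal mail, one impersonation.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: raj.patel@example.com
Subject: Q3 payroll file

Attached as discussed.
"""

SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.payroll@mail-example.net>
To: raj.patel@example.com
Subject: URGENT: updated payroll file

Please open the attached file right away.
"""


def run_demo():
    """Analyse both samples and return {label: findings}."""
    return {label: analyse_headers(raw)
            for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED))}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {findings or 'no findings'}")
```

The three checks are deliberately cheap so they can run in a mail gateway rule or a reporting add-in; any finding is a reason to route the message to the security team rather than to the employee's inbox. The directory lookup is the one that most depends on HR: it only works if the employee roster the check consults is kept current as people join, move and leave.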

We all take care of our safety. We walk on safe roads, lock up our valuables, and much
more. If businesses want better cyber security management, they will have to create a
culture where employees care just as much about cyber security software as they do
about the security of the physical assets of the business. The damage that a cyber
intruder can cause to your business goes beyond anything a thief would be able to do
within your office.

What role can Human Resources play in mitigating cyber security threats?

Organisations have started implementing measures to curtail the threats. From
implementing sophisticated IT systems and taking out cyber insurance to hiring
cybersecurity experts, they are taking every possible step to fight cybercrime. Now, one
school of thought believes that the IT team should have the key responsibility to tackle
cybersecurity-related concerns, but there is another school of thought which puts HR in
the forefront on this matter. So, the question the HR community has been debating is
whether HR is responsible for cybersecurity and, if yes, then how.

It wouldn't be incorrect to say that HR would have to play a 'people's role' in
cybersecurity. Let's delve deeper and throw more light on this matter.

1. Recruitment

Research by the technology platform Belong states that the demand for both tech and
non-tech cybersecurity professionals has boomed over the last 18 months. According
to NASSCOM, India's trade association for the IT and BPO industries, cyber security will
create one million jobs by 2025 for the country. Thus, HR has its work cut out in two
ways:

- It needs to understand the cybersecurity requirements of the organization and the
myriad job roles that exist in cybersecurity - security analyst, chief information
security officer, intrusion detection specialist, incident responder, information risk
auditor, vulnerability assessor and so forth. Only then can HR create accurate
job descriptions and identify the right fit.

- The cybersecurity job market offers many choices for job seekers, and they have
the upper hand in compensation negotiation. The average salaries for freshers in
cybersecurity are around Rs4-5 lakhs while those of top cybersecurity talent have
risen in the range of 25-35 percent and to the tune of Rs2-4 crores in the last 18
months. So, HR needs to work out a package that will not only attract the
candidates but also retain them.

2. Risk Management Posed by and for Employees

The '2017 IBM X-Force Threat Intelligence Index' report states that 60 percent of cyber
attacks are the result of insider activity, either through unintentional negligence or
malicious intent. This means that employees are either inadvertently or directly involved
in the crime, endangering the digital security of the organisation. They could
accidentally end up sharing information on social media or clicking on phishing emails. If
the crime is intentional, then they could use personal ids instead of official work ids to
leak information. It is under the purview of HR to design a robust risk management
policy to prevent and monitor cybersecurity risk in the organisation. This policy usually
entails:

- Setting up approval and authentication workflows across hierarchies and
departments.

- Educating employees to sensitise them to cyber risks and the implications of
non-adherence to security measures at the organizational as well as individual level.

- Looking for triggers that could induce a security breach by employees. For
instance, demotions, transfers or exits.

- Laying down Bring Your Own Device (BYOD) and remote working policies –
personal devices used by employees for office work or a workforce located at
remote locations are highly vulnerable to cyber threats.

3. Ethical Hacking and Cyber Security Measures

Thwarting threats is necessary, but overstepping ethical boundaries is uncalled for. HR
needs to take care of ethics in cyber security on two fronts:

- Employee Privacy: Most organisations monitor the telephone, mobile, email,
computer and internet usage activity of their employees to prevent inappropriate
or unlawful behaviour. While employers do have a legal right to preserve the
security of their data, they should ensure that they do not violate the privacy of
employees. Otherwise, it could lead to an atmosphere of mistrust. It is here that HR
should formulate a clear and transparent policy informing employees about the
organisation's communication (digital as well as non-digital) monitoring policy.

- Hiring Ethical Hackers: Today, many organisations hire ethical hackers to
analyse the hidden vulnerabilities in the organisation's security system. Also
known as undercover cops or white hat hackers, these professionals hack
the internal systems with the company's permission. However, if the hiring of ethical
hackers goes wrong, it could have severe adverse implications for the
organisation. It is HR's responsibility to decide the terms of engagement, such as
hiring and termination dates, non-disclosure agreements and communication
protocols with the hackers.

4. Anticipate Skilling Needs

The cybersecurity professionals employed by the organisation should be aware of the new
technologies and cyber threats that emerge every day. They should be equipped with the
necessary skills to handle such situations promptly. HR has to ensure that assessments
of the organisation's cybersecurity competency and individual cybersecurity skills are
conducted at regular intervals. This will ensure that both the organisation and its cyber
security teams are ready to respond to cyber attacks when they take place. If the
existing cybersecurity staff needs re-skilling or upskilling, HR should design tailor-made
training programs and also ensure that their curricula stay updated. If the capability cannot
be built in-house, then HR needs to anticipate the cyber skill requirements and hire
externally.

HR does not need to become cybersecurity experts, but it can certainly liaise with the IT
and legal teams to continuously evaluate cybersecurity needs, build cybersecurity
competencies, establish cybersecurity protocols, make cybersecurity training integral to
the on-boarding process, and take timely disciplinary actions in case of breaches.

What should every HR worker know about cybersecurity?

HR professionals need to realize that they work with some of the most vulnerable data
in an organization.

This is information that applies to employees that could personally identify them if
stolen—information such as social security numbers, date of birth, banking information,
addresses, etc. Much of this information will be stored in the company’s payroll system
which can be especially targeted by hackers. HR workers need to ensure that no
personally identifiable information is stored in a way that is accessible to the public,
including via hardcopy or on unauthorized laptops or other electronic devices.

HR professionals need to understand that their most likely cyber-attacks will come from
current employees.

These attacks are mostly caused by human error and ignorance—an employee clicking
on a malicious link in an email on the company’s network, providing his login details to a
service or company external to the company’s network, or downloading malware onto a
company computer. Sometimes, however, the cyber-attack can come from a disgruntled
employee searching for a way to harm the company or another co-worker. According to
the Ponemon Institute’s 2018 Cost of Insider Threats Study, at least 60 percent of data
breaches are carried out by insiders, including current and former employees who take
information with them as they leave a job, either maliciously or not.

HR professionals need to know how to actively protect the data that comes their way.
Kasey Stevens writes in an article for MJ Insurance, “It is imperative that HR pros
understand the different ways a hacker may try to gain access to information – phishing,
ransomware, bots, Trojans, malware, spyware, etc. And it doesn’t help to just know
about these threats; it is important to be able to identify and thwart them. From an
internal perspective, HR pros should be offering training to their employees on
identifying and reporting these threats.”

HR professionals need to be a part of cybersecurity efforts within the company.

Cybersecurity shouldn’t just be under the purview of the IT team. Breaches rarely occur
within the domain of those who specialize in information technology; the weak link is
usually elsewhere. While the IT department should be on hand to aid other departments
in shoring up cyber defenses, every department, including HR, should be on hand to
discuss ways to prevent breaches and defend against attacks.

HR should be heavily involved in crafting and enforcing company-wide security policies.

Simple things like password security, logging out of a computer when finished using it,
only using company devices for company purposes, and not accessing external internet
networks from inside the company’s private network can go a long way. It is the HR
department’s responsibility to communicate these rules to employees and facilitate their
training in company security policy if necessary, so they should be involved in creating
these policies from the start. HR should not be afraid to hold employees accountable for
following established policy and revoke the privileges of those who do not abide by
those policies.

Whether they realize it or not, HR professionals play a large role in helping to maintain a
secure workplace.

References:

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101

https://www.thehartford.com/business-playbook/in-depth/cyber-security-data-breach

https://us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html

https://www.shrm.org/shrm-india/pages/what-role-can-hr-play-in-mitigating-cyber-security-threats.aspx

https://www.techfunnel.com/hr-tech/how-cybersecurity-is-beneficial-for-hr-professionals/

http://www.humanresourcestoday.com/cyber-security/?open-article-id=9561872&article-title=why-businesses-struggle-with-cyber-security-management&blog-domain=360factors.com&blog-title=360-factors-

Republic of the Philippines
Polytechnic University of the Philippines
Quezon City Branch

SEMINAR-WORKSHOP IN HUMAN RESOURCE MANAGEMENT TRENDS AND
ISSUES (MANA 4123)

ISSUES AND TRENDS IN HUMAN RESOURCES


THE ROLE OF HUMAN RESOURCES IN DATA BREACH AND CYBER SECURITY

Submitted to:

Professor Melanie F. Bactasa

Submitted by:

Emmanuel John E. Lacsamana

Course, Year, and Section:

BSBA-HRDM 4-1
