Much of your business literally lives on computer drives, websites, and cloud servers,
making the protection of that data critical to your firm’s survival and for maintaining the
privacy and trust of customers.
Although the public has grown numb to news of yet another data breach, protecting user
data has become more important as regulation has tightened. Under the European Union's
General Data Protection Regulation (GDPR), companies that handle the personal data of
people in the EU are no longer just required to announce that their systems have been
breached; they can also be fined up to 4 percent of their annual global turnover.
In 2018 alone, big names such as Macy's, Bloomingdale's, and Reddit joined the
ever-growing list of breach victims. Compromised data is a subject that needs the
public’s full attention. Data breaches can result in the loss of millions, even billions, of
private records and sensitive data, affecting not just the breached organization, but also
everyone whose personal information may have been stolen.
A data breach occurs when a cybercriminal successfully infiltrates a data source and
extracts sensitive information. This can be done physically, by gaining access to a computer
or network and copying local files, or remotely, by bypassing network security. The latter is
the method most often used against companies. The following are the steps usually involved
in a typical breach operation:
It may seem like stories of massive data breaches pop up in the news frequently these
days. But it shouldn’t be all that surprising.
As technology progresses, more and more of our information has been moving to the
digital world. As a result, cyberattacks have become increasingly common and costly.
Globally, the average total cost to a company of a data breach is $3.86 million,
according to a study by the Ponemon Institute. That works out to an average of $148 per
stolen record; online crime is a real threat to anyone on the internet.
Cybercrime is a profitable industry for attackers and continues to grow. Hackers seek
personally identifiable information to steal money, compromise identities, or sell over the
dark web. Data breaches can occur for a number of reasons, including accidentally, but
targeted attacks are typically carried out in these four ways:
The following table shows the 10 biggest breach incidents reported to date:
Company/Organization        Number of Records Stolen        Date of Breach
Managing cyber security for an individual seems easy. Most of us have an anti-virus
application installed on our computers and assume that it is enough to protect us against
viruses and other common attacks. This is a major reason many small businesses do not
take cyber security as seriously as they should. They assume that keeping a business
safe is similar to keeping a personal computer safe. A cursory look at the cyber
attacks that businesses have suffered shows that the reality is quite different.
Businesses are rarely hurt by ordinary viruses; what they face is far more
sophisticated.
The biggest difference between ordinary cyber security measures and cyber security
management for businesses is that businesses are deliberately targeted by hackers. These
attackers earn money by breaking into networks, encrypting data, and then demanding a
ransom to hand back access. This can cripple a business (imagine having to run your
business without access to any electronic files), and many businesses end up paying the
ransom in Bitcoin or another cryptocurrency that is difficult to trace back to the attacker.
This is the key thing to understand: anti-virus applications and firewalls are good at
blocking the commodity malware that spreads across the internet. They are much less
helpful against a targeted cyber-attack designed to cripple the business.
What businesses need to keep their data and network safe is a holistic cyber security
management framework. It needs to be holistic because we need to go beyond just
looking at the software and the technology – we also have to look at the people in the
organization, the best practices, business processes, and the business policies that
may have cyber security vulnerabilities. Businesses need to first perform a complete
audit of their own operations. Hiring an external cyber security auditor is important if the
business does not have enough cyber security specialists on board, because finding
these vulnerabilities requires expertise and knowledge.
The cyber security audit will reveal surprising vulnerabilities. It will also show your business
where it needs to improve its cyber security risk management protocols. Most
businesses end up opting for employee training after these audits, because people are the
most vulnerable part of your business when it comes to cyber security. Most employees
simply know how to use computers for their personal and professional uses and are not
aware of cyber security practices at all. Your network can be the most secure network
there is, and all your anti-virus applications can have the latest virus definitions, but they
will not be of any use if your employees open the door for attackers to come in.
Employees without cyber security training fall for traps that open up your network and
data to hackers. The attackers may use phishing, for example a fake login page that
imitates your organization's real website in order to harvest employees' usernames and
passwords. They may spoof email headers so that a message appears to come from a
colleague, making the employee more likely to open the attachment. The list goes on.
All of these attacks have one thing in common: they are far easier to prevent when your
employees know how to recognize them.
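The two tricks described above, a spoofed sender header and a link to a look-alike copy of the organization's site, leave traces that a mail gateway or a trained employee can check for. The script below is an added example written for this page, not code from the essay or its sources: it parses one raw e-mail message, compares the From domain with the envelope sender (Return-Path) and the SPF/DKIM verdict recorded in an Authentication-Results header, and flags links whose host imitates the organization's domain or whose visible text does not match where the link really points. The organization domain example-corp.com and both sample messages are constructed assumptions.

```python
"""Flag a spoofed sender and look-alike links in a raw e-mail message.

Added example for this page; ORG_DOMAIN and the sample messages below are
constructed assumptions, not data from the original essay.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumption: the organisation's real domain

# digits and bars commonly swapped for letters in look-alike names: 0->o, 1->l, |->l
HOMOGLYPHS = str.maketrans("01|", "oll")

AUTH_FAIL = re.compile(r"\b(spf|dkim)=(fail|softfail|permerror|temperror)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL = re.compile(r"https?://[^\s\"'<>]+")


def _domain(header_value):
    """Lower-cased domain of the address in a header, or '' if none parses."""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_org_host(host, org):
    """True for the organisation's own domain or any subdomain of it."""
    return host == org or host.endswith("." + org)


def is_lookalike(host, org=ORG_DOMAIN):
    """True if host imitates org: it is not org (or a subdomain of org) but still
    contains org's name once digit/bar homoglyphs are folded back to letters."""
    host = host.lower()
    if _is_org_host(host, org):
        return False
    return org.split(".")[0] in host.translate(HOMOGLYPHS)


def _auth_failed(msg):
    """True if any Authentication-Results header records an SPF or DKIM failure."""
    return any(AUTH_FAIL.search(str(h)) for h in msg.get_all("Authentication-Results", []))


def check_message(raw, org=ORG_DOMAIN):
    """Return a list of findings (strings) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. header spoofing: From claims the org, but the envelope sender or the
    #    receiving server's SPF/DKIM check says otherwise
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    if from_dom == org and envelope_dom and envelope_dom != org:
        findings.append(f"From claims {org} but envelope sender is {envelope_dom}")
    if from_dom == org and _auth_failed(msg):
        findings.append("SPF/DKIM failed for a message claiming to come from a colleague")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # 2. link text shows the real site while the href goes somewhere else
    for href, shown in ANCHOR.findall(text):
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown.strip()).hostname or "").lower()
        if _is_org_host(shown_host, org) and href_host != shown_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")

    # 3. any URL whose host imitates the organisation's domain
    for url in URL.findall(text):
        host = urlparse(url).hostname or ""
        if is_lookalike(host, org):
            findings.append(f"link to look-alike domain {host}")
    return findings


# constructed phishing sample: spoofed From, SPF failure, and a homoglyph domain
SAMPLE = """\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-blast.example.net; dkim=none
From: "Jane Colleague" <jane@example-corp.com>
To: staff@example-corp.com
Subject: Updated payroll form
Content-Type: text/html; charset="utf-8"

<p>Please sign in to confirm your details:</p>
<a href="http://examp1e-corp.com/login">https://example-corp.com/login</a>
"""

# constructed genuine internal message for comparison
CLEAN = """\
Return-Path: <jane@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
From: "Jane Colleague" <jane@example-corp.com>
To: staff@example-corp.com
Subject: Updated payroll form
Content-Type: text/plain; charset="utf-8"

The form is on the intranet: https://hr.example-corp.com/forms/payroll
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("WARNING:", finding)
    print("clean message findings:", check_message(CLEAN))
```

The envelope/From comparison and the Authentication-Results check only work on mail that has already passed through a receiving server that records SPF and DKIM results; the look-alike test is deliberately simple (name match after folding a few homoglyphs) and is meant to illustrate what a trained eye looks for, not to replace a mail filter.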
We all take care of our own safety. We walk on safe roads, lock up our valuables, and much
more. If businesses want better cyber security management, they will have to create a
culture where employees care just as much about cyber security as they do about the
security of the business's physical assets. The damage that a cyber intruder can cause to
your business goes beyond anything a thief would be able to do within your office.
What role can Human Resources play in mitigating cyber security threats?
1. Recruitment
Research by the technology platform Belong states that the demand for both tech and
non-tech cybersecurity professionals has boomed over the last 18 months. According
to NASSCOM, India's trade association for the IT and BPO industries, cyber security will
create one million jobs by 2025 for the country. Thus, HR has its job cut out in two
ways:
The cybersecurity job market offers many choices for job seekers, and they have
the upper hand in compensation negotiation. The average salaries for freshers in
cybersecurity are around Rs4-5 lakhs while that of top cybersecurity talent have
risen in the range of 25-35 percent and to the tune of Rs2-4 crores in the last 18
months. So, HR needs to work out a package that will not only attract the
candidates but also retain them.
The '2017 IBM X-Force Threat Intelligence Index' report states that 60 percent of cyber
attacks are the result of insider activity, either through unintentional negligence or
malicious intent. This means that employees are either inadvertently or directly involved
in the crime, endangering the digital security of the organisation. They could
accidentally end up sharing information on social media or clicking on phishing emails. If
the crime is intentional, they could use personal accounts instead of official work IDs to
leak information. It is under the purview of HR to design a robust risk management
policy to prevent and monitor cybersecurity risk in the organisation. This policy usually
entails:
Looking for triggers that could induce security breach from employees. For
instance, demotions, transfers or exits.
Laying down Bring Your Own Device (BYOD) and remote working policies –
personal devices used by employees for office work or workforce located at
remote locations are highly vulnerable to cyber threats.
HR professionals do not need to become cybersecurity experts, but they can certainly liaise
with the IT and legal teams to continuously evaluate cybersecurity needs, build cybersecurity
competencies, establish cybersecurity protocols, make cybersecurity training integral to
the on-boarding process, and take timely disciplinary action in case of breaches.
HR professionals need to realize that they work with some of the most vulnerable data
in an organization.
This is information that could personally identify employees if it were stolen, such as
social security numbers, dates of birth, banking information, addresses, and so on. Much of
this information is stored in the company's payroll system, which is a particularly attractive
target for hackers. HR workers need to ensure that no personally identifiable information is
stored in a way that is accessible to the public, whether as hard copy or on unauthorized
laptops or other electronic devices.
HR professionals need to understand that their most likely cyber-attacks will come from
current employees.
These attacks are mostly caused by human error and ignorance: an employee clicking
on a malicious link in an email on the company's network, providing his login details to a
service or company outside the company's network, or downloading malware onto a
company computer. Sometimes, however, the cyber-attack can come from a disgruntled
employee searching for a way to harm the company or another co-worker. According to
the Ponemon Institute’s 2018 Cost of Insider Threats Study, at least 60 percent of data
breaches are carried out by insiders, including current and former employees who take
information with them as they leave a job, either maliciously or not.
HR professionals need to know how to actively protect the data that comes their way.
Kasey Stevens writes in an article for MJ Insurance, “It is imperative that HR pros
understand the different ways a hacker may try to gain access to information – phishing,
ransomware, bots, Trojans, malware, spyware, etc. And it doesn’t help to just know
about these threats; it is important to be able to identify and thwart them. From an
internal perspective, HR pros should be offering training to their employees on
identifying and reporting these threats.”
Simple things like password security, logging out of a computer when finished using it,
only using company devices for company purposes, and not accessing external internet
networks from inside the company’s private network can go a long way. It is the HR
department’s responsibility to communicate these rules to employees and facilitate their
training in company security policy if necessary, so they should be involved in creating
these policies from the start. HR should not be afraid to hold employees accountable for
following established policy and revoke the privileges of those who do not abide by
those policies.
Whether they realize it or not, HR professionals play a large role in helping to maintain a
secure workplace.
References:
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101
https://www.thehartford.com/business-playbook/in-depth/cyber-security-data-breach
https://us.norton.com/internetsecurity-privacy-data-breaches-what-you-need-to-know.html
https://www.shrm.org/shrm-india/pages/what-role-can-hr-play-in-mitigating-cyber-security-threats.aspx
https://www.techfunnel.com/hr-tech/how-cybersecurity-is-beneficial-for-hr-professionals/
http://www.humanresourcestoday.com/cyber-security/?open-article-id=9561872&article-title=why-businesses-struggle-with-cyber-security-management&blog-domain=360factors.com&blog-title=360-factors-
Republic of the Philippines
Polytechnic University of the Philippines
Quezon City Branch
Submitted to:
Submitted by:
BSBA-HRDM 4-1