Research shows that employees are often the reason cyberattacks on a company succeed. Learn how building a cybersecurity culture and engaging HR can address this problem.
In the digital age everything is changing: everyday life, habits, work, and crime. Homes and organizations are now full of electronic keys that open the door to a new kind of value: confidential information. Cyberattacks are far from a new concern, yet there is still no universal, adequate solution to the problem. The irony is that as defensive technology develops, new ways appear to bypass that protection, be it firewalls or complex layered systems.
Moreover, the weakest and most vulnerable link is still the user. Often an attacker does not even need to write a line of code to gain access to information; it is enough to trick the user into opening a malicious attachment, installing malware, or clicking a phishing link and entering their credentials.
Most often a chief information security officer (CISO) bears responsibility for the cybersecurity of an organization, which is quite logical. And, by and large, measures to protect against cyberattacks are associated with technological solutions and the deployment of security software. However, as mentioned above, the human factor cannot be excluded, and this is where the HR department needs to be involved.
According to the Chubb SME Cyber Preparedness Report, 53% of cyber incidents are caused by the intentional or unintentional actions of company employees. How can a people manager help in such a situation, and why should they be involved at all?
The remit of human resource managers has long gone beyond finding, hiring, and firing employees. Today the department is an integral part of the company's internal processes, taking care of the motivation, education, and development of every employee. It is logical that these people can shape correct employee behavior and so reduce cybersecurity risk. Their main lever is culture and the introduction of specific norms.
Any organization, whether a small, medium, or large business, a government agency, or a non-profit, can be targeted. Even with the most modern data security solutions in place, it is important to minimize the chance of a compromise from the inside, that is, through employees. Here are five tips to help people managers understand their role in cybersecurity and protect the organization.
1. Terrible Security Habits
A data breach is a double-edged blade that can easily cut through both the reputation and the budget of a company, regardless of its size or specialization. On average, a data breach costs a company anywhere from several hundred thousand to several million in direct costs. The loss of reputation and trust, among partners and stakeholders as well as consumers, is far harder to quantify.
Quite often, employees with poor security habits are the cause of internal data leaks. Social media is one of the channels through which attackers reach such employees: public profiles reveal roles, colleagues, and interests that make a spear-phishing message convincing, and oversharing can leak internal details directly. This is where the HR department needs to be especially alert. The main task is to identify employees who pose a potential risk to the company and act in time. That sounds like a challenging task, and it is. But in close cooperation with the IT department, it is quite possible to find a way to identify the biggest risks, for example by looking at who repeatedly fails phishing simulations or violates policy, rather than by guesswork.
2. Educate the Newbie
The responsibilities of a human resources department go far beyond hiring. Today it is a full-fledged system within the company whose responsibilities include personnel management, organizing training and leisure, providing comfortable working conditions, and much more. One stage of finding and hiring an employee is their welcome into the company: an introduction to the internal rules and culture, basic policies, and the peculiarities of the work.
What is obvious to an experienced co-worker may be completely new information to a beginner. The task of the people manager is to provide additional training for the new employee: warn them about the danger of account compromise, explain the consequences of information leakage, and give advice on how to avoid it. Incorporating "cybersecurity hygiene" practices (unique passwords kept in a password manager, multi-factor authentication, caution with unexpected attachments and links, and reporting suspicious messages) into the company's culture is one of the best ways to do this.
If necessary, additional instructions or a memo for employees can be developed. Collaborating with the security team ensures all the nuances are covered. Such instructions need to be updated over time, since the methods used to hijack employee accounts are also constantly changing.
3. Investigate Potential Cyberattacks
This rule is especially crucial for a software development company. The IBM threat report claims that 60% of attacks are caused by the intentional or unintentional actions of employees (a different figure from the Chubb report cited above; such statistics depend heavily on how incidents are counted). This may mean either that the employee unknowingly served as the attacker's tool and did not suspect the consequences of their actions, or the reverse: that they deliberately used an unsecured connection or gave the attacker access to sensitive data.
Of course, such cases should be investigated by the chief information security officer and the security team; however, the HR department also has a role to play. Potential threats can be identified from employee behavior. This is not about total surveillance of every step taken in the office, but about how corporate devices and accounts are used: logins at unusual times or from unusual places, access to data outside a person's role, or unusually large downloads. With modern analysis methods and tools, such behavioral patterns can be identified and data leakage prevented in time. Any such monitoring must be transparent to staff and compliant with local privacy and labor law, which is another reason HR belongs at the table.
It shouldn't turn into a spy game or a witch hunt, but it will allow additional training for a careless employee or identify a dishonest one. And by analyzing the mistakes made, they can be avoided in the future.
4. Be Aware When Hiring Cybersecurity Experts
This is the very domain where HR specialists should be especially careful. The search for high-quality specialists requires the people manager to understand in depth the responsibilities of each position in a given department. It is not enough to list the basic and additional requirements for an expert; you need to understand what they are for. This cannot be done without real involvement in the company's cybersecurity and beyond.
This means that HR should keep a finger on the pulse of new attack techniques and ways into databases. This helps create a more detailed job description and weed out unqualified candidates at the first interview stage. It is also necessary to understand the difference between roles in the cybersecurity department (a SOC analyst, a penetration tester, and a security architect, for example, need very different skills) to select specialists as accurately as possible.
To do this, the support of other specialists in the company who can test the candidate's skills can be enlisted; however, if there is no such person, the responsibility falls entirely on the shoulders of the people manager.
5. Take Care of the Cybersecurity Department
This sounds obvious, especially given the previous point. And yet there is an important caveat for the HR department when hiring cybersecurity professionals. Checking skills and education is common practice, but this field has its own specifics, for example additional training and certification. Having identified the skills required of a candidate for a position in the information security department, the people manager must check that the candidate actually has them. Initially on paper: finding out whether the candidate holds certificates is only the first step. The second is to make sure they were obtained from accredited and competent organizations that not only have the right to issue certificates but also specialize in training for the required profile. Most reputable certification bodies provide a way to verify a credential by holder name or certificate ID, and it is worth using it: a claimed certificate that cannot be verified is a red flag.
Further, it is necessary to check from time to time whether the department and its specialists need something: new tooling, refresher courses, or training in current practices for countering cyberattacks. Some companies introduce mandatory exams for their cybersecurity staff to motivate them to constantly update their knowledge and practice their skills. This is good practice that helps identify gaps in employee knowledge and address them in time.
So, as mentioned above, the HR department is the main driver for introducing cybersecurity education into a company's culture. This means the initiative must come from this department, which requires people managers to have a deep understanding of the problem.
The main way to successfully build and implement a cybersecurity culture is close collaboration, or even partnership, between HR and the CISO.
The main building blocks of a strong cybersecurity culture in an organization are people, process, technology, and external partners. Active participation and interaction among several groups and departments, including HR, is therefore required. While only people and process relate directly to culture, technology and external partners also have a strong influence. To date, three-quarters of the companies surveyed engage managers in cybersecurity. In a hierarchical model, information and decisions flow down from the top tier to the bottom, and feedback from each employee goes to a higher-level specialist, creating a closed loop.
This system can break down in two places: communication about the importance of following cybersecurity rules that is too infrequent (an annual meeting, for example), and a poorly constructed communication system. It is the HR department that is responsible for effective internal communication, and that is why it should be heavily involved in building a cybersecurity culture.
Another important rule is to improve cybersecurity continuously. There is no one-size-fits-all solution and no shelf life for it. The cybersecurity culture must constantly grow and develop in all directions: from the implementation of technological solutions to improving the effectiveness of risk management.
One of the barriers to the continuous improvement of risk management programs is the speed of change and people's willingness to accept those changes. Critical information that affects the strategy indirectly and can cause it to fail is also often overlooked. AI and Big Data analytics are applied to catch such signals, but HR is best equipped to understand the human challenges that prevent effective organizational change.
Building a cybersecurity culture means establishing a set of behaviors that help ensure an organization protects its information, be it employee records, customer data, or intellectual property. Together, HR and the CISO can streamline and monitor this process. A cybersecurity culture is very similar to any other culture, and well-established processes of cultural transformation can be used to promote it. HR specialists are always involved in changing or reviving a company's culture; their skills are sufficient to take part in creating a cybersecurity culture too.