The human resources (HR) department has an increasingly active part to play in cyber-security, it was suggested at a webinar yesterday.
HR can address the risk caused by human behaviour, besides ensuring that the workforce is ‘cyber aware’. Behavioural psychologist Mark Sirkin of ACP (Advanced Cyber Protection) said: “It isn’t just about technology any more; it’s about people.”
He began the webinar, hosted and sponsored by the trade body MAKE UK, with the point that most successful cyber attacks are caused by human error. Some of those ‘human factors’ include lack of information (people just don’t know what they are doing), and lack of awareness and attention. Whether through unprotected devices or pressing the wrong button, people are putting themselves in danger online, and yet IT users are the first line of defence for most companies, particularly in times of the Covid-19 pandemic, when people are in lockdown and some are working from home.
Hence another cause of human error can be lack of focus; workers are distracted and worried. And, he went on, there’s a growing body of research showing that personality factors make a difference. If you aren’t an honest and careful person, you may leave your employer open to cyber attacks. Someone with attention to detail does make for more ‘cyber immunity’, although, as he did point out, ‘there’s no such thing as complete immunity’.
As cyber crime becomes more sophisticated, human behaviour becomes more vulnerable to cyber attack. In other words, the people carrying out cyber attacks know of these human vulnerabilities and evolve their methods to get around protections.
Mark Sirkin spoke of how we are in ‘a new VUCA world’, VUCA being an American military term standing for volatile, uncertain, complex and ambiguous. Add VUCA to cyber, ‘and we have the ultimate HR challenge’. He repeated his theme: “It isn’t about hardware, it isn’t about technology; it’s about people,” who interact with machinery.
Often people are the weakest link, for instance when faced with phishing emails; different people are vulnerable for different reasons. If you’re a president or a treasurer of an organisation, cyber-attackers may target you with personalised mail, with the aim of getting money switched to bank accounts for the attackers’ benefit. Whole villages, he went on, are dedicated to cyber crime, doing research on social media posts to craft very specific messages. If, for example, you posted that a relative has been hospitalised for Covid-19, you may be mailed with an appeal from someone whose mother cannot afford hospital treatment, and you might be more susceptible to such an attack. If you are a gambler, you may click on a mail offering a ‘hot tip’ on the stock market or sports.
As Mark said, more and more information is coming at us, and the demand is on us to respond quickly; and added to that are the emotional pressures of Covid-19.
He described what he called ‘an overall cyber defence strategy’. It does treat proper hardware and updated software as essential, along with top-down support from leadership; but it makes HR responsible for policy (what people are permitted or encouraged to do online) and process (how things get done), and for input on specifics throughout an employee’s time with a business, from selection and on-boarding to development and promotion, and last but not least off-boarding (revoking IT privileges, because a departing employee whose access is not terminated could, if so inclined, wreak havoc).
Cyber immunity, he said, is not just an IT or an HR problem: “It’s a corporate problem, a company problem, and it requires that leadership is aligned, that leadership provides top-down support for all the immunity efforts.”
Policy covers, for instance, whether to allow flash drives into company computers that you take home. Processes include firewalls for home-office IT as well as in the actual office. If you do put something in place, it’s meaningless, he said, without assessing how it’s doing. At on-boarding, the employee needs to understand that cyber is important. Whether the newcomer is given basic or advanced training depends on their role. That training shouldn’t just be passive, but should include testing with simulated phishing emails.
If a new employee, when tested, is particularly impulsive, they are going to be more likely to press a button and cause danger online, or respond to an ‘urgent’ email; those employees will require more help in understanding how their personality may make them more vulnerable to cyber-attack. All parts of a co-ordinated plan need measuring and renewing, as the cyber threat is evolving. People may not fall for the ‘Nigerian princess’ email appeal any more, but even well-trained people may fall for something more sophisticated.