Cybersecurity education: How HR can plan for the inevitable
Cybersecurity is a major concern for any organization, but employees continue to be a top threat. HR can help mitigate insider risks by providing regular training and reminders.
CEOs perceived cybersecurity as the global economic or social trend most likely to affect their organizations in the near future, according to Mercer's "2018 Global Talent Trends" report. With this concern lies a mandate for HR professionals everywhere: If you are not regularly engaging your workforce in its responsibility for cybersecurity, you are doing your organization a disservice.
While nation-state attackers may seem the scariest kind of threat, let's look at the cyber breaches that are closer to your control. Your organization may be more likely to be hacked through inadvertent actions by your own workers -- a threat that can be reduced with cybersecurity education and yearly reminders.
The Ponemon Institute reported that 25% of breaches are inadvertent, such as when an employee opens an infected file or email on the desktop or on his or her cellphone. With the plethora of mobile devices exposed to the corporate network while at work or outside the office, the gateway for destructive code is magnified. Ensuring that all workers with network access of any sort understand what phishing and spoofing look like is critical.
Monitoring employee sentiment
Much is made of employee engagement and sentiment, but monitoring it for cyber concerns can be overlooked by HR. A finger on the pulse of both employee and contractor sentiment can avert disaster and is increasingly considered a major step in risk management. Software that monitors mood, emotions and opinions through written text analysis -- sometimes using AI -- can forewarn behavior that could lead to a compliance, regulatory or security risk. Sentiment monitoring tools, such as Wootric or KeenCorp, are often used to gauge sentiment to determine employee engagement, but can also be applied to risk management.
In addition, some corporations today successfully use computer monitoring software to scan email and social media posts to flag disgruntled employees or aberrant behavior, such as file downloads at odd hours or excessive downloads of corporate information. Interguard, for example, provides monitoring capabilities that can record, report and alert on unusual online activities.
Cybersecurity training tips for HR
- Begin at onboarding -- cybersecurity education should be part of all new employee orientation.
- Ensure all employees know that neither a legitimate financial institution nor one's own company will ever ask them to submit private information via email.
- Emphasize to all employees that they should never open suspicious emails, even if the message has gotten through your corporate IT spam filters. They should not click links in untrusted email or emails from someone or a company they do not know. Such links often take them to a bogus login page, and in logging in, they are surrendering their information. This can be an example of phishing, which is an attempt to fraudulently acquire sensitive information by masquerading as a trusted contact.
- Instruct employees to reach external sites by typing the site's own web address into the browser, never by following links sent within emails or IMs.
- Run an internal test -- work with IT to create an "internal" phishing letter, alert employees after training them, and see how many fail to recognize a fraudulent request to update a password or some other seemingly legitimate request. You will be surprised.
- Urge employees to slow down a bit when opening emails and text messages, to check who they really come from and to ensure that they do not open attached files. The pressure for speed placed on workers sometimes leads to carelessness. Yearly reminders of the cost to the company from negligence or ignorance can spur better diligence.
- Spoofing is the forging of an email header so that the message appears to have originated from someone or somewhere other than the actual source -- perhaps from your own corporation, or your own HR group. It is tricky because people are more likely to open an email when they think it has been sent by a legitimate source. Educate employees to look at the actual sender address behind the displayed "from" name to see who the sender really is. A good place to start is with examples of phishing emails, looking at the actual sender and at where each link really points.
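To give the last two tips something concrete to practise on, here is an added example (not from the article) in Python that inspects a constructed spoofed "HR" message the way employees are taught to: it compares the real sender address with the company's trusted mail domain, flags a Reply-To that diverges from the From address, and checks whether a link's visible text matches where it actually points. The trusted domain, message contents and hostnames are assumed sample values.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): a spoofed "HR" notice
# whose sender address and link target do not match what is displayed.
RAW_MESSAGE = b"""From: Acme HR <hr@acme-benefits-login.example>
Reply-To: Acme HR <payroll@mailbox.example>
To: employee@acme.example
Subject: Action required: confirm your password
Content-Type: text/html

<p>Please <a href="http://acme.example.evil-host.example/login">https://portal.acme.example</a>
to update your password today.</p>
"""

TRUSTED_DOMAIN = "acme.example"   # the organisation's real mail domain (assumed)

def sender_domain(header_value):
    """Return the domain of the actual address behind a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def link_mismatches(html):
    """Find links whose visible text looks like a URL but points somewhere else."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        shown = urlparse(text.strip()).hostname or text.strip()
        actual = urlparse(href).hostname or ""
        if shown.lower() != actual.lower():
            found.append((shown, actual))
    return found

def check_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return human-readable warnings, one per red flag, for use in training."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    from_dom = sender_domain(msg["From"])
    if from_dom != trusted_domain:
        warnings.append(f"From address is @{from_dom}, not @{trusted_domain}")
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To goes to @{reply_dom}, different from the From domain")
    body = msg.get_body(preferencelist=("html",))
    for shown, actual in link_mismatches(body.get_content() if body else ""):
        warnings.append(f"Link shows {shown} but goes to {actual}")
    return warnings
```

Calling `check_message(RAW_MESSAGE)` returns three warnings for the sample above; a message from the trusted domain with honest links returns an empty list.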
Curbing purposeful cyber malfeasance
The training tips above can alleviate inadvertent lapses in security, but there are two other insider types whose behavior can lead to breaches: rogues and actual malicious insiders. Rogues are renegade employees who are likely to be more technically savvy than others and feel that they understand the issues, but choose to ignore them. They may be the ones who really want a different browser or app at work that they use at home, and know how to get it -- so they do. They generally did not mean to cause harm and educating them as to why the rules apply to everyone can help quell rogue behavior.
Malicious internal hacktivists are a more serious issue. They may think there is monetary gain to their behavior, like a ransom, or they may hold a grudge against the firm or some of its members. Sabotage and espionage are also drivers of untoward cyber conduct.
There are four points that pertain to malicious insider attacks:
- They are most likely triggered by a negative work-related event.
- Most perpetrators had acted out at work previously.
- They planned their activities in advance.
- On average, it takes 50 days to resolve a malicious insider attack and costs and time to recover are both increasing.
Role of HR
Many potentially negative work events are well known by the HR team and their potential negative repercussions could be much better anticipated. For example, better and more thorough explanations of pending mergers, acquisitions, layoffs, reorgs or restructuring could mitigate some employee hostility that can occur when they don't fully understand the business rationale. Of course, even a solid understanding may not make a malcontent feel one bit better about the organization and its actions. In these cases, it is especially useful to be able to ascertain the individual's computer access history.
Creating a cybersecurity education plan
Annual compliance training on cybersecurity should be a requirement; employees need reminders and new employees are always entering the organization. There are several areas of coverage on which to focus, starting with maintaining the security of the employee's office workspace. We all know the danger of passwords on sticky notes, but check around your organization to see how many passwords are exposed in plain sight or in unlocked desk drawers. A laptop screen left open in a vacant office can prove an invitation for rogue access.
One of my favorite stories on that front is from a cyber manager in the Netherlands. When she saw a laptop open and abandoned, she walked into the office and sent everyone an email from the laptop saying, "I will bring in cupcakes for everyone tomorrow." After a few times, employees who had to go home and bake cupcakes were much more careful with their office security.
Cybersecurity education should also extend to travel, such as securing laptops and mobile phones when working on a plane and checking for devices left in airline seat pockets, seats or hotel rooms. Handling data or email in crowded planes or airline lounges is another issue where awareness is needed.
Foremost, it is imperative that the organization foster a culture in which it is safe to raise concerns when employees see or suspect something is amiss that can impact corporate security. Cybersecurity in the workplace is everyone's responsibility; create a plan to ensure your employees are prepared to keep your business safe.