TEISS guest blogger Stephen Burke, CEO and founder of Cyber Risk Aware, explains why HR and IT security departments should work together to create a human firewall.
An organisation’s cyber security can only ever be as strong as its weakest link. The biggest vulnerabilities are not necessarily found within the hardware or software. Human error is the biggest challenge. And yet nearly half of HR departments do not know when their cyber security strategy was last considered, while only 22% have reviewed the people aspect of cyber security in the past year.
There is a common misconception that cyber security falls solely under the remit of the CISO and IT teams. But with many cyber threats coming from within an organisation – such as insider threats and human error – the disconnect between IT and HR departments needs to be rectified.
The IT department’s primary security goal is to protect the company’s confidential data. In contrast, HR’s focus is primarily on developing corporate culture, though protecting employee privacy is rapidly making its way up the list of priorities thanks to the GDPR. As a result, senior people often mistake security risk in a company as being primarily a technology risk. They believe that having the right cyber security products in place will be enough protection.
Organisations are aware of the importance of having cyber security technology in place, but hackers exploit human nature. They use tactics such as social engineering to gain the trust of employees, encouraging them to click on malicious emails which then allow access into the network.
HR has the skills to mitigate these tactics. For example, a well-intentioned employee may be using insecure personal email rather than an official work one or may accidentally share sensitive information on social media. HR can reduce this risk by ensuring employees are properly and regularly trained in cyber security awareness.
A similar threat would be a disaffected employee with a grudge against the company. Part of HR’s role is to understand employee behaviour and notice early warning signs of anomalous behaviour.
The IT department, meanwhile, has the technical skills to implement products and services which can identify either when employees are behaving in a risky manner or if an external hacker is breaching the network.
The role of HR in implementing cybersecurity strategy has historically focused on policy enforcement and compliance and, whilst this is important, it’s not going to drive a change in user behaviour. Many HR and learning/development teams approach security training from a legacy perspective where annual tick-box training reigned supreme.
Whilst all these methods have a time and place, when it comes to cyber security and helping non-technical people retain what is essentially technological subject matter, a course delivered in short, interactive modules will result in greater success with more employees recalling what they’ve learnt and putting it into practice.
It’s also important to consider who is delivering the training: many ‘techies’, whilst knowledgeable, may not necessarily be good educators.
Customisation of education is also important. Anecdotal evidence has revealed that many organisations which have conducted phishing training reach a plateau where it is impossible to reduce phishing susceptibility below 15%. One company, however, included their marketing team in the process of developing anti-phishing campaigns. By customising their training messaging they were able to achieve a further reduction to 5% susceptibility.
When it comes to creating a culture of cybersecurity, changes need to be made throughout the organisation, not just within the IT department. The connection between HR and IT professionals needs to be closer than ever before and they should communicate regularly about important security issues.
The overall aim should be that employees form a ‘human firewall’. This connected network of human sensors can then protect themselves both in and out of the workplace, as a result of three simple considerations:
Cyber awareness training from the outset. Changing user behaviour is an ongoing process and should begin on every employee’s first week as part of their induction. HR and IT should work together to determine the employee’s level of cyber security awareness, creating a training programme that is tailored and interactive.
Incentivise ongoing training. There’s no doubt that employees are more motivated when incentivised, therefore HR and IT should investigate ways in which to motivate all workers, from entry level to the C-suite.
Ongoing assessments for policy, compliance and awareness. IT teams are always on the lookout for both intentional and unintentional lapses in cyber security – a role which HR can fill. Additionally, HR needs information from IT about those employees who are negligent with their cybersecurity responsibilities. If this information can be delivered in real-time, IT can intervene and trigger the relevant training modules.
Good cyber security is the result of the right technology and employee training. When HR and IT work together, organisations of any size can mitigate the risks of a data breach.
Stephen Burke is CEO and founder of Cyber Risk Aware, a training and phishing simulation platform that provides cyber security education and evaluation services designed to protect organisations from internal cyber security threats.