FUTURE TALENT November - January 2019/2020 | Page 48

malicious software – found in 39% of malware-related cases, according to research by global communications and technology company Verizon.

Then there’s the threat of insider fraud. Verizon reports that more than half (57%) of database breaches are the result of employee activity, accounting for 34% of all cyber threats. “In any workplace, the vast majority of employees will be honest, but a very small minority may not be,” warns Jim Gee, partner and national head of forensic services at risk firm Crowe.

Even inadvertent security breaches are often down to people, as Alastair Brown, chief technological officer at HR software firm BrightHR, admits: “Employees often present the biggest danger when it comes to managing security risks,” he says.

Addressing this involves creating a culture where employees understand the need to take cybersecurity seriously. Simple preventive measures recommended by the UK’s National Cyber Security Centre include ensuring people use strong, memorable passwords for important accounts (three random words rather than pets’ names) and secure their devices (installing software updates, setting PINs or passwords and only using official app stores). Staff should also get to know the techniques phishers use and think about the information they make available online, reporting any security incidents promptly to their IT team or line manager.

CybSafe’s Alashe says: “People act securely only when they care, so make people care; make cyber security personal to them, gamify it, reward people who spot phishes and other insecure behaviours and bring other leaders onboard. If senior figures have a dismissive attitude towards cyber security, that’s going to trickle down to other employees.”

“Everyone should be trained in information security awareness,” stresses ESCP’s Meiller.
“But you must be specific in the seminars you provide for people, treating the subject differently according to whether you’re talking to those in marketing or finance. You need examples which are very close to them.”

Cyber attacks and their consequences
• Cause significant financial damage: according to the 2018 Cost of a Data Breach Study by Ponemon Institute, the average total cost of a data breach is $3.86m
• Damage brands and reputations
• Erode or decimate customer loyalty
• Result in the loss of intellectual property
• Invite regulatory penalties
• Impair security for governments and states
• Increase potential for future attacks
• Put some companies out of business

Initial training needs to take place during an employee’s induction; however, in truth, most is ad hoc: 65% of UK professionals did not receive mandatory IT training during their first month’s employment in their current or most recent role, despite the fact that 86% of them worked on a computer every day, according to a survey by Evaris.

Experts believe that the issue of cyber security should be broached during candidate interviews. “This is rarely adopted outside of technology roles, but not only would it help with the selection of suitable candidates, it would contribute to the development of a secure-aware company,” says Deeph Chana, who teaches cyber security for business executives at Imperial College Business School.

Muhammad Adeel, a lecturer in computing at Arden University, stresses that “due diligence should be assured in the hiring process, especially when requesting references from previous employers”, to reduce the chances of taking on someone who may have been involved in a cyber-security incident previously.

“HR can devise employment contracts that give severe consequences to employees in cases where their policy violations have resulted in a breach of security, data loss or a cyber attack,” he adds.
Ideally, organisations would bring in external specialists to carry out training, but a shortage of genuine experts is a challenge, admits Oyku Isik, professor of information systems management at Vlerick Business School. In their absence, “self-paced digital awareness training, coupled with frequent and gamified ‘tests’ such as sending out internally arranged fake phishing emails, would help create the necessary awareness that would significantly reduce the risk of a breach,” she suggests.

HR needs to be at the forefront of developing policies around safe working practices. Mobile working, for example, opens up risk. Meiller urges HR to remind people of the key aspects of information security when travelling for work (“if you’re working on a calculation to price a tender, you should not do it on the