FUTURE TALENT November - January 2019/2020 | Page 49
ON TOPIC
train!”), while Adeel adds that HR
should help devise policies that
discourage the use of external
storage devices such as USBs and
portable disk drives, which can be lost
or stolen and are a means of
propagating malware. The advent
of cloud computing and availability of
affordable online storage platforms
have reduced the dependence on
such options.
Bring Your Own Device (BYOD),
where employees deploy their own
device for work and personal use, also
requires clear guidance.
“If you don’t have security in place,
people can access corporate data
through a personal device,” points out
Muttukrishnan Rajarajan, professor of
security engineering at City, University
of London, and director of its Institute
for Cyber Security.
“You can predefine specific
geolocations within which certain
apps can be activated, and you can
ringfence corporate apps with
security.” HR will need to work closely
with IT on this, he adds.
HR should also monitor employee
behaviour, looking for signs that
suggest someone is frustrated or
tempted to harm their employer.
“Watch out for employees on
performance improvement plans or
talking negatively about the company
on external social media platforms,”
advises Jadee Hanson, chief
information security officer
at Code42.
Where people are leaving your
organisation, ensure data or other
sensitive information is not taken out
of the business. A survey by ObserveIT
found that 43% of organisations
globally don’t have a policy that
prohibits staff from taking IP/data with
them when they leave employment,
while in the UK, only 62% take back
physical work devices.
The small business experience
When business coach and author Mandie Holgate was hacked
two years ago, it cost her £20,000-£30,000 and left her without
a website for six months. Her two sites – one to promote her
services and the other a business school and networking organisation – were attacked
after a web-design firm she used hosted them on a cheap US-based platform with
minimal security, without her knowledge.
She was alerted when her attempt to send an email resulted in an error message
saying she was sending 500 messages an hour. The hackers had used her email
address to spam people, and within 15 days both sites had been listed on Spamhaus.
“There were about 300 hidden websites on my site, so they were using my ability,
in terms of SEO, to promote other companies,” she recalls. “They damaged the code
so it looked like I was selling things no business owner would ever want to be selling.”
Her first concern was for her customers and business partners (including 10
people who had purchased a licence to trade through the business networking site).
“My saving grace was that I didn’t have any personal details on anything that
wasn’t highly password protected,” she says. “It meant they couldn’t get any further
than destroying my site.”
The reluctance of the web-design company to accept responsibility initially left
her unable to contact the hosting platform. But with the help of another designer
and cyber security company Spritz Monkey, she started the recovery process.
“I learned a lot,” she says. “My concern is that small and large businesses are
employing people to make ‘pretty’ sites which are ultimately not secure.”
Should a cyber attack
occur, rather than trying
to hide the issue, it’s vital
to inform customers
quickly and efficiently. Alashe
describes the British Airways’
response as a textbook example of
how to do it well.
“A public statement was issued. All
affected customers were reportedly
contacted in a matter of days. Advice
came clearly and swiftly, as did
financial compensation,” he explains.
“The CEO didn’t shy away from tough
media appearances, and there were
apologies and no excuses.”
Just one individual falling
victim to phishing can be
enough to give criminals
the foothold they need
Organisations may also have to
choose whether to pay ransoms
to regain access to computers and
networks, weighing up the ethical
and practical issues. “Doing so funds
organised crime networks and rogue
nation-state actors,” points out
Alashe. “However, we know that
organisations do give in to
ransomware demands.” There’s no
guarantee that doing so will result
in decryption, however, points
out Hanson.
Such decisions are likely to be
made above HR’s paygrade. But a final
area for HR is to deal with the
repercussions of any breach, taking
action against those who have broken
company policies.
“While a simple warning may be
appropriate in some circumstances,
additional disciplinary action may be
required depending on the severity
of the act and whether it was
malicious or accidental,” says Brown.
“Either way, action must be taken to
reduce the risk of cyber crime
occurring in the future.”