Three-quarters of large organisations suffered a staff-related security breach during 2015, with half of the worst cases caused by human error. However, while the majority of organisations offer employees some security awareness training, only a quarter of executives believe that this training is "very effective" at changing employee behaviour regarding information security. Source: ZDNet
With recent media releases highlighting the increasing number of cyber attacks affecting all sectors of industry and government, 2017 looks like it will be another year of catastrophe and corporate nightmare scenarios.
It is also clear that the attacks are becoming more frequent and increasingly complex. Many organisations are struggling to deal with the additional costs of protection, and the increased adoption and diversity of available devices and services is proving a major challenge.
Australian organisations with well-defined business and technology strategies are ramping up and investing in their IT departments so that new business-driven service offerings, hybrid computing models and emerging IoT opportunities are implemented while maintaining an acceptable level of risk mitigation to satisfy legal and regulatory requirements. The attackers are always circling, looking for an opportunity to launch; zero-day threats continue to keep senior executives up at night; and it is still early days. Yes, it is a challenge, but the good fight continues.
Other organisations, in the absence of an appropriate IT budget or a well-defined security defence strategy, are simply stagnating: avoiding industry trends and overlooking emerging technology practices which improve productivity and quality of service, simply because they cannot afford the additional risk exposure.
Take BYOD as a simple example. It is cost effective and a proven success; most employees would rather use their own devices, even at a personal cost, than use the company-provided laptop or device. It makes sense: using your own tools makes you work more effectively, and you choose what suits you. Removing the cost associated with fitting out an employee is a major bottom-line advantage for the organisation. However, many organisations will not allow it. Too risky. They don't have the controls or the cyber-savvy employees to maintain appropriate defences.
This is often the case. The IT department is tasked with considerable responsibilities; broadening the company's services portfolio often raises significant security concerns which may require investment in additional security controls and technical security services. Technology brings technology requiring more technology.
One option available to address some of these concerns is the engagement and utilisation of the whole company in maintaining and developing the security defence strategy, extending it beyond the IT department's responsibility and beyond a technology issue.
This approach benefits not only smaller companies but also large corporations with well-defined strategies and a cashed-up technology services division. The human factor is present at every level and in all organisations. It is a resource that is often undervalued and overlooked in preference to technology solutions and automated services. It's a common misconception: as long as the traffic lights function, the drivers need not bother with the road rules.
THE HUMAN FACTOR - This is where the HR department can play a major role.
The HR department is the gateway to the organisation. All employees pass through it as part of their induction process, and this is precisely where security awareness and cyber attack training (human and technological) should begin. HR departments are critical to ensuring employees are aware of their responsibilities and obligations to their employer, their clients and their industry as a whole.
Unfortunately, few companies identify the obvious benefits and opportunities in empowering Australian HR departments to take the lead on security training. Regrettably, their investment budgets and priorities reflect this position. Employees are on-boarded, given a generic online 'company awareness' training link, and they are on their way.
All appears to be done that can be done. Three weeks later a new employee, sitting at their desk and logged into their corporate email account, clicks on a PDF attachment that appears to come from a legitimate, albeit unknown, source: malicious code is downloaded to the user's computer, resulting in the organisation's entire mail system and file-sharing servers going offline. Within minutes the breach is posted online via Twitter, Facebook, etc. The organisation goes into damage control, assuring the public and its clients that the situation has been contained, while in the background the IT department is trying to work out how and what just happened. I think it is safe to suggest that too often all that can be done is not being done.
Take the weakest link and make it your strongest asset.
The aforementioned scenario could have been easily avoided if the employee had received, and continued to receive, cyber attack training as part of their development and ongoing company training. Such examples clearly highlight the need to engage and empower employees in how to deal with and manage cyber attacks.
To achieve this, HR departments need the appropriate tools and training modules to ensure the right security posture is established from the outset.
Moreover, perhaps the most significant requirement for an HR-driven security strategy is its ability to remain current, ongoing, real-world based and reflective of the industry sector, current geographical location and political climate. One test, one training module at commencement, will not cut it.
Employees need to be challenged and assessed via ongoing phishing simulators that record and monitor how employees are responding and reacting to attacks. Environment snapshots need to be made available to the HR department for analysis. HR determines how the company-wide attack awareness posture is tracking, where it needs improving, and which departments and employees require additional training and encouragement.
Employees who fall victim to phishing attack simulations should be provided with the necessary training modules to ensure they acquire the skills to identify and avoid future attacks.
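As an added illustration of the kind of analysis such an environment snapshot enables (example code, not from the original article or any particular simulator product), the block below takes a constructed set of phishing-simulation results (employee, department, campaign, outcome), summarises per-department click and report rates, flags repeat clickers above an assumed threshold for follow-up modules, and measures the change between two campaigns.

```python
from collections import defaultdict

# Constructed sample of phishing-simulation events; not real data.
# Each event: (employee, department, campaign, outcome), where outcome is
# "clicked" (fell for the lure), "reported" (flagged it) or "ignored".
EVENTS = [
    ("a.smith", "finance", "q1", "clicked"),
    ("a.smith", "finance", "q2", "clicked"),
    ("b.jones", "finance", "q1", "reported"),
    ("b.jones", "finance", "q2", "ignored"),
    ("c.lee", "sales", "q1", "clicked"),
    ("c.lee", "sales", "q2", "reported"),
    ("d.wong", "sales", "q1", "reported"),
    ("d.wong", "sales", "q2", "reported"),
    ("e.kaur", "hr", "q1", "ignored"),
    ("e.kaur", "hr", "q2", "clicked"),
]

def department_snapshot(events):
    """Per-department click rate and report rate across all campaigns."""
    totals = defaultdict(lambda: {"clicked": 0, "reported": 0, "sent": 0})
    for _, dept, _, outcome in events:
        totals[dept]["sent"] += 1
        if outcome in ("clicked", "reported"):
            totals[dept][outcome] += 1
    return {
        dept: {
            "click_rate": round(t["clicked"] / t["sent"], 2),
            "report_rate": round(t["reported"] / t["sent"], 2),
        }
        for dept, t in totals.items()
    }

def needs_training(events, max_clicks=1):
    """Employees who clicked in more than max_clicks campaigns (assumed
    threshold): repeat clickers to be assigned a follow-up training module."""
    clicks = defaultdict(set)
    for emp, _, campaign, outcome in events:
        if outcome == "clicked":
            clicks[emp].add(campaign)
    return sorted(emp for emp, c in clicks.items() if len(c) > max_clicks)

def trend(events, dept, earlier, later):
    """Change in a department's click rate between two campaigns;
    a negative value means the department improved."""
    def rate(campaign):
        sent = [e for e in events if e[1] == dept and e[2] == campaign]
        return sum(1 for e in sent if e[3] == "clicked") / len(sent) if sent else 0.0
    return round(rate(later) - rate(earlier), 2)
```

Report rate is worth tracking alongside click rate: a department that clicks less but also reports less has not necessarily become more vigilant.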
HR's commitment to cyber awareness extends throughout the entire period of an employee's employment. The stakes have never been higher, and the level of commitment needs to reflect these new challenges. Employees are often at the forefront of attacks and require ongoing support and development in an ever-changing cyber landscape.
Australian HR departments in today's corporate environments are not only tasked with managing employee aspirations, career objectives and employment concerns; they have a unique opportunity to strengthen, protect and maintain an organisation's human security controls (the human factor). Their proximity to every company employee makes them a perfect choice to assume such a responsibility.
Written by
Alan Mihalic
Cyber Security Advisor
Copyright Cybersec21.org