4 minute read

Cyber security – the biggest threat could be your workforce

There’s a one in four chance you’ll have a data breach within the next two years, and existing and former employees are the cause in half of cases. But HR can influence both the deliberate and unintentional insider threats

Cyber security

Are you worried about cyber threats and data breaches? Most people are when it comes to their personal data and on-line security but what about the “insider threat” within your organisation?

Well, you should be worried, according to the latest global reports and surveys, as around half of all data breaches are caused by existing or former workers (employees and contractors), with the incidents split equally between malicious/deliberate and accidental/unintentional.

The main breaches, not surprisingly, involve personal information from customers and employees, along with the loss/theft of intellectual property and key operational data.

Around half of all data breaches are caused by existing or former workers (employees and contractors), with the incidents split equally between malicious/deliberate and accidental/unintentional

For many, the responsibility for cyber security has fallen on the shoulders of the IT department, but the traditional focus on external threat and perimeter protection is just not enough these days. There needs to be an agile organisational response and HR should be co-ordinating it. If alarm bells aren’t ringing yet, regarding the impact of an insider threat, then they should be. Think for a moment about the consequences, to your organisation, of a significant data breach under GDPR (General Data Protection Regulation); run a few scenarios; consider the likely impact to your organisation’s reputation/credibility, the operational costs, and the potential fine(s) of up to 4% of your global turnover.

The estimated average cost of a data breach is $3.8m (£2.96m) and it’s predicted to increase significantly as GDPR fines start to kick-in; that’s unless organisations ramp up their mitigation actions.

By the way, there’s a one in four chance that you’ll have a data breach within the next two years, according to the leading cyber security experts. It’s also likely that insider breaches may come in for rigorous scrutiny and higher fines from the regulators, even when the perpetrator was acting maliciously. In a recent UK legal case (pending leave to appeal) Morrisons was found to be vicariously liable for data breaches caused by the actions of an employee intent on causing them harm.

I hope you’re starting to be convinced that the insider threat is a real and present danger. Then there’s the potential damage to your reputation and brand, something that HR is heavily engaged in nurturing, with long-term negative impacts for both your customers and employees. KPMG reported that over 50% of consumers would either stop or take a break from shopping at a retailer after a data breach incident. I’ve also seen a report that over three-quarters of job applicants check-out a potential employer’s reputation before applying.

HR is best placed to influence both the deliberate and unintentional insider threats. As the term implies, insider threat involves any activity from a current or former employee, contractor, business associate or even a board member, that puts the organisation’s data at risk of being lost, damaged, leaked, or helps an external actor gain access through their actions. Most HR departments are involved in post breach responses and the subsequent deployment of revised policies and regulations as a future deterrence, but there’s an increasing requirement for better internal threat prevention and detection programmes. What better place for HR to bring their expertise into play, as many of the solutions involve actions that impact on people and the organisation culture?

Technologies are advancing rapidly and their deployment needs to be ethical, legally compliant, and right for the culture. Take the topic of monitoring employee activity, which has long been a contentious topic, and needs organisations to take a balanced decision on its use and extent. For example, in a recent Swedish case, a school was fined (€20K) under GDPR when it piloted a scheme on facial recognition of students as part of its attendance monitoring. Contrast that with the surveillance of people in China as it embarks on citizen community monitoring programme using facial recognition and behaviour analysis.

I’ve always believed that having the right culture will bring out the best in people, and at all levels, so focusing on having an engaged workforce (internal and extended) positively contributes to the organisation’s performance and future development. Philosophically, having an engaged workforce should reduce the risks of insider data breaches, but it’s still wise to invest in the appropriate level of awareness training, behaviour and event monitoring, and other threat mitigation initiatives. Similarly, having a highly disengaged group/team should be a “red flag”, requiring further investigation and speedy response from HR.

No matter whether it’s a disgruntled employee stealing IP for financial gain or compromising data with malicious intent or someone who accidentally stumbles into data breach problems, such as losing data/equipment, or being a phishing/malware victim, or poor password practices, that have severe consequences for the Organisation, and potentially also for the employee, HR should be involved in the solutions to eliminate the risks whilst protecting your values.

I think at some point we may see Cyber Security Risk (including the “insider threat”) highlighted as a (balance sheet) liability and going beyond the financial disclosure reporting that organisations must do now. Some may even look at securing insurance to cover them from the potential risks from significant data breaches.

Unlike Donald Trump, I don’t see a whistle-blower as an insider threat, or as he reportedly put it “close to a spy”. There should always be a clear distinction even when faced with tricky ethical questions.

Finally, it’s not a given that you’ll be subject to the insider threat so don’t become despondent or wait for the inevitable; get a plan and take action, conduct impact assessments, secure the leadership focus, and engage the whole of your workforce.

Published 27 November 2019

What did you think about this content? Use the stars below to give it a rating out of five.

Total votes: 27