HR Monthly : October 2015 -- page 16
"Everyone asks me how to get ahead of the curve. The reality is the crooks are the curve." -- Steve Ingram, National Cyber Leader, PwC
security incidents soared 48 per cent from the previous year to
42.8 million. The average financial loss per incident was up 34
per cent, to US$2.7 million.
Insiders were the main culprits. Current and former
employees caused 65 per cent of insider incidents, and another
33 per cent were caused by current and former contractors,
consultants and service providers.
Those statistics highlight that cyber security is no longer just a technology issue, says Ingram. It requires a comprehensive, integrated strategy across IT, HR, legal, security and risk -- led by someone in the C-suite. "Ask the head of IT about cyber security," he says. "If they just say firewalls, be worried."
For HR professionals, key focus areas include pre-employment vetting, induction programs, regular staff training, strictly enforced cyber security policies and a vigilant approach to potentially malicious new or current employees. That last category -- deliberate internal hackers and leakers -- grabs most of the media headlines, but experts say most incidents are caused by unwitting or careless staff behaviour.
Human fallibility often represents the easiest target for attackers to exploit. That phishing remains by far the most successful gateway into internal systems is testament to this. In 2014, 72 per cent of phishing emails were sent during the working week, with 78 per cent crafted specifically to relate to IT or security topics. Invariably there will be someone who clicks and provides that first route into the network, according to Control Risks research.
Dave Campbell, acting executive manager of CERT Australia, the Federal Government's computer emergency response team, says their surveys show that targeted emails are the most common cyber security threat for Australian businesses. "All staff -- including CEOs and senior management -- need to improve their IT security skills and put them into practice on a daily basis," he says.
Training is the key, says Rob McAdam, CEO at Pure Hacking. "This is where HR can get real bang for their buck." His company is called in when organisations believe their systems have been hacked. In two-thirds of the cases there is no hacking, just human error such as using a contaminated USB stick brought from home.
McAdam, a former policeman, stresses that security
awareness training alone isn't sufficient. The best approach
is a strongly enforced compliance mandate, complete with
rules on data usage and storage, an induction program for
new employees and annual training for all staff. The aim,
he says, is to develop a culture of security, where all staff
regularly change their password, use different passwords
for work and home, delete anything they don't need and
report anything unusual to IT security.
Careless staff may be the biggest insider threat, but a malicious current or former employee who deliberately hacks systems or steals data can cause huge damage. Ingram says HR's cyber security role here is no different from attempting to prevent any other type of fraud -- thorough pre-employment screening and ongoing monitoring of behavioural changes in existing staff.
In assessing job applicants, recruiters should look at
links to "countries of concern", ideological values, recent
or repeated minor criminal acts, significant financial
concerns that are not being addressed and termination
from employment for misconduct or fraud. These are red
flags for high-risk employees, says the federal government's
Protective Security Better Practice Guide published last
For existing staff, HR needs to be alert to personal issues such as gambling, drinking, financial or marital problems, and to triggers such as redundancies, poor performance reviews, demotion or corporate restructures. Ideally, the company's strong cyber security culture will mean that co-workers and managers of potential hacker employees notice and report the change in behaviour.
"I've been working in fraud since the mid 80s," says
Ingram, who was previously with the Australian Federal
Police. "I've yet to see a fraud incident where someone
around didn't have a hunch something wasn't right."