Fighting cyber crime
Key ways HR can help fight cyber crime
Over the last 12 months, cyber-security has gained prominence as a boardroom topic. It is not an issue for the board alone, however: Human Resources has a key role to play too.
Cybercriminals have become far more sophisticated in their attacks than they were a decade ago. Then, good IT systems could foil most attacks; “spear-phishing” and “whaling attacks” cannot easily be repelled by IT systems. Cybercriminals will often research their target first, and gathering public information on key individuals in an organisation is straightforward: it is typically sourced from the organisation’s own website and from social media sites such as LinkedIn. Armed with this information, the cybercriminal commences the attack.
The attack often takes the form of an email that appears to come from a legitimate and trusted source. It will refer to organisations or people known to the intended victim and use proper corporate logos, and it will often disguise the true sender’s address. All of this is intended to gain the victim’s trust so that they do not ask questions.
With “spear-phishing”, the email asks for sensitive and confidential information, often as a matter of urgency (e.g. the email appears to be from a friend overseas who has been mugged and needs help), or directs the intended victim to a bogus website where information must be entered (e.g. a parcel has arrived and you need to visit a website to release it; the website looks legitimate but is actually bogus). The aim is to obtain personal information that enables the cybercriminal to defraud the intended victim.
In a “whaling attack”, the cybercriminal impersonates the CEO/CFO, having first worked out, often from social media, when that person is on leave. The cybercriminal then sends an email that appears to be from the CEO/CFO and instructs the intended victim (in this scenario likely to be someone in the finance team) to make a money transfer or to change the bank account details held for a supplier.
Human Resources’ role in prevention
HR has an important role to play in helping organisations foil these types of attacks. It can do this on three levels:
Policies and Processes:
Computer use policies should be kept up to date and should prohibit browsing on sites that are not business related. Limiting traffic to legitimate business sites helps reduce the risk of your staff landing on a compromised site. It is not a failsafe approach, however, as legitimate sites are themselves regularly hacked. Processes should also be put in place to cover “at-risk situations”, such as always requiring a second form of communication to confirm any change to a transaction (e.g. ring the supplier on its usual number, not a number supplied in the request, to check that it really does want to alter the bank account details used for payments).
Education and Training:
Get a cybersecurity expert in to educate staff on what to look out for and what steps they can take, including how to set and remember a strong password. Training on cybersecurity should be part of staff induction, and we recommend holding regular update sessions for all staff too. Ultimately, getting all staff to be vigilant about cybersecurity will require a culture change, so HR should create a plan for how it will foster a culture of cyber vigilance.
Carefully consider what information is made public about your organisation and its staff. We recommend only making public what needs to be made public (i.e. where there is a legal obligation to do so or business value in doing so).
Human Resources’ role in mitigation
If the worst happens and a security breach occurs, HR needs to be ready with its breach response plan. A security breach can be a public relations nightmare if not handled well, so HR should be planning now the communications it will issue to deal with one.
Lane Neave can help
We can help draft the policies and processes you should have in place in relation to cybersecurity risks. We can also assist you to plan a communications response to a security breach. Call your usual Lane Neave contact to find out more.
Partner, Lane Neave