Developing a cyber resilience strategy through your culture

Written by
Nick Martindale

30 Nov 2019

30 Nov 2019 • by Nick Martindale

Cyber security is a critical issue for organisations of every size and profile – and people lie at its heart. 

“There are two types of company: those that have been hacked and those who don’t yet know they have been hacked,” warned John Chambers, former CEO of Cisco.

Cyber attacks – defined as “the deliberate exploitation of computer systems, technology-dependent enterprises and networks” – are an unfortunate side effect of our growing reliance on technology. Increasing in frequency and sophistication (and fuelling a cyber-crime economy worth $1.5trn), they have already claimed some high-profile scalps.

In 2017, the global WannaCry ransomware campaign crippled the NHS, locking users out of 200,000 computers across 150 countries, with error messages demanding the cryptocurrency Bitcoin. Thought to have been masterminded by North Korea, the hack caused more than 19,000 patient appointments to be cancelled and cost the NHS £92m, including the subsequent clean-up and upgrades to its IT systems. 

Other memorable casualties include telecoms provider TalkTalk, which lost £60m and 101,000 customers in 2015 when hackers gained access to the personal details of more than 156,000 people. Only this summer, British Airways was issued a record fine of £183m by the Information Commissioner’s Office after an attack on its website in September 2018 led to a data breach, compromising the details of 500,000 customers. This equates to around 1.5% of BA’s £11.6bn worldwide turnover last year. 

According to the government’s Cyber Security Breaches Survey 2019, 32% of all UK businesses have experienced some form of cyber attack – but the issue is unquestionably global (and growing). 

Cyber-crime is an epidemic that requires a three-pronged approach

The impact of cyber attacks can be devastating. Cyber security researchers from the University of Kent have identified at least 57 different ways in which cyber attacks can have a negative impact on individuals, businesses and even nations, ranging from disruption to daily activities to depression, threats to life and heavy regulatory fines.

In the EU, including the UK, 2018’s introduction of the General Data Protection Regulation (GDPR) has upped the financial stakes considerably, with firms involved in a data breach facing fines of €20m or 4% of their total global turnover – and that’s before the wider damage from lost customers and reputation is considered. 

All this makes cyber security a business-critical, board-level issue with a core role for HR. When it comes to strategy, organisations need to factor in three pillars of protection: processes, technology and, most importantly, people. 

You’ve heard of ‘phishing’, but what about ‘spear phishing’ and ‘whale phishing’?

Phishing attacks – where staff are lured into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords – make up around 80% of all cyber attacks, according to the Cyber Security Breaches Survey, and their incidence is growing. 

In tech speak, phishing scams target non-specific individuals, while ‘spear phishing’ homes in on particular individuals. ‘Whale phishing’ describes cyber criminals masquerading as a senior figure within the organisation in order to target other important individuals within it.

Oz Alashe, CEO of the cyber security awareness and data analytics company CybSafe, points out that phishing is “easy to perform and tough to defend against. Just one individual falling victim to phishing can be enough to give criminals the foothold they need,” he warns. 

A common ploy is for fraudsters to phone a company’s accounts team, claiming to be the CEO, explains Yannick Meiller, professor in information management at ESCP Europe Business School. “They’ll call during lunch and hope to speak to someone new, asking them to transfer €20,000,” he says. “As the amount is not big, they often get the money. In many companies these processes are not formalised.” 

So-called ‘business email compromise attacks’, which involve impersonating an organisation in emails or online accounts, account for 28% of cyber attacks, the government survey revealed. Mark Nicholls, chief technology officer at Rescan, describes one scam which involves pretending to be a supplier and convincing those in accounts departments to make payments for goods and services. 

“We also have reports of cyber criminals targeting HR departments, impersonating employees to update salary payment information,” he adds. “Business email compromises are different to traditional phishing attacks because there is usually a higher degree of interaction with intended targets.” 

Meanwhile, 27% of cyber attacks are down to malware, including viruses, worms, Trojan horses and spyware. Terry Saliba, a cyber-security specialist at IT solutions firm Evaris, highlights the use of fake ‘unsubscribe’ buttons to trick employees into downloading malware. Ransomware is the most prevalent variety of malicious software, found in 39% of malware-related cases, according to research by global communications and technology company Verizon.

Then there’s the threat of insider fraud. Verizon reports that more than half (57%) of database breaches are the result of employee activity, accounting for 34% of all cyber threats. 

“In any workplace, the vast majority of employees will be honest, but a very small minority may not be,” warns Jim Gee, partner and national head of forensic services at risk firm Crowe. 

Even inadvertent security breaches are often down to people, as Alastair Brown, chief technological officer at HR software firm BrightHR, admits: “Employees often present the biggest danger when it comes to managing security risks,” he says. 

Addressing this involves creating a culture where employees understand the need to take cybersecurity seriously. 

Simple preventive measures recommended by the UK’s National Cyber Security Centre include ensuring people use strong, memorable passwords for important accounts (three random words rather than pets’ names) and secure their devices (installing software updates, setting PINs or passwords and only using official app stores). 

Staff should also get to know the techniques phishers use and think about the information they make available online, reporting any security incidents promptly to their IT team or line manager. 

Awareness of cyber-security should be assessed at the very early stages of employment 

CybSafe’s Alashe says: “People act securely only when they care, so make people care; make cyber security personal to them, gamify it, reward people who spot phishes and other insecure behaviours and bring other leaders onboard. If senior figures have a dismissive attitude towards cyber security, that’s going to trickle down to other employees.” 

“Everyone should be trained in information security awareness,” stresses ESCP’s Meiller. 

“But you must be specific in the seminars you provide for people, treating the subject differently according to whether you’re talking to those in marketing or finance. You need examples which are very close to them.” 

Initial training needs to take place during an employee’s induction; however, in truth, most is ad hoc: 65% of UK professionals did not receive mandatory IT training during their first month’s employment in their current or most recent role, despite the fact that 86% of them worked on a computer every day, according to a survey by Evaris. 

Experts believe that the issue of cyber security should be broached during candidate interviews. “This is rarely adopted outside of technology roles, but not only would it help with the selection of suitable candidates, it would contribute to the development of a secure-aware company,” says Deeph Chana, who teaches cyber security for business executives at Imperial College Business School. 

Muhammad Adeel, a lecturer in computing at Arden University, stresses that “due diligence should be assured in the hiring process, especially when requesting references from previous employers”, to reduce the chances of taking on someone who may previously have been involved in a cyber security incident.

“HR can devise employment contracts that give severe consequences to employees in cases where their policy violations have resulted in a breach of security, data loss or a cyber attack,” he adds. 

Fluid working practices can create more opportunities for data breaches 

Ideally, organisations would bring in external specialists to carry out training, but a shortage of genuine experts is a challenge, admits Oyku Isik, professor of information systems management at Vlerick Business School. In their absence, “self-paced digital awareness training, coupled with frequent and gamified ‘tests’ such as sending out internally arranged fake phishing emails, would help create the necessary awareness that would significantly reduce the risk of a breach,” she suggests. 

HR needs to be at the forefront of developing policies around safe working practices. Mobile working, for example, opens up risk. Meiller urges HR to remind people of the key aspects of information security when travelling for work (“if you’re working on a calculation to price a tender, you should not do it on the train!”), while Adeel adds that HR should help devise policies that discourage the use of external storage devices such as USB sticks and portable disk drives, which can be lost or stolen and are a means of propagating malware. The advent of cloud computing and the availability of affordable online storage platforms have reduced the dependence on such options.

Bring Your Own Device (BYOD), where employees deploy their own device for work and personal use, also requires clear guidance. 

“If you don’t have security in place, people can access corporate data through a personal device,” points out Muttukrishnan Rajarajan, professor of security engineering at City, University of London, and director of its Institute for Cyber Security. 

“You can predefine specific geolocations within which certain apps can be activated, and you can ringfence corporate apps with security.” HR will need to work closely with IT on this, he adds. 

HR should also monitor employee behaviour, looking for signs that suggest someone is frustrated or tempted to harm their employer. “Watch out for employees on performance improvement plans or talking negatively about the company on external social media platforms,” advises Jadee Hanson, chief information security officer at Code42. 

Where people are leaving your organisation, ensure data or other sensitive information is not taken out of the business. A survey by ObserveIT found that 43% of organisations globally don’t have a policy that prohibits staff from taking IP/data with them when they leave employment, while in the UK, only 62% take back physical work devices. 

If the worst happens, acting fast, apologising and reimbursing are key to repairing customer relations

Should a cyber attack occur, rather than trying to hide the issue, it’s vital to inform customers quickly and efficiently. Alashe describes British Airways’ response as a textbook example of how to do it well.

“A public statement was issued. All affected customers were reportedly contacted in a matter of days. Advice came clearly and swiftly, as did financial compensation,” he explains. “The CEO didn’t shy away from tough media appearances, and there were apologies and no excuses.” 

Organisations may also have to choose whether to pay ransoms to regain access to computers and networks, weighing up the ethical and practical issues. “Doing so funds organised crime networks and rogue nation-state actors,” points out Alashe. “However, we know that organisations do give in to ransomware demands.” Nor is there any guarantee that paying will result in decryption, Hanson notes.

Such decisions are likely to be made above HR’s paygrade. But a final area for HR is to deal with the repercussions of any breach, taking action against those who have broken company policies. 

“While a simple warning may be appropriate in some circumstances, additional disciplinary action may be required depending on the severity of the act and whether it was malicious or accidental,” says Brown. “Either way, action must be taken to reduce the risk of cyber crime occurring in the future.”