You Caused the Crash
Is data insecurity more about human than technology?HR and cybercrime. Not exactly two words you see together often. But chances are you’ll be seeing them together more and more in the future.
Keeping employee information safe has long been the domain of HR, but increasingly that means more than having the key to the filing cabinet.
Recently, everybody was treated to an object lesson in keeping data secure. TalkTalk, one of the UK’s largest internet service providers, was hacked into by a few teenagers. As a technology company, it should probably be better prepared and aware than most. Yet in the event, their expertise didn’t mean much.
Sensitive data for thousands of customers was compromised by a few ticked-off teens. While it shows that you probably reap the rewards for constantly buffering when people want to watch TV online, it also shows that these days, when it comes to cracking defences of companies’ data, where there’s a will there’s a way.
The attack on TalkTalk is only one of a long procession of attacks on organisations, not just by angry kids, but by countries, fraudsters, and disgruntled employees.
TalkTalk joins Sony, JPMorgan, and the US government on a very long list.
So HR comes in where? If expertise, money and power can’t protect you, what can?
People are time bombs
Well, for a start, most data breaches come from employees, not failings of IT security. These are the same people that leave laptops stuffed with private data on trains.
Think of them as not just people, but also dangerous time bombs of data security incompetence.
Monitoring and training employees play a much larger role in cyber security than you might think. So to start with, HR can institute policies that protect an organisation from the inside, without a jot of programming or IT knowledge.
Good practice can include:
- Ensuring rigid permissions to areas of data. If every employee can access everything, it significantly increases risk. By compartmentalising data and restricting what people can access to what is relevant to them, any security breach has its damage limited.
- Promoting good password practice, e.g. not saving it on your desktop in a folder, changing it regularly, and making it resistant to “brute force” attacks by making it more complex than “password1234.” (Someone reading this is guilty.) A long string of numbers and letters is best.
- Having clear guidelines on BYOD – devices brought in from outside the office. Personal USB sticks and phones are often more vulnerable to being infected outside of the security of the office. And once they are brought inside, they can undermine the barriers in place to prevent outside attack.
- Providing training to employees on risk, and maintaining a vigilant approach to other kinds of office security. Being lax in other areas tends to make people more likely to carry that attitude across to how they approach IT security.
- Reviewing regularly. Since the pace of change in technology is so fast, it doesn’t matter if you were one of the first to adopt an IT security policy if your policy mostly covers employees faxing sensitive information to your competitors.
Research suggests that although many organisations put some or all of these into practice, an incredible 96% of cybercrime could be prevented by rigorous enforcement. It’s a case of the policies being in place and probably being sufficient – but the attitudes and enforcement of the policies are usually lax, and therein lies the problem.
Not my problem?
You may look at cyber security and think it’s a case of big player, big target.
But the reality is SMEs are just as vulnerable to the same kinds of attack. While China may fish for national secrets from NASA, smaller groups of criminals will look to exploit soft, often smaller, targets.
The business of selling sensitive information, of customers or employees, gets bigger every year. As data gets more valuable, smaller and smaller companies become more viable targets. (The UK government estimates the annual cost to be £27 billion in the UK alone.)
The stuff that makes the news is almost universally related to customer information, because Ashley Madison hacks are juicy news and customers losing information generates more outrage than a company losing some important data. This leads people to underestimate how often business data is a target for criminals.
Of the £27 billion figure, over a third of that is intellectual property theft from business. So you don’t need a customer base of tens of thousands to present an appealing target.
And even having links to companies that do may present hackers with an opportunity to go through you to access them, which would obviously cause serious credibility damage.
Pragmatic approach
Of course, no security will ever be absolutely impossible to circumvent, but damage limitation and having a quick response can make a big difference if the worst does happen.
Not only that, but simply appearing to be a tougher nut to crack is a defence in and of itself. Even if the alarm on the outside of your house is only a budget model, if a thief strolls by and your neighbour didn’t bother to have an alarm installed, the choice makes itself.
HR has a special place in preventing cybercrime due to its special position when it comes to monitoring staff. Identifying employees who present a special risk is one thing HR can do especially well. It’s suggested that around half of cyber attacks have some kind of insider help, and most of the rest have unwitting help.
Hackers may reach out to disaffected employees over social media, or even trick earnest employees into sharing seemingly innocuous data that can undermine even the Fort Knox of firewalls and data security.
If your data security policies are a little unloved, there’s never been a better time to get on top of them, as the risk increases daily.