Miller+Schiff offers initial education and then follow up requirements and policy development to educate HR professionals/employees about Cyber threats, and what Human Resources execs and staff can develop (with IT) to help reduce the threat level of future attacks that might be initiated/facilitated by workforce behaviors and poor HR data security.
Why we (Bob and Marc) were inspired to create this new initiative:
Clearly cybersecurity is on the world’s stage, especially here in America. Made more visible to the general public through the concerns over the hacking of the democratic national committee and Russia’s alleged influence over our presidential election, the threat of cyber attacks has gotten great publicity. Even before our election, the hacking of records maintained by TARGET, BEST BUY and YAHOO with almost 1.5 billion records stolen (to name just a few) have created great concerns and interest. However, a bit less publicity has been given to and about the threats and executed attacks within any corporation (of any size) stemming from their own employees – or from former employees.
It has been often stated that the greatest point of vulnerability to an organizations data files is as a result of the behavior and lack of mindfulness of the employees themselves. A recent VERIZON data breach investigations report (2015) stated “an organization’s greatest vulnerability remains it’s own workforce”.
According to the council on cyber security (within the Department of Homeland Security) HR must play a critical role. Their report (2015) states that “HR has always had an important role in managing RISKs – from natural disasters to layoff, lawsuits, and workplace violence – and cyber risk is no different – HR has an important role to play.”
Employees and others working for or within any organization, including consultants and contractors can now work from almost anywhere, bring their own devices (BYOD), use cloud-based applications and access work files on their mobile devices. The result? A profound increase in threats to cybersecurity.
A major way of mitigating these threats rests with the mindset of the employee population. Among other reasons, this is one situation where HR is best positioned to take a needed role.
The HR department has the organizational role and skills necessary, and with effective HR Systems, can mitigate at least some of the known causes of any “insider” cyber attack.
One known cause of an “insider” attack is the result of a well-intentioned employees who makes a mistake, such as using a personal email rather than a work email or accidentally shares something classified on social media. HR can deal with these cases by making sure employees are properly trained and educating them on a regular basis. Effective HR Technology already has security based on roles and at the employee level the rights to see, report on, and disseminate data.
Another known cause is strongly linked to disaffected employees who have ill will toward the company. Because HR is typically tasked with implementing programs dealing with the workforce’s health and well being, in effect, tasked with understanding employee behavior, HR is the best Department to notice early warning signs that an employee could be being disloyal or headed in that direction, experts say.
Oftentimes the “insider” is a disgruntled current or former employee.
HR is in the best position to possibly predict or anticipate such behavior through the use of their current HRMS.
Breaking into a network takes minutes. However, finding and safely extracting what they want may take criminals months or even years of research and planning. To shorten this process, cyber criminals are getting help from insiders (whether knowing or manipulated) in more than half of all advanced attacks.
Attackers use social media to identify a useful target and to create a relationship with them. They target people with a pre-disposition to break security controls such as those with strong views, who do not react well to authority. They look for a trigger event which will break the employee's psychological contract with their employer – such as a demotion, change in role, redundancy or dismissal. Employees who take action against their employer are most likely to do so within 30 days of such an event. This gives the HR team a chance to intervene, including taking steps to increase monitoring and deter them. Managing an employee's exit from a company is facilitated by an an effective HRMS which can provide workflow, email triggers and alerts to all appropriate departments. Passwords and email accounts must be disabled in minutes not days, hardware must be returned before the employee leaves the premises – or has to be shipped (and closely tracked) from remote locations.
Keeping the HRMS master files safe and up to date is one of the most critical of all the contributions the HR function can make.“Homeland Security’s research and report finds that nearly 60 percent of fired employees steal important corporate data after departing their position. Furthermore, malicious intent aside, an IBM study found that well over 20 percent of breaches at work can be attributed to careless employee mistakes. The findings from both studies highlight the fact that organizations need to be vigilant of not only external cyber threats, but also the potential for trouble within their own ranks. “ (SHRM white paper- 2016)Meanwhile, the IT department has the technical skills to put certain systems in place — another key ingredient to stopping insider threats. There are systems such as Elastic Search, CloudLock, OneLogin and others that can detect when employees access or download documents they normally don’t and alert HR.
“The connection between HR professionals and security professionals needs to be the closest it’s ever been in history”, said Pete Metzger, Vice Chairman at executive search firm DHR International. “The Chief Human Resources Officer and the Chief Information Security officer, for example, should communicate with each other about important security issues, like securing mobile devices, hiring trustworthy people (more of an HR issue) and implementing effective of authentication (more of a technical issue),” he added. Moreover, he added, HR and IT should brief all the company leadership on important security issues, keeping everyone updated on any potential risks.
Once HR and IT team up, they can work together to build an effective cybersecurity training program encompassing policy, procedures and penalties.
HR should educate employees beginning with the onboarding of new hires and then with frequent follow up communications relating the in-place cyber awareness policies and procedures. No one should be exempt from this needed education, and the need for strong adherence and enforcement.The cybersecurity issue must also impact an organizations HRMS.
One recommendation might be for the vendor provided HRMS to be fully integrated with a third party “identify system – based on rules and roles. Most top tier HRMS providers do provide this type role based access during their implementation phase. Additional authentication must also be added. Remote access must be strengthened at the moment of logon. So called “2 factor” authentication such as biometric authentication now needs to be delivered out of the box by HRMS providers (who will have to integrate strong third party functionality to accomplish this. But it is a new “must have”. In general, current password and access controls must be strengthened.
HR must strive to recognize threats before they become attacks within the entity.
It is absolutely imperative that HR professionals not only have a comprehensive understanding of how to protect data within their own department, but also the company as a whole.
A majority of companies have sophisticated software systems in place to help curtail the risk of a cyber attack from an external source, such as a virus. Consequently, some of the biggest cyber threats that companies face are from groups of hackers that purposely target a company through a process known as "phishing”. The scamming technique can take an array of forms, but typically involves an impersonator that tricks an employee to surrender valuable information, usually via email: Hackers are able to imitate emails from seemingly trustworthy sources, which employees will then open while at work. The emails can carry malicious malware that hackers can then use to access sensitive data.
Alongside "phishing," other common threats include careless mistakes from employees, such as emailing or losing valuable data, logging onto insecure internet networks while out of the office, and conscious malicious attacks from employees or former employees.
So, our new entity – MILLER+SCHIFF – takes our backgrounds in cybersecurity and HRMS and puts us in a position to educate the HR executives and their workforce on these issues. (Bob works closely with Homeland Security and other large government cybersecurity agencies, and Marc is a well known HR technology independent consultant).
We believe HR’s critical and needed role must be evaluated in light of these five areas of HR’s responsibility:
knowledge of the workforce
support in cyber security hiring
management of HRMS and protecting HR data
understanding and administration of workforce rights
ongoing delivery of cyber awareness to the workforce
While the threat of a cyber security attack can never be completely eliminated, the risk can be curtailed through effective employee workforce management. After all, as current statistics reveal, the biggest threat to a company's cyber security is usually its own workforce.
We hope that Miller+Schiff can help spread the word that cybersecurity is not just an IT issue; that human resources is positioned to play a critical role in bring cyber awareness and mindfulness of actions to the enterprise’s human capital.