Why Human Resources need to engage with cyber security

You may think that cyber security is something for your IT department to manage. If you work in Human Resources, you need to think again. Because cyber security is very much your responsibility.

No, I am not saying you need to go around seeing if your organisation has installed the latest firewall or if all your Internet of Things ports have been secured.

What you do need to do though, is to check whether your colleagues across the organisation are cyber safe.

That’s because only around one third of data breaches are caused by malicious outsiders. The rest are caused by insiders, your colleagues: acting foolishly, carelessly, and yes sometimes maliciously.

What can go wrong? A lot of things. Personal information about customers is leaked because a laptop gets left in a taxi.  An email leads to an unintentional contract variation. A social media posts leads to a libel suits. An unwary worker shares their log-in details, leading to data theft.

So what should you be doing?

Start with strategy

A good place to start is strategy. Most organisations have some understanding of cyber risk. But often they focus on protecting corporate networks from external risks such as hackers. What is your organisation’s cyber security strategy? Does it include sufficient analysis of internal “human” risks? If it doesn’t then you need to work with the Information Security team to identify and manage these human risks.

Develop practical policies

Developing appropriate policies to help manage cyber security and spell out the “rules” is important. You are likely to need policies in several areas: web and computer use, data privacy, social media use at work, a “Bring your own device” policy to manage personal phones and tablets, and even policies about the software and cloud services that people are allowed to use.

Writing these policies should not be a “tick box” exercise. They need to make sense: they should be easy to understand by everyone in the organisation; and they need to benefit your organisation. They shouldn’t simply be designed to make the IT department’s life easier. Sure, pouring digital super-glue into all the USB ports would stop people uploading corporate data to insecure USB sticks, but it might not improve business efficiency. HR executives, with a feel for wider business needs, as well as an understanding of what will motivate or demotivate employees, are an essential part of any cyber policy development process.

Training: tell people how they should behave

The next step is training. Training is essential because without it most people won’t know how to act in a cyber safe manner.

You might as well accept that almost no one is going to read your policies. So you will have to tell everybody about them, face to face. And it won’t be enough to read out a list of rules and corresponding sanctions for disobedience. Apart from putting everyone’s backs up, people will generally ignore rules if they don’t know why they are in place. You will need to explain what the rules mean, why keeping to them is important, and quite possibly when they can be ignored (and when they can’t).

You will need to train the way people think too. This isn’t just about describing dangers: it’s about how people interact safely with colleagues, with suppliers and customers, and with people outside the organisation. It’s not about following rigid processes: it’s about understanding how to avoid risk in the first place. For instance you can’t tell people the precise information to avoid sharing on social media. But you can help them understand what types of information they shouldn’t share and how competitors can draw conclusions from seemingly innocent pieces of data.

Build continued awareness

Don’t think a one-off (or even annual) training session will cut it though. You need to keep awareness of cyber safe behaviour at the front of people’s minds. This means developing assets designed to deliver continued awareness of cyber risks – posters (that change design and location regularly), screen savers, sign in messages, even mouse mats and mugs.

Develop a cyber secure culture

An even more important issue for HR to address is culture. An organisation that doesn’t take cyber security seriously is unlikely to be changed by training and awareness. HR may need to address underlying cultural assumptions.

Start by auditing the security culture. Do this from the perspective of employees: what cyber risks do they know of; what do they think of existing security processes; to what extent do they feel security is their responsibility? And do it from the perspective of the organisation: how are employees expected to behave; what sort of resources are provided for security; is dangerous behaviour stopped, tolerated – or not even noticed.

Once you know what needs to change, you can start thinking about how to do that. Build persuasion tools, such as leader boards of cyber-safe behaviour; incentivise safe behaviour with praise or other rewards – and make sure it is not disincentivised accidentally; ensure that leaders walk the cyber security walk; develop an intolerance to unsafe behaviour. (“Why are you putting my job at risk by doing that?”)

But don’t develop a blame culture. That way you will just drive unsafe behaviour underground.

Encourage people to be less trusting

Sadly, one element of culture you will need to work on is trust. People are often very trusting and this can be a problem for cyber security. They need to be taught to question: emails don’t always come from the people they appear to, friendly people on the phone aren’t always who they say they are, confident people striding round the office without a visitor’s badge don’t necessarily have the right to be there. Defending against people who take advantage of trust doesn’t need complex software: it needs awareness, sometimes combined with robust processes.

Make sure cyber security is usable

HR teams also need to work on the usability of any security processes.

By their nature most IT people are very logical. In addition they understand the purpose of systems they are developing. And of course they are focussed on their responsibility to protect IT systems.

In HR you are also focussed on cyber security. But you may have a wider view of the organisation. Almost certainly you understand what motivates people. You understand how people perform their tasks. And you probably provide a receptive ear to frustrated colleagues. In fact you are probably going to be one of the first people to hear about cyber security initiatives that are counter productive – because they cause blocks in efficiency. And you may even hear how people would like to alter them.

All this means that you are in pole position to identify usability problems, to construct the analysis that proves (to sceptical colleagues in IT) problems exist and to make the case for change.

Monitor “off network” activities

Not everything that should concern your organisation will be happening within your corporate network. You colleagues, almost inevitably, will be using social media. And many will be commenting on colleagues, clients, your organisation and your industry. In addition they may be using cloud computing services such as Drop Box and Google Docs to store, edit and share corporate information. This type of activity needs to be managed, to preserve information security and to protect reputation.

Recruit sensibly

When recruiting, watch out for people who may not be cyber secure. Anyone who comes from a competitor boasting they can bring a list of clients on a disk may well be less than trustworthy. You might also need to think twice about people whose social media posts are irresponsible – perhaps complaining about their current employers or giving information away about new initiatives.

Keep an eye on risky people

Some people will be higher risks than others. Sometimes this will be a result of personality. For instance sales people are likely to me more open, and possibly more trusting, than finance people. But that’s not where the real risk lies. The people you will need to monitor most closely are those who feel disengaged from your organisation. These may include temporary staff, new recruits during a probation period, people on low pay or in boring jobs, people who have handed their notice in, and people who are having difficulties at work, perhaps experiencing disciplinary procedures.

Yes, cyber security really is an issue for HR

Human Resources managers may not be particularly focussed on technology. But they have a responsibility to learn about cyber security because the role that HR can play in preserving security is an enormous one. In other words, if your HR and IT departments are not working closely together on cyber security you are opening your organisation up to some major and unnecessary risks.

Advertisements

Eight steps to change cyber security culture

Hackers are always a problem. And naturally, your IT Department has network security buttoned down. But they are probably more worried about something else: you and your colleagues.

The big challenge in cyber security is people. It is how to change an organisation’s culture from relying on IT for security into one where everyone takes responsibility. Everyone, from the CEO to the newest intern.

John Kotter famously proposed an eight step process for changing organisational culture, starting with “Establish a sense of urgency” and finishing with “Institutionalise the change”. Well, most people realise that the cyber security problem is pretty urgent. So I thought I’d outline a separate set of eight steps that organisations can follow to strengthen their cyber security culture.

Step 1. Build your guiding coalition

Start by building a multifunctional team to guide change. Cyber security shouldn’t be the responsibility of IT, so you will need people from across the organisation to be involved: sales, marketing. operations, finance… This is essential so you get buy in across the organisation.

More importantly though, if your approach to security doesn’t take account of the way people work, it will fail.

Step 2. Form your vision and scope out your intentions

Next you need to form your vision for cyber security. That should be simple: to protect your assets, reputation, efficiency and information from computer based threats, and to ensure that your digital information is private, is accessible by people who have authority, and has integrity (think “the truth, the whole truth and nothing but the truth”).

In addition you will need to identify the scope of your vision: who it applies to, and what assets, processes and information is relevant. You will also need – and this is a big task – to identify the risks that your vision faces and how best to manage them.

Step 3. Define the details of what you want to achieve

Out of your vision will come the detailed policies you need around cyber security (including policies on IT and web use, Bring your own device, Privacy, and Social media). These need to be expressed in clear language: avoid techie jargon at all costs. Having a truly multifunctional team should mean that the policies should be relevant and effective for your whole organisation.

Step 4. Build new processes

Based on your policies you will be able to identify the tools you need to implement and the processes you need to develop that will help to protect you from cyber risks. It is vital to include a cross section of employees in the design of these systems. Without them you are likely to end up with unusable, frustrating and inflexible processes. If that happens your workforce will soon be looking for ways to work around them. So remove any barriers to people being cyber safe.

Step 5. Educate

Bring your policies to your workforce and educate them about any new tools and processes. Tell them why cyber security is important – for your organisation but also for them personally. And make sure they understand what they should do if they have problems or if things go wrong (as they surely will).

Don’t rely on one off training sessions: make sure that security is constantly “front of mind” with reminders using different techniques, messages and media hitting them as often as possible.

Step 6. Persuade

You can “educate” all you want, but if you fail to persuade them about the importance and effectiveness of what you are proposing then you won’t change anyone’s behaviour.

There are lots of methods that you can steal from marketing and from behavioural economics here. For instance, make sure authority and other credible figures are seen to follow the rules (if the Chief Exec is lax with security you can be certain everyone will happily follow their example). Prove to people that your new ways of working actually deliver benefits. Help people realise that they face constant and sometimes personal risks but (and this is very important) that there is plenty they can do to keep safe.

Keep an eye on how people are incentivised as well. Not about cyber security but about their every day tasks. Don’t put incentives in place that could persuade people to behave in an insecure manner.

Step 7. Socialise cyber security

Kotter talks about “enlisting a volunteer army” and that’s exactly what you have to do. You need everyone in your organisation buying in to the idea of cyber security. Part of this will be ensuring that “the organisation” behaves properly: if it is seen to be cavalier with the security of customer data for instance your internal processes will lose credibility. Ultimately you want your workforce disapproving of people who behave unsafely.

Disapproval doesn’t mean developing a blame culture. That would be very damaging – given the ever changing nature of cyber threats you need people to be able to feel safe if they make a mistake or if they respond wrongly to a new threat. But you do need people to accept cyber safety as the norm and as something that has value in protecting their career and indeed themselves personally, as well as protecting their colleagues and the organisation as a whole.

You might want to take some ideas from Sales as well – leader-boards for people who are particularly effective, prizes for good behaviour, simple recognition for jobs well done…

Step 8 Monitor and enforce

Measurement is very important. Your organisation needs to know how well it is maintaining a positive security culture. Identify some relevant KPIs so you will know if you need to take remedial action.

Enforcement is also important. If people who act unsafely are seen to get away with it then others will quickly follow them. Regular negligence and malicious behaviour may need disciplinary sanctions. More often than not though, you will simply need to offer a little “re-education”. And treat this as a learning opportunity for the organisation as well as the individual concerned. After all if someone is regularly breaking the rules it could well be the fault of the rules!

The Tory minister, the fake Sophie Wittams profile, & data security

The hilarious-if-it-wasn’t-so-tragic incident of Tory minister Brooks Newmark sending dodgy pictures to a male journalist pretending to be a female party worker raises an interesting data security issue for business.

It would be very easy to build a credible Twitter profile of an important person (say a prospective client), using a photograph of them taken from the web and buying a large number of followers to make the profile look genuine.

This profile could then be used in two ways:

  • to publish misleading information
  • to gain the trust of other people who are happy to communicate via Twitter with the prominent person

In the latter case, the person behind the fake Twitter profile might reference a particular person (the “victim”) in a number of tweets in the hope that the victim would follow the fake profile. Once that connection is established, the fake profile can communicate privately via Direct Message with the victim soliciting information (rather than dodgy pictures). Alternatively the fake profile can simply address public tweets to you by putting your Twitter name at the start of their posts.

Similar scams could take place on LinkedIn and Facebook although in both of those cases it might be more difficult to build up credible profile with lots of connections/friends as connecting on these platforms is a “mutual” action that both parties need to agree to, whereas on Twitter you can follow people without their permission and buy “followers” for a few dollars thus easily building a credible profile.

How can businesses (and politicians) guard themselves against false Twitter profiles? If someone you think you may know engages you in conversation on Twitter about a strategically important issue:

  1. First, check out the number of connections the profile has. If there are only a few then you should check out whether they follow lots of people and whether they are active on Twitter. A profile with only a few connections should be checked out. Call them up and ask if they are messaging you on Twitter. (The fake “Sophie Wittams” profile that brought Brooks Newmark down had 52 followers and had tweeted 172 times, so the journalist responsible had taken care to build a credible profile over a period of time.)
  2. Second, check out the authenticity of the followers the profile has. You can use a service like twitteraudit.com to see how many fake followers a particular account has. Too many (more than 50%) and you should be suspicious.
  3. Third, check out their profile. Does it look genuine: for instance does it contain a recent photograph and perhaps contact details or other personal information? If not, then you are right to be wary.
  4. Fourth check out whether there are any similar profiles on Twitter. Search for their name, and variants of their name, to see if there are other accounts that seem to belong to the same person. If there are several similar accounts all seeming to belong to the same person, you will need to discover which is the genuine profile.
  5. Fifth, check out whether the person with the name on the profile has connected with you before on Twitter, but under a different profile; if they have then something may be up.
  6. Sixth, if you are suspicious use the profile image to search Google. It may indicate that the photo belongs to someone else (but if it doesn’t, don’t take this as proof that the photo is genuine)
  7. Seventh, if it seems too good to be true for any reason, then it almost certainly is! (Politicians take note.)

LinkedIn is slightly more difficult to check out as it isn’t possible to detect fake connections (and depending on the account settings it may be impossible to see them at all). However, it is still possible to check out the number of connections, the extent of the biography and the level of activity. If a profile looks incomplete, unused, and with few connections then you might want to treat it as suspicious. In addition, check whether the profile seems to have connected with you before: if they have then the chances are that one of those profiles is a fake.

Facebook? Well my advice here is to avoid business conversations on Facebook. Connect only with people who are genuine friends, not business acquaintances. And never discuss business on a Facebook page or via any form of Facebook messaging.

Back in 1993 the New Yorker magazine published a cartoon with the caption “On the Internet, no one knows you are a dog”. This is still very true, especially in social media. And it is something that anyone with an interest in data security needs to remember.

Are mobile devices a threat to your business?

How many of your employees have smart phones? Probably a high percentage. If so, do you recognise the risks that employees with smart phones can pose to your organisation?

Loss

First of all consider what might happen if an employee lost their mobile phone. Inconvenient for them of course.

But what if they have synched Outlook with the phone? Someone who finds it could have access to emails, office contacts, their work calendar…

If that is the case then you will want to know that their phones are protected with a good password. But you also need them to agree to allow remote locking and wiping on their phones so that if they do lose their phone you won’t lose confidential information.

Listening in

Smart phones can be turned into spyware.

Malware can be used to hack into content on smart phones meaning that sensitive emails and office calendars can be read by outsiders.

But there’s worse. There are freely available apps like flexispy that can remotely spy on call logs and emails; track location; and even record surroundings. A phone that contains software similar to flexispy could potentially create an audio record and even a video record of a business meeting with the owner totally unaware.

At present this would probably involve someone having access to the physical device, unless of course the user downloads malware masquerading as a genuine app that requires access to the devices’s microphone or camera.

Education is key. And there is a case for insisting that employees who wish to bring smart phones into your premises are obliged to install appropriate protection software. You might even want to go as far as forbidding the presence of mobile devices (including iPads) in important meetings (which if you want to improve productivity wouldn’t be a bad idea anyway!)

Location tracking

Do you want your competitors to know where your employees are? What if you are negotiating a tie up with company in another city? Or investigating whether to export o an overseas territory?

You don’t need to have a phone infected with malware to give this information away. An employee taking photos and uploading them to a social media platform might accidentally disclose this information for instance via the Facebook Timeline Map.

If the location of an employee is at all sensitive then you need to educate them to edit the location settings on their phones and their Google accounts.

Managing the risks

The more employees’ personal mobile devices are given access to corporate information, the greater the requirement for organisations to understand and take action to manage the risks of information leaking those personal devices.

Educating employees about the risks is the cornerstone of any strategy. But a requirement that employees implement security software on any personal devices brought into a corporate environment is also increasingly important.

Corporate social media policies

These days any organisation needs to have a social media policy in place. This needs to cover:

  • When social media sites can be used (different for personal amusement, personal PR, and continuous professional development purposes)
  • How people need to talk about their employer and their colleagues
  • What their employer may do with respect to their use of social media (there are privacy issues to consider here)

I’m certainly not a lawyer but I have worked with social media for  quite a few years and over the time I have picked up a few ideas about what works and what can go wrong. So I have listed out below what I feel are the main issues with examples in italics of how I have addressed them in the past. (But as I say I am not a lawyer so if you want to use any of the wording I would have it checked out first!)

Introducing the social media policy guidelines

First of all  you will need to explain the purpose and scope of any guidelines  you are putting in place. Something along the lines of:

These guidelines are intended to help you manage your use of social media in respect of your work life.

Social media are online public spaces where you can share information with friends, colleagues and strangers. These spaces can be principally for social purposes such as Facebook, for business purposes such as LinkedIn, or for both such as Twitter. In addition there are numerous discussion forums in media owner and retailer websites where you can debate industry issues or review products and services.

Next I think you need to explain that there are laws that apply to the use of social media. I don’t think this needs to be complicated: just to remind people that they can’t libel people or steal intellectual property:

Remember that legally you are personally responsible for anything you say online. Just because you are on Twitter or Facebook doesn’t mean you can say anything illegal or libelous. You should also be careful not to breach copyright or infringe trademarks when posting to social media sites.

When can you use social media?

The next thing I would address is when people can use social media, and for how long. Of course this is totally up to you but I feel that it shouldn’t be a sackable offence to pop onto Facebook now and then, so long as the use is reasonable (after all most people are allowed to make a cup of tea a few times during the working day and this is little different.)

With respect to personal use:

Within the working day, please limit your use of social media websites to one or two 5 minute sessions, unless your use has some relevance to your work. Of course you can use social media for the whole of your lunch break should you choose.

And with respect to professional use:

If your profile on business social sites like LinkedIn, Twitter etc shows us as your current employer and you link to our website on your profile, you can update your personal pages (e.g. upload presentations and whitepapers you have written), or search for contacts, whenever you want, so long as this doesn’t impact on your main job performance.

You can use Twitter to tell people about new documents on our website or other relevant business links that you feel colleagues and peers in other companies will find useful, whenever you want, so long as this doesn’t impact on your main job performance.

Please do not set up Facebook, Google+, LinkedIn, Twitter etc pages that appear to be “official” company pages. You should not represent your personal opinion as being the formal position of your company and in the same way you should not create social media pages or accounts that might be mistaken for official company pages or accounts.

sIf you decide you are going to monitor which websites people use at work (and plenty of companies do this), I believe it is only polite and good management, to inform people of this and let them know if certain types of site are deemed inappropriate for use in the office.

Talking about the company and colleagues

I would then begin to outline the guidelines, starting with how they should talk about the company and their colleagues:

If you mention our company or our industry in any social media please do use your common sense about what is appropriate and what isn’t. The first question you should ask yourself when posting anything online is “Would my boss be happy to read this?”

However strongly you feel, it will never be appropriate to post in a public space defamatory or uncomplimentary comments about the company, your colleagues and peers, suppliers and clients, even if you are only joking. If in doubt, ask your line manager. Never post if you are angry about something. [That last is really important. I would add “drunk” as well but that might give the wrong impression of people I have worked with in the past!]

Never use a company social media account to post anything of a personal nature – unless it has some positive relevance to the company (for instance you have just completed a fun run that the company has sponsored). [Again this is really important to emphasise, especially to younger colleagues who may use social media a lot and who can sometimes forget they are not on their private Facebook account.]

Respect your colleagues. Don’t post to your personal web pages inappropriate pictures of work colleagues at company or industry sponsored events. This includes any content that would show up your colleagues or company in an uncomplimentary light. A useful question to ask here is “Would my (or their) mother be happy to see this?”

Ensure you protect the privacy of colleagues and peers and don’t gossip about them in a public space unless you have their permission.

Always remember that it is easy to misinterpret comments about people so take care when joking about colleagues and peers and be sensitive to people’s feelings.

Sometimes people have tripped up over financial disclosure so a word about that is useful (and don’t assume the FD has this top of mind either.)

Remember there are special rules about disclosing financial information. Remember that you don’t need to include financial details to break the rules: saying something as simple as “the company is doing really well” could get you into trouble. If in doubt, ask.

Talking about clients

It is also important to take special care that colleagues don’t upset clients or other stakeholders:

Never talk about clients or work you have done for a client without getting the OK from your line manager first. Never reveal confidential information about the company, our suppliers, our clients or anyone we have an NDA with in a public space.

Sometimes people will be engaging is discussion about your industry. They might be doing that for “personal PR” reasons, which I would encourage a reasonable amount of, or to learn about something. Unless they are authorised though you probably don’t want them representing their opinions as the company’s and it is important to help them understand how to manage this:

By all means blog, contribute to online discussion groups, tweet or post documents on websites about industry issues. However, be very careful to avoid making it seem as if your comments are officially held by the company. Your blog is your opinion, and not that of the company and you should make this clear.

Taking part in discussions

It is one thing posting content; it’s another to enter into discussions, especially with people who, unbeknown to you, might be prospects (or potential employees). So helping people to understand how to engage with other people is useful:

When participating in public online discussions display a professional demeanour at all times. Never display contempt about what other people say. Never be rude to or dismissive of other participants.

Before you contribute any comments, make sure you get your facts straight. It won’t help anyone if you make yourself look stupid by writing something that is obviously untrue!  If in doubt, check with someone else.

Not everyone will want to engage with you in debate publicly. So enable people to reply to your postings privately via email.

If you see our company or a colleague being misrepresented, use facts rather than opinion to defend them; alternatively do not respond and inform your line manager instead.

If you are angry about something do not respond online. Wait until you have calmed down! Think twice before you post any response.

Do not impersonate colleagues or anyone connected with your company when online.

Social media at home

And finally I think  it is as well to address behaviour on  personal accounts when employees out of the office: over the years many people have found themselves in trouble for making comments about their company or colleagues on private accounts, on the assumption that, when they are not at work, they can say what they like. 

Remember that, even if you are at home, the rules of politeness and the laws of libel still apply! So take care not to upset work mates or damage your company with ill advised comments, even if they seem funny at the time. They might not seem so funny next time you meet your colleagues!

Conclusion

A lot of people feel that what people do on social media is their own concern. They feel that the “virtual” world is somehow distinct from the real world and that the same rules don’t apply. Guidelines on social media use are therefore sometimes seen as over-bearing and unnecessary.

But it is much easier to prevent “accidents” than to clear up after them. And even experienced people can do remarkably silly things when using social media. So providing clear guidelines that help people understand how what they do and say online can impact on their company, their colleagues and their career prospects seems to me to be caring rather than draconian.

If you would like to know more about managing how your employees use social media then drop us a line at hello@mosoco.co.uk or call us on 07855 341 589.