We are always being warned about the risks of cyber-security and how it could destroy a company by gaining access to the internal computer networks. We often fall back on the fact that the IT department will be able to fix whatever nasty online bug has managed to infect our systems. However, what if the first line of defence could be stronger? The easiest way of protecting our company systems is by making sure we give our staff some simple IT training and advice.
The majority of executives (87%) cite untrained staff as the greatest cyber risk to their business, according to research from Willis Towers Watson.
Compounding this is the fact staff training is ranked among the categories to have made the least progress when measured against the National Institute of Standards and Technology (NIST) cyber-security framework.
The research also identified the most common types of attacks to include malware/spyware (81%) and phishing (64%), with external unsophisticated hackers (59%) and cyber-criminals (57%) identified as the next biggest external threats reports HR Magazine.
As workforce vulnerabilities contribute to most cyber incidents, two-thirds of companies surveyed believe HR and information security partnership is key. When asked who takes the lead role in developing employee-related cyber risk policies, 54% said HR leads with information security advising, and 28% said information security leads with HR advising.
Anthony Dagostino, global head of cyber risk solutions at Willis Towers Watson, said: “These findings are encouraging because they signal that more organisations are involving their HR function in addressing cyber risk. Still, organisations need greater collaboration between their CHROs and their CISOs to truly assess the organisational culture driving cyber risk in the first instance.
“The solution isn’t always more security awareness training. It could be a leadership or incentives and rewards issue, things that fall squarely within the function of the CHRO.”
Rona Beattie, a professor in human resource development at Glasgow Caledonian University, said: “Organisational security has three key strands: cyber, physical and people. Normally they are addressed and resourced in that order; that is if people security is even considered at all,” she said. “Yet computers and IT, and physical barriers are designed and operated by people. In effect people are an organisation’s strongest and weakest link; we’re all one click away from sending data into the wrong hands, as we’ve seen repeatedly across sectors with ‘leaks’ of personal data, customers and staff.”
She said that the dangers surrounding cyber security mean that everyone in an organisation should have an understanding of security with regards to their role.
“Add into that risk the potential for a malicious insider to create significant harm because of their organisational knowledge and access to critical resources,” she said. “The three strands of security need to be seen holistically. People security should be regarded similarly to health and safety, with everyone having a level of responsibility related to their role and level.”