HR Lessons from the Biggest Security Breaches



We are only halfway through 2017 and we have already seen some big cyber security breaches. Ransomware attacks crippled some businesses, and suspicions of election hacks and cyber interference still dominate the news. With businesses relying on data more than ever, ransomware attacks such as the one that occurred at Renault can have huge implications for day-to-day operations. Data protection is top of mind for everyone, and businesses are spending lots of time and money to reduce the occurrence of data breaches.

Research by Deloitte notes that the major impacts of a data breach continue to be felt two years after an event. Their study also notes that the hidden costs, such as reputational damage, losing customers to the competition, increases in insurance premiums, and losses from obstruction of operations, are many times worse than the direct costs such as increased communication to affected customers, technical investigations, and attorney fees [1].

Researchers at the University of North Carolina at Chapel Hill studied 88 companies that suffered data breaches and found that the market reacts very negatively to them. Companies lose as much as 3% of their market value over the long run as a consequence of data breaches [2]. The ripple effect of a breach goes beyond just bad publicity. Markets react negatively regardless of the number of customers impacted, as the breach is viewed as a strategic blunder on the part of the affected company.

The weakest link in the security chain is People

While external cyber-attacks get a lot of publicity, it is important to pay attention to the 6 employee habits that impact data security, such as the failure to report lost or stolen devices. Equally important is making sure that security access is cut off when employees leave the organization.

Employees frequently share passwords (whether intentionally or not) with people outside the organization, who then gain access to resources or deface company assets, as seen in the Matthew Keys case [3]. According to a study published by Carnegie Mellon University, it takes companies on average nearly three years to notice an employee is stealing secrets.

Security breaches highlight several flaws in how business processes are designed and operate. HR can play a bigger role in security breach prevention.

  1. Organizations often use outdated systems until they are critically broken. Every major IT project needs a champion, and HR can champion the replacement of dated systems, which are often unengaging and unproductive because employees have to work around their limitations (and sometimes the workarounds are insecure).
  2. We are all guilty at one time or another of ignoring update notices from the software applications we use. It has become a habit for us to quickly hit the ‘Ignore’ button without reading a notice. HR can help educate employees to take notice of these update and security notifications.
  3. Discontent and lack of engagement of employees can create vulnerabilities that hackers and/or criminals can exploit. Bribes to allow access to information and/or the company network can look very tempting to employees that are already unhappy at work. We all know that happy employees are more productive but the flip side is that happy employees are less likely to betray the organization. HR must continually review their policies and programs to make sure the right people are hired and the right processes are in place so that employees can effectively and securely do their jobs.

There is no 100% effective way to protect ourselves from malicious attacks, but educating employees to report lost or stolen devices, to regularly update passwords (and not share them), to keep applications up to date, and to not open emails and attachments from unknown senders are simple things that HR can build into employee communications and processes. HR can also champion the automation of business processes such as employee termination, which would automatically shut off employee access to the network and applications when the employee leaves the organization.

Big data has given us a better understanding of our businesses, customers, and competition, but it has also opened the door to big security issues. We can all play a more active role in minimizing these threats.

At StarGarden we have a unique solution for closing security loopholes in the organization: automating service requests for access based on an employee's authority in the organization. Download the free white paper to find out how HR can help tighten data security in organizations.



References:

  1. http://www.csoonline.com/article/3110756/data-breach/a-deeper-look-at-business-impact-of-a-cyberattack.html
  2. http://blog.kenan-flagler.unc.edu/risky-business-the-impact-of-data-breaches/
  3. https://www.wired.com/2016/04/journalist-matthew-keys-sentenced-two-years-aiding-anonymous/
  4. http://abcnews.go.com/International/news-analysis-takeaways-wannacry-cyberattack/story?id=47420590