Sarah Adams: No place for HR to hide from cybercrime

Sharp edges can be dangerous. And HR, whether it’s in- or out-of-house, is at the sharp end of cyber-security in two major ways.

First, the kind of data HR personnel handle makes them a prime target for cyber-attacks. Things like addresses, dates of birth, National Insurance numbers and payroll details are like gold dust to cybercriminals. They’re the perfect ingredients for identity fraud.

Second, HR wears the hat for ensuring both new and existing staff are trained in cyber-awareness. IT can only do so much to protect the network. The rest of the responsibility lies with network users, who must avoid making the kind of mistakes that can open the door to hackers.

Tragi-comedy of errors

Such slip-ups can involve anything from using weak passwords, which hackers can easily bypass, to falling for virus-infected click-bait. But they’re key, because figures from the UK regulator, the Information Commissioner’s Officer (ICO), suggest insiders can be blamed for 62% of cyber-attacks.

Some of those attacks are intentional. Employees on the make can deliberately cream off data and sell it either to competitors or to criminals on the dark web. Disgruntled ex-staffers can also mount a vendetta against a company by stealing data and passing it on.

Whoops!

But many cyber-attacks and data breaches have a more innocent origin. Employees can send data to the wrong person by mistake ­– simply by attaching the wrong file to an email. Or they can log onto insecure networks on laptops while out of the office, unknowingly letting the hackers in.

Then there’s phishing.

Far too easily, employees can be persuaded to click on links in bogus emails or to download attachments – especially when the attachment is disguised as a job application. But one simple click can unleash a torrent of file-locking malware or ransomware that quickly spreads across your network.

Clear and present danger

A combination of up-to-date IT security, good staff training, and board-level co-operation give you your best chance of avoiding a hacker attack or data breach. But cyber-attacks are everywhere, and the Department of Culture, Media and Sport reports nearly half of the UK’s 5.5 million businesses suffered an attack or a breach last year.

That number only stands to grow as the hackers get ever more devious, while being prepared for an attack is more relevant now than ever. That’s because there are hefty new fines for data breaches on the horizon, once the new General Data Protection Regulation (GDPR) comes in next May.

GDPR

GDPR affects anyone who handles personal data for EU citizens and aims to standardise the way it’s collected, processed and stored. It shines a light directly on HR departments and consultants, because a lot of the employee info they gather and keep is ‘sensitive’, and could be used for ID fraud.

Oh, and fines for not playing by the new rules, which also include telling the ICO about a breach within 72 hours, plus informing everyone affected, are eye-watering: up to €2 million or 4% of annual turnover, whichever is more. A fine that big could put a huge dent in the bottom line of any company, or even finish it altogether.

Fully prepped?

As with most things, the key to riding out the storm is being prepared. You need a well-drilled recovery plan in place that will kick into action as soon as an attack is discovered. Not only to stop it, but to clear up the mess left behind, and to get you back up and running again as quickly as possible.

That’s because time means money, and any time that a business is unable to trade as normal spells lost revenue.

Think about it: if a customer website has been taken down by hackers, no-one can buy or even browse the product range. Or if files across a network have been infected and encrypted, staff won’t be able to access information, process orders, or do anything much at all. Business will grind to a halt.

What if your system has been infected with ransomware and cybercriminals are demanding a ransom of £1750 in Bitcoin? Does anyone know how to negotiate with hackers? Do you simply pay up, trusting their promise that they’ll decrypt your files once the money is transferred? Do you take the risk?

Data danger

Data breaches can throw up a different set of problems, with equally devastating consequences. And that should throw up a red flag for HR. Once sensitive data is in the hands of criminals, they can use it for a string of illegal activities.

Losing bank payment and card details is probably at the worst end of the scale, because it can lead to large-scale financial losses. But any personal information can be used by criminals to commit crimes in an individual’s name. Money laundering and drug smuggling, for example.

 Pay-back time

The bad news, of course, is that any type of cyber-attack or data breach involves pay-back – no matter how it came about or where it came from. It affects any organisation from top to bottom.

One of the biggest costs for business is lost revenue while their normal way of doing business is compromised. The fall-out from an attack can go on for days and if you’re losing sales and customers during that time, your profits can take a big hit.

Paying for the expertise to sort out damaged IT can be expensive, too. Things are easier if you have a crack in-house IT team who can get to work quickly. But most businesses rely on contractors. What if they’re tied up? And how much will they charge to make things good…even if they can?

Name and shame

Then there’s the cost to your reputation. If you’re unable to fulfil contracts or deliver as promised because your system is in lock-down, clients might be tempted to take their business elsewhere. Word gets out quickly when people feel they’ve been let down and can do lasting damage.

That damage can be even worse if private data’s been lost. No-one likes the thought of their confidential information being in the hands of criminals, and they’re quite likely to come after you with a law suit for compensation. An expensive law suit, at that.

And then there’s the regulator to deal with. If the ICO considers the breach is significant enough, or that you haven’t been operating within the GDPR rules post-May 25, they’ll launch an investigation. And that means lawyers, paperwork, potential fines, the lot.

Taking stock

We all operate within a complex and increasingly technologically driven business environment. And with time at a premium, anything that takes the strain, reduces risk and helps businesses through a potentially ruinous period has value.

If you’ve already got a fail-safe cyber-attack recovery plan, and feel sure your business could cope with the added pressure, then you’re one of the lucky ones. Pressure in terms of lost revenue, lost reputation, and the sheer time, effort and expertise it takes to sort things out, that is.

If not, cyber insurance can provide a good solution. Here’s what it does.

• It pays for rapid IT forensics to crawl over your systems, find the source of the attack, and fix any damage. It covers re-installing software, recovering data, getting websites back up and running, and re-establishing networks.
• It pays for replacement IT kit, if necessary, while yours is being mended. That means you can keep doing business in the meantime.
• It pays for any lost revenue while you can’t operate as usual. That’s really handy, since it can take several days or even weeks to recover form a cyber-attack.
• If you’ve lost personal data, it pays to inform everyone affected, as required by the ICO, and stumps up for credit monitoring. It also buys legal expertise and covers court costs plus compensation if victims make claims for damages against you.
• It takes care of informing the ICO when there’s been a data breach – within 72 hours under the new GDPR. It also pays for the know-how to handle a follow-on investigation, and covers any fines – with the ICO’s say-so.
• It helps to defend and restore your battered reputation after a cyber-attack by paying for crisis management and PR.

 

Future thinking

Plenty to think about, then. It’s an unfortunate 21^st-century fact of life that a simple click of a mouse can unleash a tidal wave of unwanted consequences. And that’s especially relevant for HR, considering the volume of sensitive personal data at stake, plus the new demands of GDPR

Time to plan ahead for a cyber-attack?