HR's vital role in tackling cybercrime

Cyber security threats have never been more pervasive, with the WannaCry hack bringing the NHS to a halt and the Petya cyberattack spreading across Europe.

With many businesses operating digitally, the risk and responsibility of safeguarding can no longer be incumbent on IT.

Justin Dolly, Chief Security Officer & CIO at Malwarebytes, a Silicon Valley-based cyber security company with a European HQ in Cork, Ireland, believes that HR departments are vital to protecting the business.

“Historically, the focus has been on deploying various security tools designed to protect a company’s infrastructure,” Dolly explains. “While these tools are critical, and can be the difference between a devastating breach and an attack thwarted, employees are becoming an increasingly critical part of the equation. It’s something that is slowly being realised, and a recent survey by Harvey Nash/KPMG found that the so-called insider threat is the most rapidly growing threat of all.”

Insider threats can be as simple as opening an attachment or link without considering what it could contain. Dolly warns that employees should be given cyber security training, with its importance equal to that of knowing where the fire escape is.

“All employees need to be educated in good cyber security hygiene, rather than it being an afterthought,” he warns. “Working with IT teams, HR staff should be devising policies and procedures to help staff stay safe. This can range from training sessions on how to effectively use the cyber security tools in place, as well as explaining how critical it is not to disable them, to testing staff on how well they can identify a phishing email. We are a security company, but that doesn’t mean everyone who works for us is a security expert; after all, we have teams of accountants, marketers, telesales agents and so on, who, for the most part, don’t have security ingrained in their being. To combat this, we occasionally run spot tests - sending a ‘phishing’ email to employees and seeing who bites. Even for us, it’s often surprising how many people fall for it!”

He stresses that the intention isn’t to discipline those who make mistakes, but to raise awareness of how easy it is to become a victim. The tests also identify where more investment or training is required. “Each time we run the test, fewer and fewer employees click the links,” he adds.

“Information security has begun to catch the attention of HR professionals, but it's still a long way from being considered a core component of the employee handbook. However, more than ever, a security-first approach needs to be taken for all business decisions - after all, the future of any company could depend on it.”
