Opinion: Biggest cyber threat to your business? Your staff

Gina Wilson, partner at Clyde & Co, examines why HR should consider the risks their staff pose with regards to the cyber security of the business
 
You may think that criminals and competitors present the greatest threat to your business's cyber security, but in fact it is your staff. Unsurprisingly, former staff members are your next biggest threat.
 
Relatively few staff would act with malicious intent to cause a cyber attack; what more commonly occurs is negligence and accidental disclosure, leading to confidential information falling into the hands of cyber criminals.
 
Maintaining the security of your cyber presence has become a business necessity. According to the PwC Global State of Information Security Survey 2016, 45% of board members are (apparently) involved with cyber security strategy.
 
The information held by your business which could be compromised by a cyber attack includes client lists and contact details, your own and your clients' financial details, pricing, product designs and manufacturing processes.
 
The financial costs flowing from a cyber attack are also foreseeable, including the cost of disruption to trading and the loss of actual and prospective clients. The integrity of your IT equipment and services could also be compromised and require repair.
 
As regards the risk presented by staff to cyber security, companies may wish to reflect on the following:
  1. Have you identified which financial and information assets critical to your business could be compromised through your staff's use of IT systems? This is a moving target, so your register of these risks needs to be reviewed and updated, in particular as the technology and the scams develop. In assessing the risks, you should consider how your information and assets are stored online and to whom access is permitted.
  2. Do you assess whether your passwords (used by staff, contractors and clients – to access IT systems which belong to your business, those of your clients and any third parties such as banks and suppliers) are sufficiently unique, strong and regularly changed, and do you enforce a strict password policy?
  3. Are your staff aware of your security processes and do your staff adhere to them? Do you monitor your IT systems to detect any unusual and suspicious activity on the part of your staff? Does your IT system permit staff to download any items (e.g. pirate videos) which could contain malware (hostile or intrusive software such as computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs)?
  4. Do you regularly inform your staff of the latest cyber threats so that they are aware of the dangers to avoid?
  5. If your clients demand or expect a particularly strict approach to cyber security, consideration should be given to contractually obliging your employees to adhere to certain security measures.
  6. In the event of a cyber attack, are your staff well-trained in the effective and speedy implementation of your cyber recovery plan?
 
In terms of your obligations to your employees, you may also wish to consider the cyber threats to them, including whether the personal data about your staff is stored and communicated in an encrypted format.