How HR can reduce the costs of a cyber attack

HRM speaks to a leading figure in New Zealand’s technology sector about what HR can do to reduce the impact of a hack.

A new study by IBM and the Ponemon Institute found that employee policies and training – or lack thereof – are highly influential on how a hack will financially impact an organisation.

One expert told HRM that there are precautions employers can take to protect themselves from the risks posed by the workforce itself.

The report, 2015 Cost of Data Breach Study: Impact of Business Continuity Management, found that having the following processes in place saved affected organisations money:

  • Incident response team (saving of US$12.60 per compromised record)
  • Extensive use of encryption (saving of US$12 per compromised record)
  • Employee training (saving of US$8 per compromised record)
  • Board-level involvement (saving of US$5.5 per compromised record)

Meanwhile, the following were financially damaging to affected organisations:

  • Third party involvement (cost of US$16 per compromised record)
  • Lost or stolen devices (cost of US$9 per compromised record)
  • Engaging consultants (cost of US$4.5 per compromised record)

HRM spoke to Graeme Muller, CEO of the New Zealand Technology Industry Association (NZTIA), about the ways in which Kiwi employers can better manage the risks to their IT security.

“We’re seeing a lot of companies being attacked, hacked, and victimised by things like fraud,” he said.

“The research shows us that the cost of cyber breaches is high.

“But the interesting thing is that cyber issues can be quite intangible – most companies don’t broadcast when these hacks happen, but they do have to tell the people who have been hacked, which can lead to the loss of a large number of customers.”

He explained that because hacks aren’t always widely broadcast when they occur, people – particularly employees – can underestimate the risk and become complacent.

“The level of professional hacking is increasing, and a large proportion of the issues are coming from people compliance,” Muller said.

He added that raising awareness and understanding around the criticality of cyber security is important at all levels of an organisation.

“It is now as important – if not more – than traditional security, but not enough attention is being paid to it because the evidence of the damage is hard to see. People need to be aware that it doesn’t mean it’s not happening.”

“One of the things we’re trying to highlight is that it’s not just about keeping the baddies out any more – more people are involved, and more processes need to be looked into.”

He likened modern cyber security to traditional, “regular security” – “you have to make sure someone turns the key and switches the alarm on,” he said.

“It’s important that staff are aware of the ways in which security can be breached,” Muller continued.

“Employers need to be considering policies like managing mobile devices and how they are managing third-party contractors.”

He advised that all workplace systems (whether they are mobile or not) need passwords – and decent passwords.

NZTIA has been partnering with Connect Smart, a government cyber security policy office that reports to the Department of the Prime Minister.

“We’ve been doing a lot of work to increase awareness,” Muller told HRM.

“It’s important for all sized businesses, but obviously the impact is much more substantial for larger companies – the aftermath would be hardest-hitting for companies like Fonterra, Trade Me, or the Warehouse if a hack was to occur.”

He added that most companies don’t have a security plan or strategy in place.

“According to research, this reduces the impact of an attack by 12%,” Muller said.

“Making sure that a strategy is written down, and that your people and processes are prepared reduces the threat but also helps your staff to know what to do if something does happen.”

But what should these policies and strategies include?

“From what I’ve been reading, a lot of the focus has traditionally been around the technology itself,” Muller said.

“But now the people processes are equally as important as the technology.

“It’s also important that the policy should be interwoven through the whole people strategy, and be included in employee inductions and training.”

Muller added that a huge amount of damage comes through third-party contractors.

“Employers must be aware of how to set up their network so that users don’t open up any threats,” he said, referring to last year’s hacking of US retail giant Walmart.

“The Walmart hack came in through third-party air conditioning contractors,” Muller told HRM.

“Their use of the system allowed hackers to find a way into the Walmart network because the company didn’t have the right processes in place to protect itself. This left the customer data visible and allowed it to get swiped.”

He suggested that companies need to implement policies around how contractors attach themselves to the network and what to expect if a security breach does occur as a result of it.

“The nature of the policy should depend on how deep the contractors have to go into the business,” Muller said.

“If they are bringing in devices and connecting those in, they need to make sure they’re receiving the same sort of training as ordinary staff.”

Muller reiterated that IT security should be treated in exactly the same way as physical security.

“You wouldn’t just let random people walk into the office block – you get them to sign in at reception and leave them there until the appropriate person collects them,” he explained.

“Employers need to maintain responsibility for guests, and they will have agreed to the online equivalent of the health and safety policies.

“Do you let people wander around your workplace randomly? Would you leave the door open at night? Employers need to have a process in place that regularly re-secures its systems – much like many workplaces would have an automatically updating alarm code.”

Across OECD countries, a hack costs an average of $154 per stolen record, and the average hack loses between 18,000 and 20,000 records.

“So we’re looking at hundreds of thousands of dollars in costs,” Muller said.

“Costs include legal, compliance and response, and factors in – depending on sector – the customer costs from the loss of business.”

“Research is telling us that the consequences can be very expensive – we need to be moving the discussion into business rather than keeping it around how to secure our firewalls and computers.

“That’s not going to save your organisation.”