Why HR should work more closely with IT

CHRO Community Conversation explores HR’s role in cybersecurity


CyberSec (Pty) Ltd - MD Nathan Desfontaines (Video Conference)

Cybersecurity expert Nathan Desfontaines explained why HR should work more closely with IT.

It is often said that people are the weakest link in cybersecurity. With the current mix of working from home, modified office spaces and (financial) stress, criminals can use social engineering to target workforces. This has been evidenced by the ever-increasing frequency of data breaches where human error is often either a cause or a catalyst.

This was the topic for discussion in this week’s CHRO Community Conversation, which was hosted in partnership with Workday. CHRO SA MD Joël Roerig introduced CyberSec’s MD, Nathan Desfontaines, who led the discussion on the human component of cybersecurity and why IT is not the only department that should feel worried or responsible.

“The CEO of Experian SA recently argued that his company was ‘in no way, shape, or form’ hacked, but that a clever criminal convinced them to part with their data. Nathan later created a social media post explaining that this indeed qualified as a hacking incident. According to Nathan, hacking is not only the result of a technical vulnerability,” said Joël.

Nathan then proceeded to provide an overview of the threats that HR leaders need to be aware of given the extent to which employee errors, negligence or ignorance can leave a company vulnerable to major financial and reputational damage caused by cybercrime.

Nathan said there has been an increase in cyberattacks in the last 12 months, including one on the City of Johannesburg’s website, which was hacked with ransomware with the aim of extorting the city for Bitcoin payments. There were also a number of breaches among banks and internet service providers, which suffered denial-of-service attacks and data breaches in the same week that the COJ experienced its breaches.

“Liberty announced that they had been breached and a large amount of data had been exfiltrated and that this was followed by a ransom note. There have also been victims in the healthcare sector where South Africa’s second-largest private hospital operator in SA, Life Healthcare Group, announced that, while in the midst of the Covid-19 outbreak, it had been the victim of an attack,” said Nathan, adding that data had overtaken oil as the world’s most valuable resource.

That is why there has been an increase in social engineering which, by definition, is the use of deception to manipulate individuals into divulging confidential or personal information.

Why would that happen to us?

Nathan said that, while companies were well protected with firewalls and intrusion prevention systems, they aren’t geared for the phone call to the HR or finance department. He said this had completely blindsided a lot of companies that had great tech but were nevertheless still vulnerable to their employees falling victim to relatively rudimentary attacks.

Said Nathan: “Over a decade ago, companies were targets of viruses, worms and trojans, and over time that quickly evolved into very sophisticated attacks like ransomware attacks. That led to companies spending heavily to protect themselves against sophisticated cyber attacks. However, while we were all gearing up for the digital war, to ensure that organisations have the right tech, tools, and capability to withstand even the most sophisticated of attacks, it seems that cybercriminals began targeting the low-hanging fruit – employees.”

Nathan said it is often the case that people and, by extension, organisations, wait to suffer a breach before they take cybersecurity as seriously as they should. That happens because people tend to think an attack is unlikely to happen because ‘why would somebody attack me? I’m just an average Joe’. Nathan said that attitude exists, not only in people’s corporate environments but also in their personal capacities. And that mentality of not investing in security because of the perceived unlikelihood of an attack is a huge weakness that cybercriminals exploit.

Collaborate more closely with IT

“In the cybersecurity community, we say there are two types of companies. One is a company that has been hacked and is aware of it, and the other is the type that has been hacked and is not aware of it. And the important point to note about the latter is that ignorance is not security.”

The second reason why cybersecurity is not top-of-mind in many organisations is that there are mixed messages. Providers of cybersecurity solutions sell them as a silver bullet that will solve all of a client’s concerns. As a result, organisations and individuals alike believe that once they purchase that particular solution, they have covered the bases and no longer have to worry about cyber threats.

During the breakaway sessions, HR leaders had the opportunity to share experiences and ideas with one another around the steps they are taking to ensure their people are educated about their responsibility to prevent cybercrime. They also discussed the vulnerabilities created by working from home and how HR leaders can collaborate more effectively with their IT counterparts to prevent cybercrime.

Nathan closed the discussion by saying that the cybersecurity community had overestimated the impact that working from home would have on the number of attacks: “We prepared for Armageddon when we realised that there would be an increase in remote working.” However, expectations far exceeded reality in terms of what that meant for businesses because there simply had not been as many breaches as anticipated. Nathan said, however, that this could simply mean that “either the breaches have happened but are yet to be identified, as organisations’ current monitoring and reporting capabilities do not have the required visibility; or there is possibly an inherent level of security by means of workforce distribution.”

“Maybe we just haven’t realised those breaches yet, meaning we may only start seeing their impact happening as more employees return to offices.”

Original Post CHRO South Africa