The WannaCry attacks last month may have been the most high-profile case of ransomware being used to extort money from companies, governments, and individuals, but it is nowhere near the only one. Ransomware is now used thousands of times a day, according to the US government, which means that all employees should be well aware of the threat and how to combat it.
And this is where HR comes in. Ransomware is — and should be — a major concern for HR departments; HR professionals are particularly vulnerable to such attacks, as they are often accustomed to receiving and opening innocuous emails from outside the company. Cybercriminals know this and often target firms through their HR departments with malicious software disguised as a job application, résumé, or invoice. A recent phishing attack that compromised thousands of current and former employees at the newspaper publisher Gannett, for example, exploited this vulnerability.
The other reason HR needs to pay attention to cybersecurity is that rank-and-file employees are one of a company’s foremost lines of defense against hacking.
While executives may think of cybersecurity as primarily an IT issue, cybercriminals also know that one of the easiest ways to penetrate a company’s digital defenses is through employee error. Phishing is particularly frustrating because even the most advanced, state-of-the-art security controls can be circumvented if employees make an avoidable mistake as simple as opening an email attachment they shouldn’t.
How HR Can Help
The key to preventing attacks is to bring about behavior change and tailor campaigns to specific employee segments. Many employees who fall victim to ransomware attacks have already completed mandatory cybersecurity training, but had they truly learned the lessons of that training, it’s more likely they wouldn’t have opened the suspicious email that got them and their firm into all that trouble.
Promoting employee awareness of information security is thus a perennial challenge for information security teams, who are hopefully coordinating their employee training programs with their colleagues in Learning and Development. L&D teams, who specialize in changing employee behavior, can collaborate with the information security team to figure out how to make this cybersecurity training more compelling and memorable.
Part of the challenge here is convincing employees to really care about cybersecurity. It’s one thing to explain the consequences of a data breach to the company, and quite another to get employees to understand what’s at stake for them.
Some companies use negative incentives or punishments (e.g., revocation of IT privileges, formal or informal warnings, or even marking employees down on performance scores), but this tactic comes with many problems. It’s often hard to identify who’s at fault for a breach, negative incentives won’t work in all corporate cultures, and revoking IT privileges from certain types of workers (like researchers who need email and internet access to do their jobs) would be extremely counterproductive. Of course, positive incentives exist as well, but they usually have less of an impact than punishments.
There is no easy solution to this challenge, unfortunately, but the most successful approaches center around embedding respect for cyber and information security into an organization’s culture — a more daunting task than simply establishing protocols. Team “climate” is most likely to determine good behavior on data privacy among employees. Specifically, employees tend to look at their peers to decide how difficult such behavior is and whether they should engage in it.
Facilitating a team climate that supports privacy behaviors is much more effective than focusing on awareness or controls.