The “WannaCry” ransomware cyberattack that began spreading last Friday quickly affected over 300,000 machines in 150 countries, mostly in Europe and Asia, making it the largest such attack in history and putting in stark relief the threat cybercrime now poses to organizations around the world. WannaCry exploited a vulnerability in outdated versions of Microsoft Windows, and as Washington Post tech writer Brian Fung explained earlier this week, some businesses were hit particularly hard because of a simple lack of resources and attention. There’s no question that if the affected businesses had kept their Windows systems up to date, they would have been protected from this threat, but doing so is often a lot less straightforward than many would assume, especially if cybersecurity isn’t properly ingrained in a company’s culture, or when cybersecurity efforts or IT upgrade initiatives lack the resources they need.
While the WannaCry attack appears to have been more sophisticated than a typical phishing scam, the majority of ransomware attacks (in which the attacker encrypts certain files on a user’s computer, locks them out of vital programs, or freezes their desktop, then demands payment to undo the damage) are conducted through phishing—a confidence scam in which the user is tricked into giving personal information or loading malicious software via email.
Why HR Should Care
Ransomware is—and should be—a major concern for HR departments: HR professionals are particularly vulnerable to such attacks, as they are often accustomed to receiving and opening innocuous emails from outside the organization. Cybercriminals know this and target organizations through their HR departments with malicious software disguised as a job application, résumé, or invoice. A recent phishing attack that compromised thousands of current and former employees at the newspaper publisher Gannett, for example, exploited this vulnerability.
The other reason HR needs to pay attention to cybersecurity is that rank-and-file employees are one of an organization’s foremost lines of defense against hacking.
While executives may think of cybersecurity as primarily an IT issue, cybercriminals know that one of the easiest ways to penetrate a company’s digital defenses is through employee error. Phishing is particularly frustrating because even the most advanced, state-of-the-art security controls can be circumvented if an employee makes an avoidable mistake as simple as opening an email attachment they shouldn’t.
How HR Can Help
At the CEB Information Risk Leadership Council, our main teaching on employee security awareness is that you have to actually incite behavior change and tailor campaigns to specific employee segments. Many employees who fall victim to ransomware attacks have already completed mandatory cybersecurity training, but had they truly comprehended and internalized the lessons of that training, it’s more likely they wouldn’t have opened that suspicious email.
Promoting employee awareness of information security is thus a perennial challenge for information security leaders and their teams, who are hopefully coordinating their employee training programs with the Learning and Development function. The L&D function, whose expertise is in behavior change, can collaborate with the Infosec function to figure out how to make these trainings more compelling and memorable.
Part of the challenge here is convincing employees to really care about cybersecurity. It’s one thing to explain the consequences of a data breach to the company, and quite another to get employees to understand what’s at stake for them. Some companies use negative incentives or punishments (e.g., revocation of IT privileges, formal or informal warnings, or negative impact on performance scores), but this tactic comes with many problems: It’s often hard to identify whose fault a breach is, negative incentives might not work in your corporate culture, and revoking IT privileges from certain types of workers (like researchers who need email and Internet access to do their jobs) would be extremely counterproductive. Of course, positive incentives exist as well, but usually have less of an impact than punishments.
There is no easy solution to this challenge, unfortunately, but the most successful approaches we’ve seen center around embedding respect for cyber and information security into the organization’s culture—a more daunting task than simply establishing protocols. Last year, the CEB Data Privacy Leadership Council looked into what determines good privacy behaviors among employees and found that they are chiefly driven by the team climate. Specifically, employees tend to look at their peers to decide how difficult such behavior is and whether they should engage in it. Facilitating a team climate that supports privacy behaviors is much more effective than focusing on awareness or controls.
Executives who wish to learn more about how to prevent data breaches and mitigate cyberthreats can check out the Executive Guidance CEB (now Gartner) produced on the topic last year. Also don’t miss the great work from our new colleagues at Gartner on the three things organizations should do immediately in the wake of WannaCry and how to address threats in today’s security landscape.