Here is what we're working on and
thinking at Hedgehog security.

Everyone is vulnerable to being exploited by hackers, so businesses need to ensure they have the correct technical backing to help fight them off. Hacking is most definitely becoming a money-making game: cybercrime is increasing year on year and costs businesses dearly. Oxford Economics reports that the average large business loses £120m when it is hit by a hacking attack; averaged out across the economy, that means around £4m per business, per year, is attributed directly to hacking. Cybercrime is not all about losing money; it’s also about the reputation of businesses. Being hacked and having clients’ information divulged can be damaging to a business, and it can take years for its name to recover. Even big businesses like TalkTalk are still fighting to save their reputation after 150,000 customer records were compromised in 2015.
In May 2017, the NHS was sent into despair after a widespread ransomware attack that saw staff locked out of computer systems. The only way they could access their computers was to pay a bitcoin ransom. Some did pay, although very few. Although this was resolved within a few days, it was the incalculable cost of cancelled operations and missed appointments that affected the NHS the most. No one really knows how the attack spread; many professionals have tried to work it out, but no one can agree. We can only assume that the reason the attack was stopped and sorted within a few days is down to better software and well-trained technical staff, which backs up the opening point that HR plays a crucial role in finding the right people to help prevent such attacks in any type of business.
This is echoed by Claire Logan, head of people and talent at PA Consulting Group, who says: “HR has a critical role in cyber-security. Too often, IT teams care passionately about it, but don’t know how to communicate that passion to other employees.” “We cannot protect organisations only through technology,” adds Peter Cheese, chief executive of the CIPD, which last year teamed up with the Department for Culture, Media and Sport to launch an e-learning tool to help the HR profession tackle cyber threats. “An awful lot of it is human behaviour and action.”
Government research discovered that, while almost two-thirds (65 per cent) of large UK businesses had fallen victim to a cyber-security breach in the space of a year, just 17 per cent were training staff on the issue.
Because of the increasing number of cyber-attacks, the National Cyber Security Centre in London was launched. One of its roles was to increase awareness of cyber-attacks, as well as showing businesses the broadening scale and complexity of threats and what actions need to be taken. It’s important to remember that no two cyber-attacks are the same. The NHS attack, nicknamed WannaCry, was most likely spread via a worm that exploited vulnerabilities in the network. There are also more pressing attacks, known as targeted hacking: for example, malware in the form of spam emails, or fraudulent, convincingly crafted messages aimed at persuading finance departments to authorise payments. These targeted attacks can be so convincing that many fall victim to them.
We must also remember ‘phishing’, which nowadays is one of the most used methods and draws on researching individuals through social media. People put a wealth of information about themselves on their Facebook/LinkedIn/Twitter feeds, making it easy for hackers to find personal information which they can use to make their emails seem more genuine. Threats don’t necessarily need to be cyber. A major London law firm discovered that the TV in its boardroom was secretly relaying an audio feed to an external source in a different country.
New figures from Willis Towers Watson suggest that 46 per cent of UK employees spent half an hour or less on cyber security training in 2016, with 27 per cent having done none. A new mindset towards learning may be required in this area. “We’ve got to move beyond this compliance tick-box approach, which has been used in various contexts over the years to say: ‘Well, we’ve done our training because we’ve ticked a box and everybody’s done their e-learning course on anti-bribery or corruption or modern slavery’ or whatever it might be,” says Cheese.
Consultancy firm PwC, for example, recently launched Game of Threats, a digital game designed to mimic a cyber-attack on an organisation, as a learning tool for clients. “Game of Threats engages people in a scenario, in a playful, gamification of cybersecurity,” says Anthony Bruce, HR consulting partner at PwC. “It’s about engaging people in a way that is stimulating, fun, not traditional, not sitting in front of a screen pressing buttons.” Cheese believes the trick to creating training that lands is to link it to how cybercrime could affect staff in their personal lives. “Make them feel: ‘Gosh, this affects me just as much as it affects the organisation’, then you create that buy-in and engagement much more strongly than just presenting this as a rather dull corporate thing,” he says.
No matter how good your IT department is and what software you’re using, it will only be able to protect a business if the whole company complies with a culture of securing details, covering, for example, putting information on social media or using work computers for personal use. To make a real difference to cybersecurity, businesses need to work closely with HR departments and see it as a cultural change activity rather than just a one-off.
Studies suggest cyber awareness among the public at large is still low. In 2016, researchers at the University of Illinois dropped USB sticks around their campus; 98 per cent were picked up and people opened files on 45 per cent of the sticks, sometimes within six minutes of the device being planted. When asked why they had accessed the files, the majority (68 per cent) said they were trying to locate the drive’s owner, although 18 per cent admitted they had given in to curiosity. Bruce says: “We’ll know we’re getting there when, if you’re in a meeting and there’s a USB stick on the table and you want to return it to the owner and go to stick it in your computer, somebody says: ‘Hang on. Do you know where that came from and do we know what’s on it?’”
Building that strong cyber culture involves HR not just in improving learning outcomes, but in sourcing expertise. Recruiter Robert Half Technology says 77 per cent of CIOs fear they will face more security threats over the next five years because of a lack of skilled staff. IT security vacancies increased by 6.2 per cent in the year to April 2017, as businesses scrambled to protect themselves from hacks. “HR must take an active role in ensuring businesses have access to expertise to protect against cyber-attacks,” says Ann Swain, chief executive of the Association of Professional Staffing Companies. “This includes the recruitment of IT specialists to ensure systems are secure. HR directors must communicate the need for resource in this area and advise on the potential consequences if adequate skills are not in place.”
Of course, not every staff member is on the organisation’s side in the battle against cyber-attacks. An increasing number of attacks can be attributed to malicious insiders. “In most cases, there were warning signs before they happened and those signs were ignored. It’s a case of: ‘I always thought this individual was acting strangely, but I didn’t think I could tell anyone,’” says Nick Seaver, information and technology risk partner at Deloitte. “HR are great at being the people who can both look for the flags that indicate someone is a risk to the organisation, and help create a culture where people feel empowered to raise a suspicion.” Throw in the large number of contractors and contingent workers who supplement full-time employees and this vigilance becomes even trickier. “Ensuring contingent workers have completed the same training, that we know who they are and have the same amount of confidence that they don’t have malicious intent is important,” says Bruce. “Because of the turnover in that kind of work, it can be a crucial back door into organisations.” With experts warning it is a question of when, not if, a WannaCry-scale attack is repeated, breaking down the silos that keep IT and HR apart is a matter of urgency.