Friendly fire

In today's rapidly evolving cyber-security landscape, organisations can't afford to limit their defence to only external attacks. Internal threats stemming from employee actions also need to be dealt with, through coordinated efforts between HR and the IT department.

A receptionist at a large

A receptionist at a large, international charity received an email from a supplier who seemed familiar to her.

Attached was a legitimate-looking invoice, which she opened without suspicion.

Unbeknownst to her, the PDF file went on to infect the network with “ransomware”, a programme that blocks all access to the system until a sum of money is paid.

The April incident threatened the entire non-profit organisation’s functionality, as the ransomware was also  designed to read and encrypt internal files.

Forged emails like these are one type of sophisticated phishing attack by cyber-criminals who are able to mimic the writing styles of people an employee knows, thus encouraging them to open attachments or click on malicious links.

“Even the best-trained employees are vulnerable to these forms of socially engineered attacks,” reads a report by online security firm Darktrace, which helped the charity in the aftermath of the attack.

Darktrace was able to flag the receptionist’s computer for anomalous behaviour when it contacted a Ukrainian server to download the strange file, and the company quickly contacted the charity to take the infected computer offline.

Such cases of insider threats – where an employee’s action exposes the company to cyber-attacks – have unfortunately become the rule in organisations today, rather than the exception.

Given the increasingly complex security landscape and growing sophistication of cyber-criminals, traditional perimeter defences are no longer enough to protect a network.

Companies now need to look inward as well, and strengthen their defences against insider threats.

Eric Meyer, CEO of Apvera, which offers a cyber threat intelligence platform, says more and more cyber-security breaches these days have been proven to be employee-related.

“People are not just a company’s greatest asset but also their biggest vulnerability,” he says.

Within the firewall

Last year, large global companies including JP Morgan Chase, T-Mobile and Sony were hit by massive data breaches originating from within the organisations themselves.

Most security tools today focus on identifying malware-initiated attacks, but insider breaches are committed by employees with valid data access privileges.

“Insiders already have access to your network, understand security protocols, and have permissions to access sensitive data,” says Meyer.

Tiffany See, Vice President of HR, Commercial Sales, for Asia-Pacific at data storage provider Dell EMC, says even when companies have the latest security controls and software, there are still risks. “All it takes it just one click from an uninformed employee to give access to threat actors and circumvent the technologies,” she says.

Vital to addressing such risks is to proactively monitor user activity and flag alerts for unusual behaviour.

One major insider threat comes from the Bring Your Own Device (BYOD) policies that many organisations have in place, allowing staff to use their own smartphones, tablets and laptops at work.

This combines dangerously with a laissez-faire attitude that many staff have toward cyber-security in their personal lives.

In a Singapore poll, digital security company Gemalto found that employees across the country look for the quickest and easiest way to do things online – even if it puts systems at risk.

“Out of 76% (of 500 respondents) who use personal devices to access work emails, only half were required by their company to implement security measures such as regularly changing passwords,” says Yeo Eng Sheng, Gemalto’s HR Director for Southeast Asia, Oceania, and Japan.

More than 45% of respondents had also downloaded an unverified app onto a work device, with one-third doing so without the knowledge of their IT department.

In addition, almost half of Singapore workers had not gone through any security training in the workplace.

New types of attacks are also catching staff, and their employers, unawares.

HR and IT: A dynamic duo

While insider threats cannot be completely removed, effective employee management can curtail much of the risk.

HR hence needs to partner with both senior management and the IT department to prevent human vulnerabilities from being exploited.

“Nobody can constantly watch what employees are doing – unless you use a technology to help you detect, analyse, and engage possible threats,” says Meyer.

For India-headquartered telecommunications solutions provider Tata Communications, HR practitioners play a role in building a sustainable security culture.

This starts right from the recruitment process.

“A thorough background check helps eliminate prospective threats right at the start,” says Aadesh Goyal, Global Head of HR.

The learning and training team also puts all employees through mandatory online and on-ground training programmes in information security, Goyal says. HR’s role at the company also extends to investigating potential internal threats and reporting to the IT and legal departments.

Dutch firm Gemalto, which employs 1,400 people in Singapore, is also concerned about internal threats. Its online security team joins forces with HR to ensure employees are aware of the threats and take preventive steps to minimise the company’s exposure to them.

The secrets of workplace resilience
HRM Asia - 20 Feb 2018
Through years of extensive research, Graeme Cowan has discovered how companies can help their workforce stay emotionally strong
Inside Shopee's journey from startup to retail sensation
HRM Asia - 15 Feb 2018
Shopee encountered many resource challenges in its early years. Its Chief Commercial Officer Junjie Zhou shares how he guided the company to steadier ground.
Leaders on leadership: Rolls-Royce's regional director
HRM Asia - 14 Feb 2018
Paul Harris, Rolls-Royce Motor Cars' Asia-Pacific Regional Director reveals the company's workforce plans for 2018.
How Medtronic turned business strategy into talent strategy
HRM Asia - 13 Feb 2018
Change agility and cultural diversity are two of Medtronic's main goals for 2018. Its HR Director Binayak Bagchi shares more.
Forecasting 2018's top three HR trends
Yamini Chinnuswamy - 12 Feb 2018
With transformation still a key theme, we take a look at the three towering issues that could well reinvent HR practices this year.
Up close and personal with a regional head of HR
Kelvin Ong - 09 Feb 2018
British American Tobacco's Asia-Pacific Head of HR Ji Yoon Chung gets candid.