Security and the HR role Seminar
HR and Security – A marriage made in Heaven?
Dr Moira Bailey
Senior Lecturer and Programme Leader
Robert Gordon University
BACKGROUND
• Traditionally security has focussed on:
– Physical assets
– Information security
• This has to change – for various reasons:
– The current global situation – we have heard from Graham about this: Brussels, Paris
– The Insider threat – increase in emphasis
– Increased focus now on the people element with regard to security – the security services are ‘coming out of the dark into the light’
EXECUTIVE CONCERNS
Increasing focus on violence occurring in the workplace both from internal and external sources
Recent Terror events in various locations throughout Europe
Media Spin Opinion and Frenzy
Politics Complexity of the issues from privacy to religious expression
Overlapping executive responsibilities – Security, HR, Legal, IT and Law enforcement
WHAT DOES ALL THIS MEAN?
• The organisation should be prepared for unexpected events – continuity needs to be maintained
• The organisation needs to be protected against unexpected events
• Organisations need to be aware that the people within the organisation can become a threat to the organisation and the other people in it (as well as other stakeholders eg visitors, contractors)
• Good security will help achieve this
HR FUNCTIONS
• Recruitment
• Training and Development
• Employee Relations
• Compensation and Benefits
• These are all governed by legislation (a good start) ………. BUT
• What are the security implications within the functions? eg in terms of T&D, employees are often given training with regard to company information being confidential, but are employees trained in how to recognise changes in colleague behaviour which might indicate radicalisation?
WE NEED TO LOOK AT OURSELVES
• Does HR work in a silo? – Perceptions – Police, ‘No’ people, Party Planners
– Compliance and Regulations, Administration driven
– Distant and Aloof
• We need to ask ourselves some hard questions
• Do we recognise ourselves?
• Is this how we are perceived?
• Are we happy with this?
• What impact could these perceptions have on the security within an organisation?
HR’S ROLE?
• It therefore must involve:
– PROTECTING THE ORGANISATION THROUGH ITS PEOPLE
• This can be achieved through recruitment, selection and induction functions
– PREPARING THE ORGANISATION THROUGH ITS PEOPLE
• This can be achieved through the training and development function
• Appropriate business continuity processes
THE FUNCTIONS OF HR
• Recruit
• Induct
• Retain
• Develop
• Exit / Move Internally
• Wellbeing, H&S
• Relations
• Reward
… and a cousin of the above: Security
HR MUST ENSURE ……………..
RECRUITMENT (INCLUDING INTERNAL) AND INDUCTION
• Pre-employment screening: guidance document
• Risk Assessment for personnel security: a guide (June 2013)
• On-going personnel security: a good practice guide (April 2014)
• Investigating employees of concern: a good practice guide (March 2011)
• Workplace behaviours
These guidance documents can be downloaded from www.cpni.gov.uk
TRAINING AND DEVELOPMENT
• Training and Development
– Managers and Staff need training to fulfil the requirements of the human aspect of BCP
– Managers and workers trained to raise their awareness of potential security issues including insider threat
– Managers and workers trained to identify potential security issues
– Managers and workers trained on the use of appropriate reporting procedures
– Managers and workers trained to be vigilant – employee behaviour displays attitude towards security
– Training must be ongoing – people forget
Guides available from the CPNI website
BUSINESS CONTINUITY PLANNING
• Business Continuity Planning – the human aspect
– Though this generally helps prepare the organisation, knowledge of these elements can help protect it too, eg knowledge of staff can alert the organisation to a potential Insider Threat
IT’S A BUSINESS ISSUE
Post 9/11
• At one firm in the financial district, 43% of staff were at risk of PTSD – 9 months later 21% were still suffering
• The threat of terror attacks can affect employees – resulting in loss of productivity, absenteeism, missed deadlines, inability to make decisions
Post Oklahoma Bombings
• Half the survivors developed anxiety, depression and alcohol problems, and 33% suffered PTSD
• A year later Oklahoma still had increased alcohol problems, stress and PTSD
Post London July 7 2005
• People did not want to travel on tubes
• High levels of stress in London’s population – victims, witnesses and others
• Negative world view
Post Super Puma Crash 2013
• "personally refuse" to get into a Super Puma
• will consider a job change
• reservations about taking the helicopter again
• refusing point blank
• "But you are then put between a rock and a hard place because if you don't go to work you can't support your family, pay your mortgage etc"
BCP
• Policies and Communication – sick leave, flexi time, travel, communication strategy - conference calls, television and radio, review current systems eg EAP
• Employee education and support – teach employees how to prepare for and respond to different types of disasters, cascading information, training in implementing emergency procedures, support networks, counselling. Management training on managing stress, coping with grief and grieving families, counselling and consulting resources (internal as well as external), adjusting performance expectations
• Virtual infrastructure – offsite working – remote access to software and data files
• Job training – crisis response training materials, job shadowing, mentoring
• Talent management – replacement of key personnel, business critical roles, succession planning
THE HUMAN ASPECT OF BCP
(Slide diagram: needs listed top to bottom, with the phase labels ‘During the event’ and ‘After the event’ alongside)
• Challenge beliefs, create meaning, explore lessons learned and communicate them
• Recognition from others, supporting acts of courage eg returning to scene or work
• Creating a supportive recovery environment encouraging family and organisational group support structures
• Physical safety eg contact details, getting people home, freedom from threat
• Emergency personnel on site, food, shelter, water, warmth, sleep
HOW ARE PEOPLE LIKELY TO BE AFFECTED ?
Cognitive reactions:
Loss of faith
Impaired memory/concentration
Confusion/disorientation/denial
Impaired decision making
Reduced confidence/ self esteem
Hypervigilance
Physical reactions:
Insomnia
Headaches
Reduced appetite/libido/energy
Hyperarousal
Emotional reactions:
Shock/numbness
Fear/anxiety
Survivor guilt
Anger/Helplessness/Hopelessness
Social reactions:
Withdrawal
Irritability
Interpersonal conflict
Avoidance
HOW PEOPLE REACT TO TRAUMA
Security culture
(Slide diagram: the elements of a security culture and what to look at for each)
• Past Events – past events (relating to security and people) talked about inside and outside the company, eg security breaches that may be laughed about
• Power Structure – people who have the greatest amount of influence on decisions, operations, and strategic direction (relating to security)
• Control Systems – financial systems, quality systems, and rewards relating to security – not just financial – does security pervade all departments of the organisation?
• Org Structure – this includes both the structure defined by the organization chart, and the unwritten lines of power and influence, eg is the role of security valued? Why? Why not?
• Daily Behaviour – daily behaviour and actions of people that signal acceptable behaviour, eg employees ignore visitors walking through the building
• Symbols – visual representations of the company, eg how rigid are the security checks
FOSTER A SECURITY CULTURE – THE ANSWER?
THERE IS A BUSINESS CASE FOR A SECURITY CULTURE
• Increased employee engagement
• Reduced risk and vulnerability
• Reduction in theft of materials or company information
• Reduced risk of reputational or financial damage
• Low cost interventions
• Improved organisational performance
What does/should security expect from HR?
• An understanding of the term ‘security’ and its relevance in the contemporary workplace
• An appreciation of the scope of security in the contemporary workplace
• HR expertise and the role that can play in ensuring a secure environment
• Working together
• The influence of HR throughout the organisation to promote a security culture
What does the security function want from HR?
Colin Brown
Security Manager
CRB Consultants
Security – It’s Your Business
Colin Brown
Security?
The Duke of Hindsight
HR and Security – You decide
Platform for Success
Security Posture
Risk – roll the dice
Recruitment and Management
Exit Interviews
Conclusion
Demystifying Data Protection Law
Ross McKenzie
Data Protection Practitioner
Burness Paull LLP
Oil & Gas UK – Security and the HR Role - 20 April 2016
Aberdeen
Edinburgh
Glasgow
The Balancing Act of Handling Requests
Relevant Rules
• Data Protection Act 1998 regulates use of personal information, based on the “right to privacy”.
• Gives rights to individuals and imposes obligations on organisations which handle personal data.
• When asked to supply personal information by police, how do you balance an individual’s right to privacy?
The Balancing Act
• Section 29 of Act gives organisations an exemption which can be relied on where disclosure is for:
– the prevention or detection of crime; or
– the apprehension or prosecution of offenders.
• Can only be used where not disclosing is likely to prejudice these purposes.
• Not an absolute right – should ask for a justification in a “section 29 notice”.
What do you give?
• Whilst the exemption can be relied on, an organisation is still required to comply with other provisions of the Act insofar as they can, such as:
– Only providing information which is strictly required; and
– Supplying it securely – the biggest fines are for security breaches.
A Closer Look at Monitoring in the Workplace
Barbulescu v Romania
• European Court of Human Rights case (Chamber judgment, January 2016) confirmed that monitoring of an employee’s use of a messenger service on Company IT did not breach their privacy rights.
• Relied on:
– Internal Company rules.
– Company access was limited – it only viewed messages to verify the employee was working, following reasonable suspicions.
• Not free rein!
• Note: the Grand Chamber of the ECtHR revisited this case in September 2017 and found a violation of Article 8, so the position summarised here (current at the date of this seminar) is no longer the final word; the practical lesson that monitoring needs a clear, communicated policy and a limited scope still stands.
Top Tips
• Have a clear Company policy on monitoring.
Examples include:
– IT and Security Policies;
– General Data Protection / Privacy Policy; or even
– Employment Contracts.
• Ensure policy is communicated to staff!
• Consider application to home devices.
Changes on the Horizon for the Industry
General Data Protection Regulation – Summer 2018
• Changes relevant to security include:
– A requirement to document and consider privacy impact in processing which uses sensitive data;
– Self-reporting of security breaches required for certain breaches;
– Greater requirement of “accountability”; and
– Increased penalties (up to 4% of annual worldwide turnover).
Network and Information Security Directive
• Requirement for critical infrastructure operators to take appropriate security and organisational measures to manage cyber security risk.
• Requirement to report cyber security breaches.
• UK will have to implement a NIS strategy to comply with the Directive.
Ross McKenzie
Data Protection Practitioner
Direct Dial: +44 (0)1224 618550
Mobile: +44 (0)7876 861 828
Email: [email protected]
We’d like to hear from you....
Cyber Security from an HR perspective
Milan Taylor
Partner
Mercer
© MERCER 2016 51
HEALTH WEALTH CAREER
APRIL 20th 2016
RISKY BUSINESS: PROTECTING HR DATA IN TODAY’S HACKER-PRONE WORLD
Milan Taylor, Partner
TOPICS WE WILL ADDRESS TODAY:
• The issue at hand
– It’s a major business issue
– It is likely here to stay
• Inside and Outside: Where are the Threats?
• Where Technologists Fit In: What Vendors Tell Us
• Conclusions
CYBER RISK IS A RACE WITHOUT A FINISH LINE…
• 81% of large businesses in the United Kingdom suffered a cybersecurity breach during the past year
• The average cost of breaches has nearly doubled since 2013
CYBER TERRORISTS:
• Have accessed the records of 21.5 million American public service employees
• Infiltrated the German parliament’s network
• Blocked a French national television broadcaster’s 11 television channels for several hours
• Compromised the operations of 1,000+ energy companies in 84 countries, with one mouse click crippling:
- Wind turbines
- Gas pipelines
- Power plants
Sources: Raj Bector, Claus Herbolzheimer, Sandro Melis and Robert Parisi, “Why Hackers Could Cause the Next Global Crisis”, Cyber Risk Handbook 2015, Marsh & McLennan Companies, 2015.
A CLEAR AND PRESENT DANGER: WORLDWIDE
• 116 cyberattacks daily
• Rate of attacks has grown 23% yearly since 2010
• The average annual cost of cyberattacks has risen 17% yearly – reaching $9 million per business
• Costs businesses more than $400 billion a year – a sum broadly equivalent to the GDP of Austria or Thailand.
• The most recent Global Risks report ranks cyberattacks as one of the top 10 risks most likely to cause a global crisis.
• Cyberattacks were ranked as the top risk for which North American respondents felt their countries were least prepared.
Sources: Center for Strategic and International Studies/McAfee, Net Losses: Estimating the Global Cost of Cyber Crime (2014); World Economic Forum, Global Risks 2015 (2015); Symantec Internet Security Threat Report; Ponemon 2012, 2013 Cost of Cyber Crime Study; The Global State of Information Security® Survey 2014; The Betterly Report, Cyber/Privacy Insurance Market Survey 2013; Cybersecurity Market Report by MarketsandMarkets, June 2012.
JANUARY 20, 2016 – TaxAct alert: Outsiders got into accounts
Online electronic tax filing service TaxAct alerted 780 Californians that their accounts had been accessed by outsiders – presumably thieves trying to steal personal information and obtain user tax refunds. Information involved:
• Names
• Social security numbers
• Addresses
• Driver’s license numbers
• Bank account information
CYBER RISK: IT’S NOT JUST FOR IT ANYMORE
• It is a Board-level governance issue
– Requires the engagement of the full executive leadership team to address.
• Everyone (including HR)
– Requires a comprehensive, multidimensional approach
– Addresses people, processes, and vendors
• Prevention and Recovery
– Prevention tactics
– Response and recovery plans
THE EXTENT OF THE ISSUE: IMPLICATIONS FOR HR
• 50 billion connected devices in the world by 2020 – 6.5 devices for every person on the planet. Many will be in the workplace. All are hackable.
• Implications for HR
– Think “permanent enterprise risk” not “isolated IT event.”
– Plan your workforce cybersecurity strategy
- Know your people
- Educate
- Monitor sentiment
Source: DHL/Cisco, Internet of Things in Logistics (2015)
IT’S A PEOPLE ISSUE
• Awareness
• Compliance
• Understanding Sentiment
IT’S A PEOPLE ISSUE
(Three kinds of insider, as laid out in columns on the slide)
• Accidental – unaware; negligent
• Renegade – knows and ignores; tech-savvy
• Malicious – malcontents; seek revenge; seek £££; sabotage; espionage
WHEN INSIDERS ATTACK…
• 49% current employees
• 51% former employees
Source: Keeney, M., Cappelli, D., Kowalski, E., Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA: Carnegie Mellon University Software Engineering Institute / United States Secret Service.
WHAT RESEARCH TELLS US ABOUT INSIDER ATTACKS
1. Most likely triggered by a negative work-related event
2. Most perpetrators had acted out at work previously
3. Planned their activities in advance
Source: Keeney, M., Cappelli, D., Kowalski, E. Moore, A., Shimeall, T. and Rogers, S. (2005) Insider
Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA Carnegie
Mellon University Software Engineering Institute/ United States Secret Service.
GETTING STARTED…
(Process diagram on the slide, three stages)
• Analyse the Information – What data needs protection? Create “what if” damage scenarios
• Develop Information Security Requirements – Ascertain your appetite for risk
• “Mind the Gap” – Measure the gap between current and desired states; plan and execute a risk mitigation strategy
FIRST THINGS FIRST
1. Consider threats from insiders in risk assessments
2. Dedicate specific budgets and resources for insider-threat countermeasures
3. Execute background checks on all new hires
4. Track the access and use of highly sensitive/confidential accounts
5. Audit unusual online behavior
6. Deactivate sensitive systems access following employee termination
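Items 4 and 6 above are only as good as the check that proves they happened. The following Python script is an added example, not part of the original slides or of Mercer's material: it reconciles an HR leaver feed against a directory export and an access log, flagging leaver accounts still enabled past a deprovisioning deadline, sensitive-system activity by leavers on or after their termination date, and enabled accounts with no HR owner (which cannot be reconciled at all). The three inline CSV extracts are constructed for the example, as are the one-day deprovisioning grace period, the set of systems treated as sensitive, and the column names.

```python
"""Reconcile HR leavers against directory accounts and access logs.

Added example. The CSV extracts, the one-day DEPROVISION_SLA and the
SENSITIVE_SYSTEMS set are all constructed assumptions, not real data.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed HR leaver feed (employee_id, name, termination_date).
HR_LEAVERS = """employee_id,name,termination_date
E1001,Alice Example,2016-04-01
E1002,Bob Example,2016-03-15
"""

# Constructed directory export; svc_payroll has no HR owner on purpose.
DIRECTORY = """account,employee_id,enabled,last_logon
aexample,E1001,true,2016-04-04T09:12:00
bexample,E1002,false,2016-03-14T17:50:00
cexample,E1003,true,2016-04-05T08:01:00
svc_payroll,,true,2016-04-05T02:00:00
"""

# Constructed access log from the systems being tracked.
ACCESS_LOG = """timestamp,account,system,action
2016-04-04T09:12:31,aexample,hr-payroll,login
2016-04-04T09:15:02,aexample,hr-payroll,export
2016-04-05T08:01:10,cexample,hr-payroll,login
2016-03-14T17:51:00,bexample,file-share,login
"""

SENSITIVE_SYSTEMS = {"hr-payroll"}       # assumed: systems tracked under item 4
DEPROVISION_SLA = timedelta(days=1)      # assumed: time allowed to disable a leaver


def _rows(text):
    """Parse an inline CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _termination_dates(hr_csv):
    """Map employee_id -> termination date (midnight at the start of that day)."""
    return {r["employee_id"]: datetime.fromisoformat(r["termination_date"])
            for r in _rows(hr_csv)}


def stale_leaver_accounts(hr_csv, dir_csv, as_of):
    """Item 6: leaver accounts still enabled once the SLA has passed.

    as_of is an ISO date string ("YYYY-MM-DD") for the reconciliation run.
    """
    now = datetime.fromisoformat(as_of)
    term = _termination_dates(hr_csv)
    findings = []
    for acct in _rows(dir_csv):
        left_on = term.get(acct["employee_id"])
        if left_on is None or acct["enabled"].lower() != "true":
            continue                      # not a leaver, or already disabled
        deadline = left_on + DEPROVISION_SLA
        if now > deadline:
            findings.append({"account": acct["account"],
                             "employee_id": acct["employee_id"],
                             "days_overdue": (now - deadline).days})
    return findings


def post_termination_access(hr_csv, dir_csv, log_csv):
    """Item 4: sensitive-system events by a leaver on or after their termination date."""
    term = _termination_dates(hr_csv)
    owner = {r["account"]: r["employee_id"] for r in _rows(dir_csv)}
    findings = []
    for ev in _rows(log_csv):
        if ev["system"] not in SENSITIVE_SYSTEMS:
            continue
        left_on = term.get(owner.get(ev["account"], ""))
        if left_on is None:
            continue                      # account belongs to a current employee
        if datetime.fromisoformat(ev["timestamp"]) >= left_on:
            findings.append({"account": ev["account"], "system": ev["system"],
                             "action": ev["action"], "timestamp": ev["timestamp"]})
    return findings


def unowned_enabled_accounts(dir_csv):
    """Enabled accounts with no employee_id: they cannot be reconciled against HR."""
    return [r["account"] for r in _rows(dir_csv)
            if r["enabled"].lower() == "true" and not r["employee_id"]]


if __name__ == "__main__":
    for f in stale_leaver_accounts(HR_LEAVERS, DIRECTORY, "2016-04-20"):
        print("STALE LEAVER ACCOUNT:", f)
    for f in post_termination_access(HR_LEAVERS, DIRECTORY, ACCESS_LOG):
        print("POST-TERMINATION ACCESS:", f)
    for a in unowned_enabled_accounts(DIRECTORY):
        print("ENABLED, NO HR OWNER:", a)
```

On the sample data the run reports one stale account (aexample, 18 days past the deadline), two payroll events by that same leaver after the termination date, and one enabled service account with no HR owner. In practice the HR feed is the authoritative input, so the reconciliation should run on every feed update rather than as an annual audit, and the "no HR owner" list is the argument for giving every service account a named owner in the directory.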
FORMULATING AN INTERNAL WORKFORCE CYBER SECURITY PLAN
Educating
• Annual compliance training
– Secure work areas
– Security when traveling
– Secure email procedures
– Avoiding phishing
• Foster a culture in which it is “safe” to raise concerns
Monitoring Sentiment
• Track employee/contractor sentiment
• Be proactive on potentially negative work issues:
– Mergers/acquisitions
– Layoffs
– Restructuring
– Even performance reviews…
• Use data analytics software to scan email and social media posts to flag “disgruntled” employees (any such scanning must sit within a clear, communicated monitoring policy, as the data protection session above sets out)
WHERE TECHNOLOGISTS FIT IN: WHAT VENDORS TELL US
VENDORS REPORT RISING DEGREE OF CYBERSECURITY CONCERN FROM THEIR CUSTOMERS
(Pie chart on the slide)
• Increasing (over the last 12 months): 78%
• About the same degree of concern as 12 months ago: 11%
• Decreasing (over the last 12 months): 11%
PERCENT OF CUSTOMERS ASKING ABOUT SECURITY MEASURES THAT MAY IMPEDE HACKING INTO THEIR HR SYSTEMS
(Bar chart on the slide; values paired with categories in the order extracted)
• Less than one-third: 11%
• One-third to two-thirds: 33%
• More than two-thirds: 56%
CUSTOMERS’ CONCERNS: INTERNAL VS. EXTERNAL BREACHES
(Chart on the slide; values paired with categories in the order extracted)
• More concerned about external cyber break-ins to their Cloud Data: 33%
• Equally concerned about ALL types of data security breaches: 67%
BUT DO THEY ASK?
DO CUSTOMERS SEEK VENDOR HELP IN ESTABLISHING THEIR CORPORATE DATA SECURITY PRACTICES?
(Bar chart on the slide; values paired with categories in the order extracted)
• Never: 22%
• Sometimes: 67%
• Often: 11%
ARE VENDORS A SOURCE OF INFORMATION ON THE POTENTIAL FINANCIAL IMPLICATIONS OF A CYBERATTACK ON CUSTOMERS’ HCM ENVIRONMENT?
(Bar chart on the slide; values paired with categories in the order extracted)
• No: 67%
• Yes, we provide general financial impact data based on public information (other research or aggregate data): 22%
• Yes, we provide a detailed assessment/analysis based on a variety of client-specific factors: 11%
DO VENDORS PROVIDE CUSTOMER TRAINING THAT ADDRESSES CYBERSECURITY?
(Pie chart on the slide; values paired with categories in the order extracted)
• No, our customers have never requested this type of training: 22%
• No: 33%
• Sometimes, but only if a customer requests it: 22%
• Yes, we often provide this type of training: 22%
CONCLUSIONS
YOU CAN DO THIS: MISTAKES TO AVOID
Mistake: It can’t happen to you
Reality: Yes it can. Even though you may think your data is not all that important, it can be used maliciously. Take risk seriously.
Mistake: It’s IT’s problem
Reality: Cybersecurity includes people, policies, procedures. It is as much a governance problem as a technical one.
Mistake: Rely solely on anti-virus technologies
Reality: Less than 40% of attacks today involve malware. “Perimeter security” alone is insufficient – it is only reactive…
Mistake: Ignoring your network and its architecture
Reality: You do need to understand and update your network. Do you know where your critical data is?
Mistake: Failure to monitor the endpoints
Reality: Once through the perimeter, what damage can be done? This is the proactive part – constantly looking for aberrant behavior.