Cyber Security: The Human Resources perspective

Should your Human Resources (HR) experts be more involved in assessing and protecting your organisation from cyber attacks?

Employees at some of the UK’s biggest employers – including the BBC, Boots, Aer Lingus, and British Airways – will all be rightly concerned at the potential loss of their personal data to cyber criminals as part of the widely reported MOVEit hack.*

This is not the first large-scale cyber-attack on British business and is unlikely to be the last. Yet we believe that this latest round of online criminality should function as the catalyst to finally place cyber security at the front and centre of Human Resources thinking.

According to Steve Herbert, Wellbeing and Benefits Director at Partners&: “Cyber security experts often point to the ‘human element’ as the inconsistency which – deliberately or accidentally – enables criminals to find an access route into their employer’s computer systems. And, although this latest attack doesn’t appear to be the result of employee actions, it has nevertheless led to the theft of sensitive employee data as the ultimate objective of criminal activity.

It follows that employees can be the catalyst for such an attack and/or the victims of it, and this makes cyber security very much a Human Resources issue. HR experts may therefore need to become far more involved in implementing policies, procedures, and insurances to minimise these risks across their entire workforce.

Matthew Clark, Cyber Director at Partners&, reminds employers that government figures published last year indicate that almost 4 in every 10 employers (39%) reported at least one cyber attack in the previous 12 months, whilst fewer than 15% of the UK’s small and medium-sized enterprises have a standalone cyber insurance policy in place.

According to Matt: “Cyber security is a problem for employers of all sizes, and for every breach at a major employer, there are likely to be many more attacks on smaller – potentially far more vulnerable – organisations too. Aside from the reputational damage and interruptions to operations, employers may need to report breaches to the Information Commissioner, notify each data subject of the leak, and potentially pay significant levels of compensation. Employers are often required to also bear the cost of monitoring services to minimise fraud for those impacted by the breach. This latest attack highlights that cyber security should be a central component of the Human Resources remit – both to prevent attacks and protect employees. We would therefore strongly encourage many more HR experts to consider the benefits of cyber insurance to protect both their employer and their employees.”

To understand more about cyber risk and how employers can protect themselves from cyber attacks, visit the Partners& cyber hub.

The MOVEit hack – a cyber event impacting HR and recruitment sectors

Organisations worldwide face persistent threats from hackers and cybercriminals who are constantly seeking vulnerabilities to exploit. One significant event that has shaken the HR and Recruitment communities recently was the MOVEit software hack, which resulted in the breach of personal data on potentially millions of individuals, including home addresses, dates of birth, national insurance numbers and bank details. There are critical implications for both the businesses involved and the individuals concerned.

MOVEit is a managed file transfer software product that enables users to store and share sensitive information securely. The National Cyber Security Centre (NCSC), the UK’s cyber watchdog, was quick to publish an advisory bulletin on this latest mass hack, describing it as a “SQL injection vulnerability”. SQL injection is a method of attack long favoured by cyber criminals, in which malicious code is inserted into the queries a web application sends to its database in order to manipulate or access data without authorisation. Though the attack method is long-established, this was the first time this particular weakness was uncovered, making it a so-called “zero-day” vulnerability.

Progress Software Corporation, the US company behind MOVEit, has issued a software update that patches the vulnerability. However, with companies like British Airways, the BBC and Aer Lingus already impacted, the contagion is likely to be much broader.

A notable feature of this cyber-attack is its focus on the software “supply chain.” By compromising a single organisation within a supply chain (in this case Progress), attackers can potentially access and disrupt multiple organisations that depend on it. This allows them to maximise the impact of their attack and target high-value assets across the supply chain.

The attack highlights the value cyber insurance can bring to professionals in HR, Recruitment, and Umbrella firms.