
Security and the HR role Seminar - Oil & Gas...

Date post: 25-May-2020
Security and the HR role Seminar
Transcript
Page 1: Security and the HR role Seminar - Oil & Gas UKoilandgasuk.co.uk/wp-content/uploads/2016/04/Final-slides-HR-semi… · •Negative world view Post Super Puma Crash 2013 ... • Talent

Security and the HR role Seminar


HR and Security – A marriage made in Heaven?

Dr Moira Bailey

Senior Lecturer and Programme Leader

Robert Gordon University


HR and Security – a marriage made in heaven?

Dr Moira Bailey

BACKGROUND

• Traditionally security has focussed on:

– Physical assets

– Information security

• This has to change – for various reasons

– The current global situation – we have heard from Graham about this: Brussels, Paris

– The Insider threat – increase in emphasis

– Increased focus now on people element with regard to security – the security services are ‘coming out of the dark into the light’


EXECUTIVE CONCERNS

Increasing focus on violence occurring in the workplace both from internal and external sources

Recent Terror events in various locations throughout Europe

Media Spin Opinion and Frenzy

Politics Complexity of the issues from privacy to religious expression

Overlapping executive responsibilities – Security, HR, Legal, IT and Law enforcement

WHAT DOES ALL THIS MEAN?

• The organisation should be prepared for unexpected events – continuity needs to be maintained

• The organisation needs to be protected against unexpected events

• Organisations need to be aware that the people within the organisation can become a threat to the organisation and the other people in it (as well as other stakeholders eg visitors, contractors)

• Good security will help achieve this

HR FUNCTIONS

• Recruitment

• Training and Development

• Employee Relations

• Compensation and Benefits

• These are all governed by legislation (a good start) ………. BUT

• What are the security implications within the functions? eg in terms of T&D employees are often given training with regard to company information being confidential but are employees trained in how to recognise changes in colleague behaviour which might indicate radicalisation?

WE NEED TO LOOK AT OURSELVES

• Does HR work in a silo?

– Perceptions – Police, ‘No’ people, Party Planners

– Compliance and Regulations, Administration driven

– Distant and Aloof

• We need to ask ourselves some hard questions

• Do we recognise ourselves?

• Is this how we are perceived?

• Are we happy with this?

• What impact could these perceptions have on the security within an organisation?

HR’S ROLE?

• It therefore must involve:

– PROTECTING THE ORGANISATION THROUGH ITS PEOPLE

• This can be achieved through recruitment, selection and induction functions

– PREPARING THE ORGANISATION THROUGH ITS PEOPLE

• This can be achieved through the training and development function

• Appropriate business continuity processes

THE FUNCTIONS OF HR

Recruit

Induct

Retain

Develop

Exit/Move Internally

Wellbeing H&S

Relations

Reward

And a cousin of the above ……… Security

HR MUST ENSURE ……………..

RECRUITMENT (INCLUDING INTERNAL) AND INDUCTION

• Pre-employment screening Guidance document

• Risk Assessment for personnel security: a guide (June 2013)

• On-going personnel security: a good practice guide (April 2014)

• Investigating employees of concern: a good practice guide (March 2011)

• Workplace behaviours

These guidance documents can be downloaded from www.cpni.gov.uk

TRAINING AND DEVELOPMENT

• Training and Development

– Managers and Staff need training to fulfil the requirements of the human aspect of BCP

– Managers and workers trained to raise their awareness of potential security issues including insider threat

– Managers and workers trained to identify potential security issues

– Managers and workers trained on the use of appropriate reporting procedures

– Managers and workers trained to be vigilant – employee behaviour displays attitude towards security

– Training must be ongoing – people forget

Guides available from CPNI website

BUSINESS CONTINUITY PLANNING

• Business Continuity Planning – the human aspect

– Though this generally helps prepare the organisation, knowledge of these elements can help protect the organisation too, eg knowledge of staff can alert to a potential Insider Threat

IT’S A BUSINESS ISSUE

Post 9/11

• At 1 firm in the financial district, 43% of staff were at risk of PTSD – 9 months later 21% were still suffering

• The threat of terror attacks can affect employees – resulting in loss of productivity, absenteeism, missed deadlines, inability to make decisions

Post Oklahoma Bombings

• Half the survivors developed anxiety, depression, alcohol problems and 33% suffered PTSD

• A year later Oklahoma still had increased alcohol problems, stress and PTSD

Post London July 7 2005

• People did not want to travel on tubes

• High levels of stress in London’s population – victims, witnesses and others

• Negative world view

Post Super Puma Crash 2013

• "personally refuse" to get into a Super Puma

• will consider a job change

• reservations about taking the helicopter again

• refusing point blank.

• "But you are then put between a rock and a hard place because if you don't go to work you can't support your family, pay your mortgage etc"

BCP

• Policies and Communication – sick leave, flexi time, travel, communication strategy - conference calls, television and radio, review current systems eg EAP

• Employee education and support – teach employees how to prepare for and respond to different types of disasters, cascading information, training in implementing emergency procedures, support networks, counselling. Management training on managing stress, coping with grief and grieving families, counselling and consulting resources (internal as well as external), adjusting performance expectations

• Virtual infrastructure – offsite working – remote access to software and data files

• Job training – crisis response training materials, job shadowing, mentoring

• Talent management – replacement of key personnel, business critical roles, succession planning


THE HUMAN ASPECT OF BCP

Challenge beliefs, create meaning, explore lessons learned and communicate them

Recognition from others, supporting acts of courage eg returning to scene or work

Creating a supportive recovery environment encouraging family and organisational group support structures

Physical safety eg contact details, getting people home, freedom from threat

Emergency personnel on site, food, shelter, water, warmth, sleep

After the event

During the event

HOW ARE PEOPLE LIKELY TO BE AFFECTED?

Cognitive reactions:

Loss of faith

Impaired memory/concentration

Confusion/disorientation/denial

Impaired decision making

Reduced confidence/ self esteem

Hypervigilance

Physical reactions:

Insomnia

Headaches

Reduced appetite/libido/energy

Hyperarousal

Emotional reactions:

Shock/numbness

Fear/anxiety

Survivor guilt

Anger/Helplessness/Hopelessness

Social reactions:

Withdrawal

Irritability

Interpersonal conflict

Avoidance

HOW PEOPLE REACT TO TRAUMA

FOSTER A SECURITY CULTURE – THE ANSWER?

Security culture

• Past Events – past events (relating to security and people) talked about inside and outside the company eg security breaches that may be laughed about

• Power Structure – people who have the greatest amount of influence on decisions, operations, and strategic direction (relating to security)

• Control Systems – financial systems, quality systems, and rewards relating to security – not just financial – does security pervade all departments of the organisation

• Symbols – visual representations of the company eg how rigid are the security checks

• Daily Behaviour – daily behaviour and actions of people that signal acceptable behaviour eg employees ignore visitors walking through the building

• Org Structure – this includes both the structure defined by the organization chart, and the unwritten lines of power and influence eg is the role of security valued? Why? Why not?


THERE IS A BUSINESS CASE FOR A SECURITY CULTURE

• Increased employee engagement

• Reduced risk and vulnerability

• Reduction in theft of materials or company information

• Reduced risk of reputational or financial damage

• Low cost interventions

• Improved organisational performance


What does/should security expect from HR?

• An understanding of the term ‘security’ and its relevance in the contemporary workplace

• An appreciation of the scope of security in the contemporary workplace

• HR expertise and the role that can play in ensuring a secure environment

• Working together

• The influence of HR throughout the organisation to promote a security culture


What does the security function want from HR?

Colin Brown

Security Manager

CRB Consultants

Security – It’s Your Business

Colin Brown

Security?

The Duke of Hindsight

HR and Security – You decide

Platform for Success

Security Posture

Risk – roll the dice

Recruitment and Management

Exit Interviews

Conclusion

Security – It’s Your Business

Colin Brown

Demystifying Data Protection Law

Ross McKenzie

Data Protection Practitioner

Burness Paull LLP

Demystifying Data Protection

Ross McKenzie, Data Protection Practitioner

Oil & Gas UK – Security and the HR Role - 20 April 2016

Aberdeen

Edinburgh

Glasgow


The Balancing Act of Handling Requests

Relevant Rules

• Data Protection Act 1998 regulates use of personal information, based on the “right to privacy”.

• Gives rights to individuals and imposes obligations on organisations which handle personal data.

• When asked to supply personal information by police how do you balance an individual’s right to privacy?


The Balancing Act

• Section 29 of Act gives organisations an exemption which can be relied on where disclosure is for:

– the prevention or detection of crime; or

– the apprehension or prosecution of offenders.

• Can only be used where not disclosing is likely to prejudice these purposes.

• Not an absolute right – should ask for a justification in a “section 29 notice”.

What do you give?

• Whilst the exemption can be relied on, an organisation is still required to comply with other provisions of the Act insofar as they can such as:

– Only providing information which is strictly required; and

– Supplied securely - biggest fines for security breaches.

A Closer Look at Monitoring in the Workplace

Barbulescu v Romania

• European Court of Human Rights case confirmed that monitoring of employee’s use of messenger service used on Company IT did not breach their privacy rights.

• Relied on:

– Internal Company rules.

– Company access was limited - only viewed messages to verify employee was working following reasonable suspicions.

• Not free rein!

Top Tips

• Have a clear Company policy on monitoring.

Examples include:

– IT and Security Policies;

– General Data Protection / Privacy Policy; or even

– Employment Contracts.

• Ensure policy is communicated to staff!

• Consider application to home devices.

Changes on the Horizon for the Industry

General Data Protection Regulation – Summer 2018

• Changes relevant to security include:

– A requirement to document and consider privacy impact in processing which uses sensitive data;

– Self reporting of security breaches required for certain breaches;

– Greater requirement of “accountability”; and

– Increased penalties (4% of annual worldwide turnover).

Network and Information Security Directive

• Requirement for critical infrastructure operators to take appropriate security and organisational measures to manage cyber security risk.

• Requirement to report cyber security breaches.

• UK will have to implement a NIS strategy to comply with the Directive.


Ross McKenzie

Data Protection Practitioner

Direct Dial: +44 (0)1224 618550

Mobile: +44 (0)7876 861 828

Email: [email protected]

We’d like to hear from you....

Cyber Security from an HR perspective

Milan Taylor

Partner

Mercer


© MERCER 2016 51

HEALTH WEALTH CAREER

APRIL 20th 2016

RISKY BUSINESS

PROTECTING HR DATA IN TODAY’S HACKER PRONE WORLD

Milan Taylor, Partner

TOPICS WE WILL ADDRESS TODAY:

• The issue at hand

– It’s a major business issue

– It is likely here to stay

• Inside and Outside: Where are the Threats?

• Where Technologists Fit In: What Vendors Tell Us

• Conclusions

CYBER RISK IS A RACE WITHOUT A FINISH LINE…….

• 81% of large businesses in the United Kingdom suffered a cybersecurity breach during the past year

• The average cost of breaches has nearly doubled since 2013

CYBER TERRORISTS:

Have accessed the records of 21.5 million American public service employees

Infiltrated the German parliament’s network

Blocked a French national television broadcaster’s 11 television channels for several hours

Compromised the operations of 1,000+ energy companies in 84 countries, with one mouse click crippling:

- Wind turbines

- Gas pipelines

- Power plants

Sources: WHY HACKERS COULD CAUSE THE NEXT GLOBAL CRISIS, Raj Bector, Claus Herbolzheimer, and Sandro Melis, and Robert Parisi. CYBER RISK HANDBOOK 2015, Marsh & McLennan Companies, 2015.

A CLEAR AND PRESENT DANGER: WORLDWIDE

• 116 cyberattacks daily

• Rate of attacks has grown 23% yearly since 2010

• The average annual cost of cyberattacks has risen 17% yearly - reaching $9 million per business

• Costs businesses more than $400 billion a year – a sum broadly equivalent to the GDP of Austria or Thailand.

• The most recent Global Risks report ranks cyberattacks as one of the top 10 risks most likely to cause a global crisis.

• Cyberattacks were ranked as the top risk for which North American respondents felt their countries were least prepared.

Sources: Center for Strategic and International Studies/McAfee, Net Losses: Estimating the Global Cost of Cyber Crime (2014); World Economic Forum, Global Risks 2015 (2015); Symantec Internet Security Threat report; Ponemon 2012, 2013 Costs of Cyber Crime study; The Global State of Information Security® Survey 2014; The Betterly Report Cyber/Privacy Insurance market survey 2013; Cybersecurity Market report by Marketsandmarkets, June 2012.

TaxAct alert: Outsiders got into accounts

JANUARY 20, 2016

Online electronic tax filing service TaxAct alerted 780 Californians that their accounts had been accessed by outsiders — presumably thieves trying to steal personal information and obtain user tax refunds.

• Names

• Social security numbers

• Addresses

• Driver’s license numbers

• Bank account information

CYBER RISK: IT’S NOT JUST FOR IT ANYMORE

• It is a Board-level governance issue

– Requires the engagement of the full executive leadership team to address.

• Everyone (Including HR)

– Requires a comprehensive, multidimensional approach

– Addresses people, processes, and vendors

• Prevention and Recovery

– Prevention tactics

– Response and recovery plans

THE EXTENT OF THE ISSUE: IMPLICATIONS FOR HR

• 50 billion connected devices in the world by 2020 –

• 6.5 devices for every person on the planet.

• Implications for HR

– Think “permanent enterprise risk” not “isolated IT event.”

– Plan your workforce cybersecurity strategy

- Know your people

- Educate

- Monitor sentiment

Source: DHL/Cisco, Internet of Things in Logistics (2015)

Many will be in the workplace

All are hackable

IT’S A PEOPLE ISSUE

Awareness

Compliance

Understanding Sentiment

IT’S A PEOPLE ISSUE

Accidental

Renegade

Malicious

• Unaware

• Negligent

• Knows and Ignores

• Tech-savvy

• Malcontents

• Seek revenge

• Seek £££

• Sabotage

• Espionage

WHEN INSIDERS ATTACK……

49%

Current Employees

51%

Former Employees

Source: Keeney, M., Cappelli, D., Kowalski, E. Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA Carnegie Mellon University Software Engineering Institute/ United States Secret Service.

WHAT RESEARCH TELLS US ABOUT INSIDER ATTACKS

1. Most likely triggered by a negative work-related event

2. Most perpetrators had acted out at work previously

3. Planned their activities in advance

Source: Keeney, M., Cappelli, D., Kowalski, E. Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA Carnegie Mellon University Software Engineering Institute/ United States Secret Service.

GETTING STARTED…….

Analyse the Information

Develop Information Security Requirements

“Mind the Gap”

What data needs protection?

Create “what if” damage scenarios

Ascertain your appetite for risk

Measure gap between current and desired states

Plan and execute a risk mitigation strategy

FIRST THINGS FIRST

1. Consider threats from insiders in risk assessments

2. Dedicate specific budgets and resources for insider-threat countermeasures

3. Execute background checks on all new hires

4. Track the access and use of highly sensitive/confidential accounts

5. Audit unusual online behavior

6. Deactivate sensitive systems access following employee termination

FORMULATING AN INTERNAL WORKFORCE CYBER SECURITY PLAN

Educating

• Annual compliance training

– Secure work areas

– Security when traveling

– Secure email procedures

– Avoiding phishing

• Foster a culture in which it is “safe” to raise concerns

Monitoring Sentiment

• Track employee/contractor sentiment

• Be proactive on potentially negative work issues:

– Mergers/acquisitions

– Layoffs

– Restructuring

– Even performance reviews…

• Use data analytics software to scan email and social media posts to flag “disgruntled” employees

WHERE TECHNOLOGISTS FIT IN: WHAT VENDORS TELL US

VENDORS REPORT RISING DEGREE OF CYBERSECURITY CONCERN FROM THEIR CUSTOMERS

[Chart. Values as extracted: 11%, 11%, 78%. Legend: Decreasing (over the last 12 months); About the same degree of concern as 12 months ago; Increasing (over the last 12 months)]

PERCENT OF CUSTOMERS ASKING ABOUT SECURITY MEASURES THAT MAY IMPEDE HACKING INTO THEIR HR SYSTEMS

[Bar chart. Values as extracted: 11%, 33%, 56%. Categories: Less than one-third; One-third to two-thirds; More than two-thirds]

CUSTOMERS’ CONCERNS: INTERNAL VS. EXTERNAL BREACHES

[Chart. Labels: More concerned about external cyber break-ins to their Cloud Data; Equally concerned about ALL types of data security breaches. Values as extracted: 33%, 67%]

BUT DO THEY ASK? DO CUSTOMERS SEEK VENDOR HELP IN ESTABLISHING THEIR CORPORATE DATA SECURITY PRACTICES?

[Bar chart. Values as extracted: 22%, 67%, 11%. Categories: Never; Sometimes; Often]

ARE VENDORS A SOURCE OF INFORMATION ON THE POTENTIAL FINANCIAL IMPLICATIONS OF A CYBERATTACK ON CUSTOMERS’ HCM ENVIRONMENT?

[Bar chart. Values as extracted: 67%, 22%, 11%. Categories: No; Yes, we provide general financial impact data based on public information (other research or aggregate data); Yes, we provide a detailed assessment/analysis based on a variety of client specific factors]

DO VENDORS PROVIDE CUSTOMER TRAINING THAT ADDRESSES CYBERSECURITY?

[Chart. Values as extracted: 22%, 33%, 22%, 22%. Legend: No, our customers have never requested this type of training; No; Sometimes, but only if a customer requests it; Yes, we often provide this type of training]

CONCLUSIONS

YOU CAN DO THIS: MISTAKES TO AVOID

Mistake: It can’t happen to you

Reality: Yes it can. Even though you may think your data is not all that important, it can be used maliciously. Take risk seriously.

Mistake: It’s IT’s problem

Reality: Cybersecurity includes people, policies, procedures. It is as much a governance problem as a technical one

YOU CAN DO THIS: MISTAKES TO AVOID

Mistake: Ignoring your network and its architecture

Reality: You do need to understand and update your network. Do you know where your critical data is?

Mistake: Rely solely on anti-virus technologies

Reality: Less than 40% of attacks today involve malware. “Perimeter security” alone is insufficient – think only reactive…

YOU CAN DO THIS: MISTAKES TO AVOID

Mistake: Failure to monitor the endpoints

Reality: Once through the perimeter – what damage can be done? This is the proactive part – constantly looking for aberrant behavior.
