As National Cyber Security Awareness Week (20 to 24 May 2013) commences, Abul Rizvi explains why HR professionals should be on the frontline when it comes to protecting their company from online threats.
While many people think a company’s cyber security policy is the sole domain of the IT department, HR professionals have a vital role to play in educating staff about cyber security and staying safe online.
After all, it is one thing to have a cyber security policy in place, but unless staff understand and adhere to it, a company will remain vulnerable to online threats.
HR professionals can help create a culture of security in the workplace by communicating with staff about their roles and responsibilities, and ensuring that security is a priority in terms of general awareness and training.
More than 20% of Australian businesses experienced a cyber security incident last year and it is not just large corporations that are at risk.
A report by Symantec found that in the US, targeted attacks on organisations with more than 2,501 employees accounted for half of all attacks last year. However, targeted attacks on businesses with fewer than 250 employees jumped from 18% in 2011 to 31% in 2012.
Cyber incidents can leave a company financially worse off, damage its reputation (particularly if a customer or client’s information is compromised), and lead to time-intensive efforts to restore records and data.
So just what are the risks?
Malicious software, or malware, can infect a computer with viruses, worms, spyware, Trojans or other threats such as botnets. Malware can corrupt equipment and have a number of negative consequences, from a computer operating more slowly to giving criminals access to files and passwords. Malware can also allow hackers to take over a computer and undertake criminal activity.
Ransomware is a type of malware that criminals use to extort money, and should be reported to the police. Ransomware will often lock a computer or display a fake warning saying that it has been associated with a crime, and demand a payment or fine from the owner.
Spam emails are another risk as they can contain malware or be used by cyber criminals to gain personal information through phishing scams – a type of hoax email – which they will then use for illegal purposes, such as transferring funds or purchasing goods online.
Businesses need to treat internet security as a priority and ensure that staff are aware of – and follow – internet security policies.
If staff are using work computers, ensure that clear policies are in place about appropriate use, including personal use of email and web browsing.
Before new staff are issued with a password to log on to the network, ensure that they have received induction training. This should cover who can access and use equipment, what is considered acceptable use and what isn’t, procedures for logging off and securing equipment at the end of the day, personal email and internet use, protecting sensitive company information, and procedures if business equipment is lost or stolen.
Educate staff about password security. Ideally, a password should be at least eight characters long, use a mix of upper and lower case letters, include at least one numeral and one non-alphanumeric character, and should not contain a dictionary word in any language. Passwords should never be shared with anyone or stored in plain text on a computer.
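The password rules above can be enforced automatically when a new account is created rather than left to memory. The following is an added example, not code from the original article or from Stay Smart Online; the word list is a small constructed sample standing in for a real multilingual dictionary, and the substitution map is an assumption that goes slightly beyond the article's rule by also catching common letter-for-symbol swaps such as "P@ssw0rd".

```python
# Constructed sample word list (assumption of this example); a real deployment
# would load a large multilingual dictionary instead.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "admin", "company", "bonjour"}

MIN_LENGTH = 8
MIN_WORD_LENGTH = 4  # assumption: ignore very short words so "a" or "it" do not reject everything

# Assumption: common substitutions people use to disguise a dictionary word.
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalise(password):
    """Lower-case the password and undo common symbol-for-letter swaps."""
    return password.lower().translate(SUBSTITUTIONS)


def check_password_policy(password, dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes.

    Rules checked: minimum length, upper and lower case letters, at least one
    numeral, at least one non-alphanumeric character, and no dictionary word.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(not c.isalnum() for c in password):
        problems.append("no non-alphanumeric character")
    # Normalising only replaces symbols with letters, so any word present in the
    # raw password is still present after normalisation.
    normalised = normalise(password)
    found = sorted(w for w in dictionary if len(w) >= MIN_WORD_LENGTH and w in normalised)
    if found:
        problems.append("contains dictionary word(s): " + ", ".join(found))
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2013!", "P@ssw0rd", "xk7!Qm2#Lv"):
        print(candidate, "->", check_password_policy(candidate) or "OK")
```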
Provide ongoing security training to all staff. This should cover updating and running security software, using email safely to avoid hoax emails and phishing scams, browsing safely online, and the company’s code of conduct for using social networking websites.
Become familiar with the Stay Smart Online website, which provides fact sheets and information on how businesses can protect themselves online. Encourage staff to sign up for the Stay Smart Online Alert Service to ensure they are aware of the latest cyber security risks and solutions: www.staysmartonline.gov.au/alert_service
Ensure that online security is discussed regularly at staff meetings.
About the author
Abul Rizvi is the Deputy Secretary of Digital Strategy and Services at the Department of Broadband, Communications and the Digital Economy.