Cyber Security – have you considered ‘the people factor’?


Here’s an interesting article written by Jelf, the MIA’s recommended financial consultancy firm…

A recent report* by IBM found that 60% of cyber attacks were the result of insider activity. And for “insider”, think employee.

Now it should be made clear that the action that leads to a cyber attack might well be that of unintentional negligence (for example the simple opening of a web-link in an email), but it should also be recognised that in some cases the cause will be linked with direct malicious intent by the insider or employee concerned.

The business and reputational damage that can be caused by such an attack is of course considerable, and the recent global ransomware attack that caused chaos across almost 100 countries worldwide and majorly disrupted the UK’s National Health Service really highlights the potential impact of such an eventuality.

So it would appear self-evident that the “people factor” in Cyber Attacks should be a significant concern for all businesses, and by extension their HR functions. Yet when we highlighted this risk at one of our London events last year there were several written and verbal comments to the effect that this particular subject was not relevant to the audience, and indeed had no place in an event targeted at those in Human Resources.

A similar theme was evident in our 2017 Jelf Employee Benefits Survey.  For instance:

When did you last review the “people factor” cyber risk in your organisation?

  • In the last 12 months:  22.16%
  • Between 1 and 3 years ago:  5.41%
  • More than 3 years ago:  2.16%
  • Never:  23.24%
  • Don’t know:  47.03%

It would therefore appear that few HR units are regularly looking at this situation, and this is surely a dynamic that needs to change if the “people factor” risk to organisations is to reduce.

So this is an area where we would strongly urge HR departments to actively ‘own’ the people factor inherent in cyber risk with the introduction of strong systems and protocols from the date of employment onwards.

And from an Employee Benefits perspective we would also urge caution.  Employers should seek to ensure that their choice of Employee Benefits platform is both robust and secure, and to undertake a regular review of all password protocols.  In addition we would suggest a detailed audit of any automated employee data flow between Payroll, HR, and Employee Benefit providers to identify and resolve potential weaknesses.

The bottom line is that Human Resources professionals have a key role to play in managing and mitigating this risk, and it is no longer sufficient to expect this problem to be owned by the employer’s IT team alone.

For more information on this subject please speak to your usual Jelf Consultant in the first instance.  And for more details about Cyber Insurance protection for businesses please follow this link.

*IBM X-Force Research:  2016 Cyber Security Intelligence Index