During the last few decades the issue of cyber security has become a burning one for both public and private sector actors. The world is changing which leads to new cyber security challenges for companies and their management. New technologies and development of the “Internet of Things” (namely, the interconnection of various electronic devices) require proper regulations made by both governments and individual entities.
Governments around the world have started developing a legal basis for protection of cyber security. Almost all existing legal instruments and other documents are aimed at cooperation between countries in particular spheres of cyber-space protection. Namely, the recent European Union Network and Information Security (NIS) directive (1), which is in line with the Cybersecurity Strategy for the European Union and the European Agenda on Security, introduces a security obligations framework for regulation of cyber security of operators of essential services (e.g., energy, transport, health and finance) and of digital service providers (e.g., online marketplaces, search engines and cloud services). The Convention on Cybercrime (also known as the Budapest Convention) deals with cyber-attacks in the criminal law context. Consequently, international and national practice show that governments are focused on protection against the most serious cyber-attacks.
For the private sector, there is still little cyber security legislation. Information protection is generally regulated by laws on protection of personal data including laws that require businesses to report cyber-attacks resulting in leaks of personal data. For other information, there is still no appropriate regulation. That is why it is up to the owners and managers of particular companies to organize protection of their companies’ data.
The last decade brought changes to workplace management. The evolution of “workplace” is one of the factors that caused it. Nowadays, it includes not only an office place with provided office equipment. Massive use of smart-phones, tablets, and laptops along with Bring-Your-Own-Device (BYOD) policies and remote working practices have expanded the understanding of “workplace”. It results in the need to prevent data intrusion and leaks from all the possible sources.
According to the information provided by technology companies more than half of companies around the USA suffer from cyber-attacks each year. For some industries dealing with sensitive information, like law firms and hospitals, the percentage is even higher. Mandiant (2) experts say that of the 100 biggest firms in the USA by revenue, at least 80 have been hacked during the last couple of years. Obviously, companies in other countries have to tackle the same problems.
As examined by the Ponemon Institute (3), data breaches resulted in average losses of $221 in the US, $213 in Germany, and $100 in Brazil per company last year. In some cases, the losses amount to thousands and even millions of dollars. Studies show that the total amount of monetary losses is increasing each year. Moreover, in some situations cyber-attacks may significantly harm a company’s reputation, which is especially true of the publicity surrounding leaks of credit card and social security details. That is why it is, for sure, in the best interests of businesses to do everything possible to maintain cyber-security.
Having realized the scale of the problem, one will ask: what causes cyber-attacks and what should employers do to protect their companies. It may be surprising but the malicious attacks themselves are not the biggest danger to the technological security of companies. The main factor, which causes data leaks and intrusion, are employee mistakes and negligence. This article will examine ways to mitigate cyber security risks stemming from employees.
How can employers diminish the risks emanating from their employees?
1. Develop internal information security policy
First and foremost is to properly regulate use of the Internet and electronic devices which have access to the company’s data. A well-written information security policy (4) is an effective tool to deal with cyber security protection within a particular company.
The information security policy should reflect specifics of the company which implements it. Most countries have laws prescribing special rules for possessors of sensitive information. Companies with such information are obliged to keep the information safe. The leaks of data regarding health problems, passport and credit card details endanger lots of people’s private lives. Therefore, additional procedures for keeping integrity of the data may be required.
Other than sensitive information, laws do not prescribe special procedures applicable to cyber security protection. Nevertheless, it is in the best interests of the owners to maintain trade secrets and other commercial information from malicious attacks and internal leaks.
While preparing information security policies employers provide a detailed description of how employees should work with data, how to use / install software on both the company’s devices and the ones of employees, how often to change passwords, which websites are reliable, which links and emails to open, etc. Besides, it is good to differentiate rules for general employees and the IT staff of a company. The latter ones should establish the mechanism of IT security checks, the frequency of software updates, with a special focus on anti-virus software, etc.
Each clause of an information security policy has to be unambiguous, reasonable, and detailed. All inaccuracies will be interpreted in favor of employees breaching the rules. Furthermore, the policy shall not violate the human rights of employees (be careful with the right to private life and freedom of expression). Otherwise, they will be void.
IT experts strongly recommend limiting the installment of apps on all devices with access to company data. According to the information provided by IBM, an American multinationaltechnology company, over 60 per cent of the leading dating apps studied are vulnerable to medium and/or severe vulnerabilities that put application data, as well as data stored on the device, at risk (5). That is why developers of information security policies should be especially careful while determining at-risk apps, limiting their application, and ensuring adherence to the rules.
To get an understanding of what is required for information security management, a reference can be made to ISO 27001: 2013, which sets a standard for security management systems. It is aimed at all types of businesses regardless of their size or sphere of functioning. Even though the standard is not obligatory, authorities in some countries refer to its rules while checking compliance with data protection laws (6).
2. Implement Information Security policies into employment agreements (other binding instruments)
In order to make information security policies binding they should be incorporated in either employment agreements or other binding documents of a company. Practices of implementation of rules vary around the world. In some countries these rules have to be incorporated in the employment agreement. Otherwise, further introduction of the policy would mean unilateral changes to the employment agreement. In such situations it is essential to get written acceptance of the rules. In other countries, trade unions together with employers enjoy a right to introduce internal regulations, which include information security policies. Consequently, it is advisable to get employees’ signatures confirming their awareness of the introduced policies.
Another important point is to have a mechanism for information security policy revision. Symantec reports discovery of more than 430 million new unique pieces of malware in 2015 (7). This number increases each year. Therefore, only frequent updating of the policy can make it effective for cyber security protection.
3. Take disciplinary actions in case of non-compliance
As all violations of internal regulations, breaches of information technology policy should lead to internal investigations. If a breach is unintentional and does not cause significant damage, employers ought to make sure that it will not happen again. To that end, employers can talk to employees, once again explaining the importance of adherence to the policy. Furthermore, extra training may be of use.
In the case of more severe violations, employees may be subject to disciplinary action including termination of employment. Disciplinary actions in this case should be in line with the general disciplinary policy within a company. A disciplinary action should reflect the seriousness of an employee’s breach of the Information Security Policy. All jurisdictions have their own standards with regard to disciplinary action (e.g., the principles of progressive discipline).
It is important to remember that if senior staff does not take the information security policy seriously, others will not do it either. Moreover, if disciplinary actions are taken only against some employees who breach the rules, it may be considered discrimination. Thus, employers have to set the rules and control their enforcement by all employees.
Besides, it is one of the primary obligations of managers to maintain the integrity of cybersecurity at their company. If they cannot cope with it, relevant steps should be taken. There is a widespread practice of dismissing CEOs following cyber-attacks against their companies. For example, in the case of the cyber-attacks which hit Sony in 2014 and resulted in terabytes of data revealed, Amy Pascal, the then-CEO of Sony, was fired (8).
4. Educate employees on Information Security Policies
Even if information security policies are included in employment agreements or otherwise made binding, they can only help protect information’s integrity when employees have a clear understanding of their rules.
That is why it is not enough to just make a brief explanation of the rules or even conduct a training session for employees. Employers interested in the cyber security of their companies should organize trainings for all employees on an on-going basis. At these trainings employees ought to get updates in the IT security sphere and be trained to deal with emerging cyber threats.
Nowadays there is a wide range of developed programs for such trainings. Training games let people better learn new information. Trainings for IT staff have to be organized by the leading experts in the internet security sphere, as a lot depends on the IT staff’s expertise.
Special attention is worth paying to checking whether employees understand the rules of Information Security policies. As surveys show, most managers do not have any tests for employees to identify the gaps in their knowledge and understanding of the Information Security Policies. Obviously, it often makes such policies ineffective.
Conclusion
The founder and chairman of the Ponemon Institute Larry Ponemon said: “Data breaches normally aren't about bad people. It's normally about good people making mistakes or business processes that fail.”
That is why employers who wish to protect their companies’ data from intrusion should focus on reducing the human risks. It can be done by means of creating information security policies and their implementation through employment agreements or other legal instruments. On-going training is an essential part of cyber-risk management. Such training has to clearly explain to employees how they should deal with various electronic devices and the data collected on them. In case of breaches of the rules, employers should investigate the case properly and, if needed, take disciplinary measures up to and including dismissal. The same is applicable to the high-level managers of companies who do not take appropriate steps to secure their company’s data.
________________________________________
(1) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.
(2) Mandiant is an American cybersecurity company.
(3) The Cost of Data Breach Study, the Ponemon Institute, June 2016.
(4) It is a model title for rules for protection of cyber security. Employers have full discretion to name their rules (IT policy, Rules of Behavior with Data, etc.).
(5) Security Analysis: Dating Apps Vulnerabilities, IBM, February 2015.
(6) For example, the UK Information Commissioner's Office.
(7) Internet Security Threat Report, volume 21, Symantec, April 2016.
(8) “Amy Pascal Comments On Jennifer Lawrence’s Pay Disparity”, the Huffington Post, February 12, 2015.
Published by: Terralex Connections, November 2016
Authors: Oksana Voynarovska, Yaroslava Zagoruiko