Is your HR data protected against cyber attacks?
The value of HR data
Remote and hybrid working, which became the norm rather than a temporary pandemic measure, has made digital transformation of HR essential: operational HR processes are being automated and made data-driven. With data-driven HR, teams can use data to make better decisions, understand and evaluate the business impact of people, improve leadership decision-making on people-related matters, make HR operations more efficient, and improve employees' overall well-being and effectiveness. HR is leading digital transformation by adopting digital HR tools and technologies to improve operational performance. All of this can significantly affect a company's ability to achieve its strategic aims, and that is what makes HR data so valuable.
Increasing reliance on data brings an increased need to protect it against data breaches caused by cyber attacks, in which criminals gain unauthorised access to a computer system or network and steal the private, sensitive or confidential personal and financial data held there about customers, employees or users. Common routes into a breach include malware such as spyware, phishing, and broken or misconfigured access controls.
Many organisations, especially smaller companies, are under the misconception that they are unlikely to be targeted. Modern cyber crime is largely opportunistic: attackers send automated phishing campaigns and run internet-wide scans for vulnerable systems, so poorly protected targets are found regardless of their size or profile.
Cyber Security Research
Cyber security has become more critical over the past two years, as the pandemic forced teams into remote working. A six-fold increase in cyber crime during the pandemic has been reported, and IBM's Cost of a Data Breach Report 2021 found that breaches where remote working was a factor cost an average of $4.96 million, against $3.89 million where it was not. Where at least half of employees were working remotely, identifying and containing a breach took 58 days longer. The cost of keeping a company secure is also rising sharply: collective global cyber security spending is projected to reach $433 billion by 2030. Across all breaches, the same IBM report put the average cost of a data breach in 2021 at $4.24 million, the highest in the report's history.
A study from Verizon found that with the increase in hours, locations and devices that employees use under remote and hybrid working patterns, there has been a corresponding increase in companies' exposure to cyber attacks. The survey found that 79% of organisations agreed that remote working had adversely affected their cyber security and increased the burden on security teams.
According to Frost & Sullivan, within the next eight years the world will have a complex network of 200 billion devices, averaging over 20 connected devices per person. As a result, the next decade, with pervasive connectivity, artificial intelligence (AI), quantum computing and next-generation approaches to security management, will continue to pose increased security challenges.
According to the latest report by Gartner, cyber security is turning into a social phenomenon. Investor interest, public pressure, employee demands, and governmental regulations are strengthening the incentives for organisations to track and report cybersecurity goals and metrics within their Environmental, Social and Governance (ESG) efforts as a business requirement.
Customers are also increasingly expressing concern and interest in the cybersecurity posture of the organisations they conduct business with.
Gartner research shows that 88% of boards regard cybersecurity as a business risk rather than solely a technical IT problem. 13% of boards have responded to this by instituting cybersecurity-specific board committees overseen by a dedicated director.
Virtually every organisation relies on digital services in some way, and where there is technology there is risk. It has therefore become increasingly critical for organisations to develop new methods to protect themselves from cyber attacks.
Cyber Security in the UK
The UK Government's Cyber Security Breaches Survey 2021 found that four in ten businesses (39%) and a quarter of charities (26%) experienced a cyber security breach or attack in the previous year. The most common were phishing attacks (for 83% and 79%, respectively), followed by impersonation (for 27% and 23%). The financial effects of these breaches can be considerable: the average cost for all organisations in the past 12 months is estimated to be £8,460, and for medium and large businesses, it's higher, at £13,400.
UK Cyber Certification Schemes
Cyber Essentials (CE) is a certification scheme developed by the UK Government and industry to help protect organisations against common online attacks, and it represents the UK Government's minimum baseline standard for cyber security. It covers five technical controls: firewalls, secure configuration, user access control, malware protection and security update management. Certification provides an independently verified way for organisations to demonstrate to their customers, internal stakeholders, investors, insurers and others that they have taken these essential precautions.
Cyber Essentials Plus (CE+) is a higher level of assurance. It involves completing the same self-assessment questionnaire, followed by a technical audit in which an assessor tests the systems in scope for Cyber Essentials: a representative sample of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The audit includes vulnerability scans of the in-scope systems and checks that malware protection and patching are actually working on the sampled devices.
The benefits of Cyber Essentials and Cyber Essentials Plus
Achieving Cyber Essentials or Cyber Essentials Plus certification helps organisations protect themselves against the vast majority of common cyber attacks and provides a significant commercial advantage:
- Protects against approximately 80% of the most common cyber attacks. This matters because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.
- Certification demonstrates to your business partners, regulators and suppliers that you take your commitment to cyber security seriously.
- Increases your chances of winning business by boosting your reputation and assuring customers that you have cyber security measures in place.
The Cyber Essentials Plus certification is the audited version of the CE standard, which demonstrates to customers and other third parties that the required controls are indeed in place and working.
While a customer requirement is often the reason companies obtain CE+ certification, the audit also gives you a better picture of your organisation's cyber security status:
- Is your device and software inventory up to date?
- Are you confident that no end-of-life (EOL) systems are in use?
- Is endpoint and perimeter protection in place for remote workers, and have you updated your policies and processes to reflect the larger proportion of employees working remotely?
- Is your software restriction policy in place?
- Are Bring Your Own Device (BYOD) devices that access company data protected to the same standard?
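The first two questions above are ones you can answer from your own asset inventory before an assessor asks them. The following script is an added example, not code from the original article or from the NCSC: it reads a constructed CSV inventory export and flags devices whose operating system is past its end-of-life date, devices whose last security update is older than the 14-day window Cyber Essentials allows for critical and high-risk updates, devices whose OS is not in the support table at all (so support cannot be proven), and BYOD devices that need their controls confirmed. The inventory rows, the EOL dates and the review date are assumed sample data; real EOL dates must come from the vendor.

```python
"""Inventory review for a Cyber Essentials Plus readiness check (added example).

Reads a device inventory export and reports devices that would fail the
'no end-of-life systems' and 'security updates applied within 14 days'
checks. All data below is constructed for the example.
"""
import csv
import io
from datetime import date, timedelta

# Cyber Essentials requires critical/high-risk updates within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Assumed EOL dates for illustration only; take real dates from the vendor.
EOL_DATES = {
    "Windows 10 1909": date(2021, 5, 11),
    "Windows 10 21H2": date(2024, 6, 11),
    "Ubuntu 18.04": date(2023, 5, 31),
    "Ubuntu 22.04": date(2027, 4, 30),
    "macOS 10.14": date(2021, 10, 25),
}

# Constructed inventory export (hypothetical hostnames and owners).
INVENTORY_CSV = """hostname,owner,os,last_security_update,byod
LT-001,alice,Windows 10 21H2,2022-03-01,no
LT-002,bob,Windows 10 1909,2022-02-20,no
SRV-01,it,Ubuntu 18.04,2022-03-05,no
PHONE-7,carol,macOS 10.14,2021-12-01,yes
DEV-09,dave,Fedora 35,2022-03-08,no
"""

# Fixed review date so the example is reproducible.
TODAY = date(2022, 3, 10)


def review_inventory(csv_text, eol_dates, today, patch_window_days=PATCH_WINDOW_DAYS):
    """Return {hostname: [issue codes]} for every device with at least one issue.

    Issue codes:
      eol                    - operating system is past its end-of-life date
      unknown-os             - OS not in the support table, so support is unproven
      patch-overdue          - last security update older than the patch window
      byod-confirm-controls  - personal device accessing company data; confirm
                               it meets the same controls as corporate devices
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []

        eol = eol_dates.get(row["os"].strip())
        if eol is None:
            issues.append("unknown-os")
        elif eol < today:
            issues.append("eol")

        last_update = date.fromisoformat(row["last_security_update"].strip())
        if today - last_update > timedelta(days=patch_window_days):
            issues.append("patch-overdue")

        if row["byod"].strip().lower() == "yes":
            issues.append("byod-confirm-controls")

        if issues:
            findings[row["hostname"].strip()] = issues
    return findings


def run_example():
    """Review the constructed inventory as of TODAY."""
    return review_inventory(INVENTORY_CSV, EOL_DATES, TODAY)


if __name__ == "__main__":
    for host, issues in run_example().items():
        print(f"{host}: {', '.join(issues)}")
```

On the sample data, LT-001 and SRV-01 pass, LT-002 is reported for an end-of-life OS and an overdue patch, PHONE-7 for both plus a BYOD confirmation, and DEV-09 because its OS is absent from the support table. Treating an unknown OS as a finding rather than silently passing it is deliberate: an assessor will ask for evidence of support, not the absence of evidence against it.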
The NCSC (National Cyber Security Centre) has reviewed the influence Cyber Essentials has on cyber security attitudes and behaviours. It found that:
- 93% of certified organisations are confident that they are protected against common, Internet-based cyber attacks;
- 61% of certified organisations say they are more likely to choose suppliers with Cyber Essentials or Cyber Essentials Plus certification; and
- Certified organisations are more likely to implement cyber security controls beyond the scheme's five controls and are more aware of the risks posed by cyber attacks.