CHRO Community Conversation explores HR's role in cybersecurity

Cybersecurity expert Nathan Desfontaines explained why HR should work more closely with IT.

It is often said that people are the weakest link in cybersecurity. With the current mix of working from home, modified office spaces and (financial) stress, criminals can use social engineering to target workforces. This has been evidenced by the ever-increasing frequency of data breaches where human error often being either a cause or catalyst.

This was the topic for discussion in this week’s CHRO Community Conversation, which was hosted in partnership with Workday.  CHRO SA MD Joël Roerig introduced Cybersec’s Nathan Desfontaines, who led the discussion on the human component of cybersecurity and why IT is not the only department that should feel worried or responsible.

“The CEO of Experian SA recently argued that his company was ’in no way, shape, or form’ hacked, but that a clever criminal convinced them to part with their data. Nathan later created a social media post explaining that this indeed qualified as a hacking incident. According to Nathan, hacking is not only the result of a technical vulnerability,” said Joël. 

Nathan then proceeded to provide an overview of the threats that HR leaders need to be aware of given the extent to which employee errors, negligence or ignorance can leave a company vulnerable to major financial and reputational damage caused by cybercrime.

Nathan said there has been an increase in cyberattacks in the last 12 months, including the City of Johannesburg's website, which was hacked with ransomware with the aim of extorting the city for BitCoin payments. There were also a number of breaches among banks and internet service providers, which suffered a denial of service attacks and data breaches in the same week that the COJ experienced its breaches.

“Liberty announced that they had been breached and a large amount of data had been exfiltrated and that this was followed by a ransom note. There have also been victims in the healthcare sector where South Africa's second-largest private hospital operator in SA, Life Healthcare Group, announced that, while in the midst of the Covid-19 outbreak, it had been victims of an attack,” said Nathan, adding that data had overtaken oil as the world’s most valuable resource. 

That is why there has been an increase in social engineering which,  by definition, is the use of deception to manipulate individuals into divulging confidential or personal information.

Why would that happen to us?

Nathan said that, while companies were well-protected with firewalls and intrusion prevention systems, they aren’t geared for the phone call to the HR or finance department, saying that had completely blindsided a lot of companies who had great tech but were nevertheless still vulnerable to their employees falling victims to relatively rudimentary attacks.

Said Nathan: “Over a decade ago, companies were targets of viruses, worms and trojans, and over time  That quickly evolved into very sophisticated attacks like ransomware attacks. That led to companies spending heavily to protect themselves against sophisticated cyber attacks. However, while we were all gearing up for the digital war, to ensure that organisations have the right tech, tools, and capability to withstand even the most sophisticated of attacks, it seems that cybercriminals began targeting the low-hanging fruit – employees.

Nathan said it is often the case that people and, by extension, organisations, wait to suffer a breach before they take cybersecurity as seriously as they should. That happens because people tend to think an attack is unlikely to happen because 'why would somebody attack me? I'm just an average Joe'. Nathan said that attitude exists, not only in people's corporate environments but also in their personal capacities. And that mentality of not investing in security because of the perceived unlikelihood of an attack is a huge weakness that cybercriminals exploit.

Collaborate more closely with IT

“In the cybersecurity community, we say there are two types of companies. One is a company that has been hacked and is aware of it, and the type that has been hacked and not aware of it. And the important point to note about the latter is that ignorance is not security.”

The second reason why cybersecurity is not top-of-mind in many organisations is that there are mixed messages. Providers of cybersecurity solutions sell them as a silver bullet that will solve all a client’s concerns. As a result, organisations and individuals alike believe that once they purchase that particular solution, they have converted the bases and no longer have to worry about cyber threats.

During the breakaway sessions, HR leaders had the opportunity to share experiences and ideas with one another around the steps they are taking to ensure their people are educated about their responsibility to prevent cybercrime. They also discussed the vulnerabilities created by working from home and how HR leaders can collaborate more effectively with their IT counterparts to prevent cybercrime.

Phumzile Hlatswayo, head of human capital at Altron Bytes Systems Integration, agreed with a lot of what Nathan had said. She explained that, while most organisations had done very well when it comes to human capital partnering with finance, few had the same relationship between human capital and IT.

“Personally, I try to have a close relationship with IT. Whether we are introducing a learning platform or a rewards system, I partner with finance from a budget and sustainability point of view, but I also partner with IT colleagues to make sure that there is seamless integration and to ensure there is security,” said Phumzile. “As part of our cybersecurity culture, we have verification processes for all staff members that log onto our system. They received a verification code much like the one-time pin that banks send when you try to make transactions through internet banking.”

It’s culture conversation

Sats Oosterhuizen, the deputy CIO of Group Shared Systems at Discovery, who joined the conversation on behalf of Discovery CHRO Tswelo Kodisang, highlighted the importance of having a culture of security or cybersecurity. 

“Without that, your organisation is already at a disadvantage. It's just like ethics. If your organisation does not have a strong culture on honesty and ethical behaviour you are likely to get people committing fraud,” said Sats, adding that the challenge HR needs to be made aware of is that all their systems contain sensitive data. Therefore, HR leaders should collaborate more by including IT from the beginning, the moment they get these new applications.

“Add that to the fact that HR operates in a market where there is a proliferation of shadow IT in the sense that our HR colleagues use a variety of apps without going through any kind of security vetting, and that is extremely dangerous. I know that sometimes, IT comes across as a function that stonewalls progress and innovation but there is a responsibility on both sides to be more vigilant. Any application that is driven by HR will have sensitive data in it and, because of that, we have to take more precautions.”

Tsebo Solutions Group CHRO Elanie Kruger said she was glad that the conversation shined a spotlight on cybersecurity and the role that HR leaders have to play in fortifying it. 

“If you think about it, the common thread across all the data touchpoints in an organisation is people. And while we are often so focused on protecting and creating awareness among customers, I do think there is a lot more we can do from the employee perspective. Like many other HR interventions, we have to do more than approaching cybersecurity from a compliance perspective. We have to change the culture by instilling awareness from the induction stage of the employee life cycle.”

Nathan closed the discussion saying that the cybersecurity community had overestimated the impact that working from home would have on the number of attacks saying “we prepared for armageddon when we realised that there would be an increase in remote working.” However, expectations far exceeded reality in terms of what that meant for businesses because there simply had not been as many breaches as anticipated. Nathan said, however, that this could simply mean that, "either the breaches have happened but are yet to be identified as organisations currently monitoring and reporting capabilities do not have required visibility; or there is possible an inherent level of inherent security by means of workforce distribution."

“Maybe we haven't realised those reaches yet, meaning we could only start seeing their impact happening as more employees return to offices.”