Safe and secure
12 April 2018
This article was featured in the May 2018 issue of the magazine.
As the threat of cyberattacks on UK businesses increases, freelance writer and editor Kavitha Sivasubramaniam looks at the role of employers in ensuring that company data is adequately protected
As one of the leading criminal threats to the economy, a cyberattack is an offensive strike against computer networks or systems, usually anonymously released from one or more computers. Malicious code is used to target and compromise data, resulting in cybercrimes including identity and information theft.
The Cyber Security Breaches Survey 2017 (https://bit.ly/2pFfADc) from the Department for Digital, Culture, Media and Sport revealed that just under half (46%) of all organisations have identified at least one cyber security attack or breach within the last twelve months, including 38% of micro-firms, 52% of small companies and 66% of medium-sized firms.
Cyberattacks happen every day, both on a personal level and at an organisation level, and according to government research more than half (54%) of the UK’s biggest 350 companies now identify cyber threats as a top risk to their business. Despite this, the FTSE 350 Cyber Governance Health Check Report 2017 (https://bit.ly/2wgwMoR) further revealed that more than two-thirds (68%) of boards had not received training to deal with a cyber incident.
The aforementioned annual report, which provides insight into how the UK’s largest firms deal with cyber security, also found that one in ten function without a response plan in place to deal with a cyber incident and less than a third (31%) of boards are provided with comprehensive information about cyber risks.
...one in ten function without a response plan in place to deal with a cyber incident...
The cost of crime
With estimates suggesting cyberattacks could be costing UK companies billions of pounds each year, there is no doubt that cyber security should be a key consideration for any business in order to identify areas of exposure that could potentially be exploited.
“Ensuring an organisation has a strong security posture is now the cost of doing business and increasingly organisations are required to demonstrate their posture while operating as part of a supply chain or tendering for new contracts. This is even more evident within the revised data protection regulation, when operating as a controller or processor of personal data,” explains Andrew Collins, chief operating officer at Omnicyber Security, provider of cyber security and online compliance.
Key threats
Omnicyber Security’s incident response team are most commonly required to address three types of attacks: ransomware attacks; exploitation of websites through known vulnerabilities; and misconfiguration of IT networks.
“Large businesses currently go to great lengths and costs to protect their systems and data. Any breach of their data would be costly, damaging to their brand and reputation and would have knock on implications for their employees or customers,” says Paul Rains, director at Transact HR Ltd and business partner for the People Solutions Company.
For employers, their key concerns will be, data theft, potential disclosure of personal data, loss of access to data, loss of use of data and damage to data.
Rains says: “Without the ability to process accurate data businesses will fail. They will fail to pay their employees, fail to pay their creditors, fail to collect money owed from their debtors and fail to pay their taxes. Threats could also damage or stop business websites, email systems and local/wide area networks.”
Worryingly, a survey of more than 1,000 respondents commissioned by IT products, managed services and solutions provider Probrand found that British firms are not performing basic tasks that could make their company data more secure. For example, less than a quarter change passwords for key online accounts and services when an employee leaves employment – meaning former staff members could be continuing to access confidential information.
...employees have a key role to play in keeping data safe...
Preventative measures
The good news is that employers can take preventative steps to keep their data secure.
“An organisation needs to understand the key risks within their business and build a ‘defence in depth’ security strategy,” explains Collins. “This can be adopted gradually and iteratively to limit both cost and disruption to the business. Often organisations will prioritise operational efficiency over security.”
In terms of payroll processing, Rains suggests employers do the following:
-
Keep any hardware (workstations/laptops/mobile devices/printers) and operating software up to date.
-
Ensure all payroll/human resources (HR) data for processing is ideally continuously backed up so that it can be restored back to the point of failure or, if that is too costly, ensure it is backed up at least daily.
-
Keep virus software up to date.
-
Regularly review who is and is not let through internal firewalls.
-
Consider which web browsers to let employees use. Some are better for protection than others; however, they may also conflict with some self-service portals. l Limit employee browsing to trusted and secure websites.
-
Consider closing VPN (virtual private network) access outside working hours.
-
Enforce the change of HR/payroll systems password every three months and ensure the password is of sufficient length and strength to deter hackers.
-
Educate through a continuous awareness program HR/payroll staff of the importance of data security and the dos and don’ts.
-
Carry out penetration testing on HR/payroll software every six to twelve months. If the business doesn’t own the software, the host or provider should do the test instead.
-
Encrypt data on mobile/portable devices.
-
Consider adding additional questions to log into self-service portals.
-
Perform rigorous employment checks on staff who work with HR/payroll systems and those who are DBAs (i.e. doing business as operational rather than legal names). The Morrisons data theft incident which led to employees suing the retailer identified that internal staff should also be considered.
A shared responsibility
It must not be forgotten that employees have a key role to play in keeping data safe too.
The Probrand survey also found that nearly half (46%) use the same password for everything at work. In addition, a quarter admitted to using an easily discovered piece of information as the basis of their password, such as date of births and spouses’ names.
“Employees can be a critical line of defence against attacks that are delivered via emails,” says Collins. “Employers should conduct relevant and annual training (as a minimum) to reinforce a conscious and diligent culture. This should be extended to data privacy awareness and training which will become mandatory when the data protection bill becomes legislation in May this year.”
Rains says every staff member should always act responsibly as follows.
-
Keeping logins and passwords safe and secure.
-
Not sharing logins or passwords.
-
Not providing their email address to organisations they do not know or have not vetted.
-
Refraining from sending personal data in email attachments if it is not encrypted or without a security password.
-
Refraining from using portable memory/USB sticks/CD drives.
-
Limiting the use of their own personal laptops or tablets for accessing self-service portals only.
-
Protecting mobile devices with a password or fingerprint recognition.
-
Checking who the sender of an email is before clicking on inviting email links. Hackers may initially disguise the sender’s email address so that it looks genuine, but by clicking on it the real email address is revealed. Many people have been fooled by bogus tax refunds emails which looked like they come from HM Revenue & Customs (HMRC) but the email sender is not from HMRC’s domain.
-
Not opening .exe or .zip files attached to emails unless they are 100% confident of the source of the email.
-
Not opening MS Office/365 files (e.g. Word/Excel) unless they are 100% confident of the source of the email.
-
Being aware of any one in the HR/payroll/IT team acting suspiciously, and reporting it to a manager.
Insurance
Cyber insurance: managing the risk (https://bit.ly/2xjAj3f), a whitepaper published by BDO in August 2017, found that businesses are continuing to spend up to four times more on insuring other company assets, such as property and equipment, than on cyber insurance – despite an increasingly widespread belief that their cyber assets are in fact up to 14% more valuable.
Rains believes insurance to mitigate a risk is normally a good idea. “The activity of payroll processing is deemed a higher risk by most insurers. Premiums for a small- to medium-size enterprise [SME] start relatively cheap but increase based on the number of employee records you process. Providing you act in a professional manner regarding the safety of your data insurance gives you peace of mind that you can pay any ransom and get some compensation for any data breach fines/penalties, individual claims against you, damage to systems and software and any business interruption costs,” he says.
Collins too believes that cyber insurance is a valid way to transfer risk when the cost of securing an asset is too high, suggesting SMEs with a turnover under £20 million consider the Cyber Essentials Scheme (https://bit.ly/1hkkmdz), which is a government-backed initiative to help businesses protect themselves from everyday online threats. As part of undertaking and passing this certification employers can apply for free insurance which will cover organisations up to £25,000.
However, Rains warns that simply having insurance will not prevent an attack from happening. “My concern here, is that it might end up like car insurance where fake accidents claims are common. In this case will it encourage hackers and more cyberattacks because these criminals will know we are insured so they will get their ransom money,” he adds.
Third-party support
According to Collins, technology alone will not provide a silver bullet to security and finding budget for an in-depth security programme can be costly without an immediate return on your investment. “Work with a third party to validate your risk,” he says. “A good consultant will first take the time to understand your business and then prioritise where your budget should be allocated and used to the greatest effect.”
Rains agrees that third parties who you share data with as an outsourcer or as a customer can help by providing you with a secure and safe method of transferring data like HMRC or BACS do. “Transferring time and attendance [T&A] data from an external T&A system using email, emailing lists to third-party creditors, emailing pension data in a csv [comma separated value] file or a spreadsheet to a pension provider or sending or receiving payroll data on a spreadsheet to/from a payroll bureau is not a safe method,” he explains, adding that secure, password protected file transfer protocol sites are required to transfer data in and out.
Getting it wrong
According to Rains, the most obvious danger of getting cyber security wrong is having your processing data held to ransom. “That’s a scary thought if you are just about to run your payroll and your systems are breached and your processing data is held to ransom,” he says, adding that it is for this reason the incoming General Data Protection Regulation is so important. “We need to make sure we take better care of our data because there are unscrupulous people out there who now see our data as a commodity and a way to get rich quick.”
Other dangers include damage to or permanent loss of data, damage to internal systems or networks and websites.
...most obvious danger of getting cyber security wrong is having your processing data held to ransom
Looking to the future
So, with the threat of cyberattacks ever increasing, is cyber security an issue that will ever go away? Unfortunately for employers, this looks unlikely.
“Data is already a commodity and a currency. The more data that is produced the more likelihood that this will become more of a problem,” says Rains.
Data is shifting from in-house systems to cloud solutions, although this does mean the data is less safe – in some cases quite the reverse. But the impact of any potential cyberattack will be greater for any hacker, and the bigger the impact, the bigger the potential ransom, he explains.
“It is very easy even now to buy ransomware on the dark web. You can buy it as ‘ransom as a service’ so you do not even need IT skills. You pay a fee upfront to use the software and then you take any ransom collected usually in Bitcoins,” Rains adds.
So, while ensuring cyber security may seem like a daunting task, the most astute employers will accept that doing so is an absolute necessity.