HR’s role in minimising data breaches

If you think the link between data breaches and HR is tenuous, think again. The Office of the Australian Information Commissioner (OAIC)* has just released its notifiable data breaches report for the period 1 October to 31 December 2018, and it makes for sobering reading. The report shows that human error remains a major contributing factor for breaches – indicating both carelessness on the part of employees, and a need for better training.

*Similar statistics are not available for New Zealand, which currently falls into a group of countries in which breach reporting is not mandatory. However, the NZ Government has indicated that a mandatory requirement to report data breaches will be part of a new Privacy Bill. These changes are expected to be implemented sometime in 2019.

Regardless of geographical location, there is a fundamental need for employers to better educate and train employees about such risks when considering OAIC’s findings.

There were 262 notifications in the last quarter – a slight increase since notifications became mandatory in February 2018. Of these reports, 3% were due to system faults, 33% were attributed to human error, and 64% to malicious or criminal attacks. Malicious attacks are defined as those deliberately intended to exploit vulnerabilities for financial or other gain.

However, it’s the high percentage attributable to human error that is cause for concern. The OAIC said many of the incidents were a result of employees clicking on a phishing email or disclosing passwords. Twenty-seven percent of those which were defined as being a result of human error involved the sending of an email to a wrong recipient or posting mail to an incorrect recipient.

The primary type of information disclosed in all breaches were contact details such as names, addresses and phone numbers, followed by financial details. Some 46 of the cases related to disclosure of tax file numbers.

The collection and use of personal data has become a significant issue for organisations in the past 2 years, not only due to a number of high-profile data breaches but also due to new regulations. For example, from 25 May 2018, Australian and New Zealand businesses have had to comply with the General Data Protection Regulation (GDPR) if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.

Law firm Lavan[1] suggested it’s time to bust the myth that breaches were the responsibility of IT specifically or systems more generally.

Lavan’s analysis of the latest OAIC data breach statistics stated: “The problem is self-evidently a whole of business problem. It requires a whole of business solution, including education, training and monitoring, not just the provision of a good IT system. The IT system won’t prevent human error.”

What can HR do?

For HR leaders, collaboration with internal and external experts is one important way to reduce human-related security risks. HR is, in many ways, in the frontline – especially as recruitment and payroll are personal data-intensive areas. Here are 3 proactive suggestions:

  1. Bolster employee awareness. While hackers are a clear and present danger, as the latest statistics suggest, another less heralded danger comes from within: your own employees. While some of these incidents are malicious or involve criminal collusion, the vast majority are related to simple, preventable mistakes. Employees may innocently click a link or download malware because they lack the knowledge to identify a threat. While 80% of Australian businesses (73% of New Zealand businesses) have training in place to prevent a cyber breach, only 4 in 10 businesses in both countries are very confident in these measures as a key line of defence.[2]

It’s recommended that security awareness training sessions should be repeated on a regular basis as the positive effects fade away over time. Also, phishing simulation campaigns should be a routine exercise in order to:

  • Keep a general level of security awareness and vigilance
  • Identify new employees (e.g. new hires, contractors, vendors) with challenges to withstand social engineering attempts
  • Identify existing members of staff who may require further education
  • Raise staff awareness of new types of phishing emails they are likely to receive.
  1. Smarter policies and position descriptions. This is where HR’s focus has traditionally been: policy enforcement and compliance. This is still critical, but it won’t change behaviour – that can only be achieved with regular, mandatory training. Still, individuals should be aware of the need to protect sensitive information. HR may need to collaborate internally or externally with IT consultants on how to bring documentation up to date. If your position descriptions do not address information security, they may need to be revised to include:
  • Acceptable technology use
  • Password format and changes
  • Employee ethics
  • Data protection responsibility and practices
  1. Crisis management planning. For any organisation that falls victim to a security incident, restoring operations quickly can minimise revenue loss and maintain client loyalty. While business continuity is typically an organisation-wide effort, HR may be called upon to support efforts to educate employees on crisis behaviour and analyse the “people” side of disaster recovery.

From reactive to proactive

Today’s data-centric world requires organisations to be vigilant across 3 areas: people, processes and technology. While all 3 are critical, the “people” element is the trickiest to navigate. Afterall, even the best processes and systems are susceptible to the actions – both purposeful and accidental – of people. Training and awareness around data usage, privacy and cybersecurity should form the frontline of defence for all organisations to guard against data breaches.

ELMO Course Library offers over 400+ eLearning courses covering a range of topics including compliance, soft skills and productivity training. A number of courses cover the GDPR and State / Territory-based privacy legislation. These include:

Australia

  • Cyber Security Awareness
  • The European Union General Data Protection Regulation (GDPR)
  • Information Privacy Awareness (ACT)
  • Information Privacy Awareness (NT)
  • Information Privacy Awareness (Qld)
  • Information Security Management
  • Personal Information Protection (Tas)
  • Privacy Awareness
  • Privacy and Data Protection Awareness (Vic)
  • Privacy and Personal Information Protection (NSW)
  • Recordkeeping Awareness (WA)

New Zealand

  • Cyber Security Awareness (NZ)
  • Privacy Awareness (NZ)

To learn how ELMO Course Library can help your employees keep their skills and knowledge sharp, now and into the future, contact us.

[1] https://www.lavan.com.au/advice/cyber-and-data-protection/notifiable-data-breaches-the-latest-statistics-are-in-human-error-continues

[2] Aura Information Security Survey, November 2018

Learn more about how ELMO can help your organisation.
Learn more about how ELMO can help your organisation.