
Rising cyber-crime and why you need strong HR policies

Release Date

14 February 2014

Recent hacks into the websites of the Reserve Bank, Australian Federal Police and Crimestoppers are high-profile examples of the general increase in security breaches that has affected Australian organisations. They demonstrate the need for employers to have robust and regularly updated policies covering security of information and use of technology, such as mobile communication devices at work.
 
A global survey released recently by management consulting firm Ernst & Young (EY) reported that 40 per cent of the Australian organisations surveyed said the number of security incidents within their businesses had increased during the past year. This survey has now been conducted for 16 years, and about 1900 executives (including 90 in Australia) participated in the 2013 survey.
 

Most businesses are increasing security steps

 
The vast majority (88%) of businesses are increasing their investment in cyber-security precautions, with almost 80 per cent of the Australian respondents stating that their current provisions did not fully meet the needs of the business. Security budget allocations were likewise increasing.
 
Another trend has been for information security responsibility to move higher up the organisation, with 70 per cent reporting that it was now ‘owned’ at the highest level. It is becoming increasingly common for information security functions to report directly to either the CEO or Board, usually on a quarterly basis.
 
But lack of budget a major problem
 
Inadequate security protection budgets were a more serious issue in Australia than elsewhere, with 73 per cent of organisations claiming it was their biggest barrier to security, compared to the global average of 65 per cent. Budget increases of 5 per cent or more for 2014 were common: one-half of all respondents intended to implement an increase of at least 5 per cent, with security innovation and emerging technologies being priority areas. Despite this, a majority, as noted above, still believed that these increases would not be enough to keep up with developments and trends.
 
A media release issued by EY Australia claimed that the gap between the level of information security measures organisations have in place and what they actually need to have is widening. Use of social media and mobile communication devices at work was identified as a particular current problem area. It added that organisations are tending to focus too much on dealing with current issues, and not enough on emerging issues.
 
 

What threats are coming next?

 
The US EY website identifies several technology developments that are either ‘around the corner’ or ‘on the horizon’. These are in addition to current issues such as smartphones, tablets, social media and software applications.
 
Around the corner
 
  • Big data — the exponential volume and complexity of data under management
  • Enterprise application store — associated costs versus increased productivity of employee requests for applications
  • Supply chain management — how external stakeholders (eg customers, suppliers, vendors, contractors and partners) impact on security
  • Cloud service brokerage — how brokers manage cloud security, privacy and compliance issues
  • ‘Bring your own cloud’ — personal cloud infrastructures that can be owned, managed and operated by an organisation, a third party or both, which may exist on or off-site, and which concern data and applications access that only cloud owners manage.
     
On the horizon
 
  • In-memory computing — data storage in the main random access memory instead of complicated databases, allowing real-time analysis of high-volume data
  • Internet of things — for example, embedded sensors and image recognition technologies, which are used in security programs but will more often be applied to day-to-day life activities
  • Digital money — related regulations and legislation needed to address fraud and money laundering issues relating to mobile money services
  • Cyber havens — where countries provide data hosting without onerous regulations.
     

Recommended strategies

 
EY Australia recommends that businesses implement the Top Four Strategies to Mitigate Targeted Cyber Intrusions of the US Defence Signal Directorate:
 
  • application whitelisting
  • patch applications
  • patch operating systems
  • minimising the number of users with domain local administrative privileges.
     
The report also recommended that higher priority be given to the following steps:
 
  • upgrading security awareness and training
  • threat intelligence and vulnerability management programs, because these identify where cyber-threats are and where future cyber-attacks may be coming from
  • identity and access management programs.
     
However, leadership, accountability, governance and robust HR and security policies are also required, not just technology and IT precautions. The report claims that 80 per cent of the solution is non-technical.
 

Implications for HR

 
The above survey results and technology predictions highlight the importance of conducting regular reviews of your HR policies relating to information security and use of technology, especially concerning the distinction between work and personal use. Policy contents are likely to go out of date quickly, and will probably need to be regularly updated. Each time there is an update, employees will need to be notified of the changes and retraining may be necessary.
