Middle East businesses paying more attention to risk of cyber-crime by employees
Author: Kirsty Tuxford | Date: 13 Jul 2016
HR can prevent attacks from within by providing effective conflict resolution
Organisations are becoming more concerned with the threat of cyber-attacks, according to a new study by Deloitte.
But the survey, Agenda priorities across the region, found that fewer than half the directors interviewed in countries across the region had a plan in place to deal with the threat.
HR can play a major role in the prevention of cyber-crime, as research published in Harvard Business Review in 2014 shows that more than 20 per cent of high-impact cyber-attacks on organisations come from insiders with access to computer systems.
“The hiring process in the GCC is often informal,” said Stephen Brooks FCIPD, director at Oxford Strategic Consulting. “People may be hired through friends, relatives and social contacts without any reference checking or vetting. Although this may be an acceptable way of identifying candidates, it is still vital before allowing them into the heart of the organisation and accessing its systems, to check that they are who they say they are and that they have the experience and qualifications they claim. This not only protects the organisation from potential cyber-attacks but also helps to assess whether the candidate is competent to do the job.
“HR has a critical role to play in protecting the organisation by taking up references and checking on qualifications. The same should apply to contractors, particularly IT contractors who often have privileged access to sensitive IT systems. HR should demand to see proof that suppliers have vetted employees who perform sensitive roles,” he added.
HR’s role in protecting the company does not end with pre-employment reference checks, said Brooks. HR can also play an important role in protecting the company from employees who go rogue. “Research by the FBI in the US shows that most rogue employees were previously loyal but became rogue as a result of an unresolved grievance against the company or its managers,” said Brooks. “HR can help reduce this risk by developing effective grievance procedures that enable employees to raise grievances and find solutions. If HR is on the ball they will also know which employees have grievances and so present a higher risk.”
Digby Bennett, regional sales director and board member at China Systems Middle East, is experienced at staying on top of threats to company software. “It is well known that effective attacks come from within an organisation,” he said. “Organisations should be careful about automatically trusting long-standing employees. ABC principles should be applied: Accept nothing; Believe no one; Check everything. There have been a number of incidents in the region of people who appeared trustworthy, and who have been employed for a considerable time in a trusted position, committing large frauds.”
The challenge for HR is to make employee monitoring ethical and non-intrusive. “Monitoring cannot be too intrusive, but it does need to be done,” said Bennett. “Sometimes it is better to broadcast the policies and inform staff that a process is in place, as this naturally acts as a deterrent. It is better to hold a number of people accountable, as this allows for cross-checking. Cyber protection policies are naturally invasive, but as it’s digital, you can scan for exceptions, such as key words in digital message exchanges or unusual patterns in payment methods. While this can be expensive, the savings will clearly outweigh the cost of a breach, including the costs associated with reputational damage,” he added.