
Information security is an HR problem

New legislation and compliance guidelines focus on IT security as a critical governance, risk and compliance issue. And it falls to HR to help mitigate the risks.

Information security has become a global battlefield, with attackers becoming increasingly sophisticated. Cyber crime is one of the fastest-growing areas of crime today and the most common target is enterprise information.

Staying ahead of potential attacks and mitigating the risks is now as much the responsibility of business management as it is of the IT department. And business management must ensure that all staff are trained and aware of the potential information security risks, making information security partly the responsibility of HR and training executives.

People are still the weakest link

Local information security experts note that people are still the weakest link in information security strategies.

Henry Peens, the MD of Yelloworx Information Security, said: "The ignorance factor is immense. Management cannot just assume that all staff are IT- and security-savvy." Peens has been involved in implementing new Symantec Staff Security Awareness training modules at local enterprises in recent months and said that the pre-training assessment ratings being recorded are exceptionally low. "On average, we are seeing staff have an information security knowledge rating of between 18% and 22%. This came as a surprise to their IT departments."

The assessment questionnaire covered issues as basic as who staff should report security breaches to, said Peens - and many did not know.

"HR needs a better understanding of the information security issues and the training that is available to help the company avert these threats," said Peens.

Cyber forensics

Another area in which HR needs to focus on information security is cyber forensics. In cases in which employees have committed crimes using company networks and data, the ability to prosecute depends on the availability of evidence within the systems. Cyber forensic specialist Danny Myburgh, the head of Cyanre, said that South African enterprises are hampering their ability to prosecute cyber-based crimes against them, due to a lack of forensic readiness.

"In the past eight months, we've seen a sudden increase in the number of local individuals and organisations targeting local companies for industrial espionage. The spyware in use is very sophisticated and appears to focus on company communications, including email communications, Internet usage and online chat," he said.

The main targets for this spyware, Myburgh said, are senior management, finance departments, R&D and sales. Cyanre's investigations reveal that spyware is most often introduced into the target system by "thumb drive thugs" - employees who knowingly install it using a memory stick or mobile device.

Myburgh said: "In around 75% of cases that we investigate, we find there was inside involvement - usually deliberate."

Forensic readiness is crucial to successful investigations and prosecutions, said Myburgh. "Enterprises need to conduct audits of their systems and processes to ensure that if there is a breach, their systems are configured to allow a successful investigation. Often, you will find too many people have the system administrator password, for example, or their system recording is not switched on. Organisations need to look at forensic readiness as part of their overall risk management and corporate governance. They must focus on 'can we determine after the event who did what on the system, and how do we prove it?'"

Awareness and effort by every employee in the company

Combating cyber crime and reducing risks to the company's data and reputation depends on awareness and effort by every employee in the company. Andrew Potgieter, business unit manager of Westcon Security, said that more focus is needed on security awareness at an individual level. "This is particularly true in the bring-your-own-device era, when enterprise information and personal information reside on the same mobile devices."

The information at risk is not only customer contact details and financial results, he pointed out. Serious reputational risk could occur if an email containing a random comment found itself in the wrong hands; or if communications relating to a pending merger or acquisition went public, for example.

Potgieter said: "Enterprises have a responsibility to their shareholders and customers to secure information, and it is the responsibility of business management and HR to create awareness and deliver the necessary training."

ITWeb Security Summit

HR and training managers will have the opportunity to discover the latest information security threats facing enterprises, and what solutions and staff training tools are available, at the annual ITWeb Security Summit at the Sandton Convention Centre from 7 to 9 May, 2013. The conference, to be addressed by the world's top cyber security experts, will also include a solutions expo and workshops aimed at both business management and information security specialists.

For more information about the ITWeb Security Summit, go to www.securitysummit.co.za.
