HR should own “people factor” of cyber security

Nearly half (47%) of HR departments do not know when their cyber security was last considered and only 22% have reviewed the people aspects of their organisation’s cyber security ion the past year.

This is according to the 2017 Jelf Employee Benefits Survey, which also found that only 17% of the employers believed that the “people factor” risk was being sufficiently dealt with by their organisation. One in five (21%) employers said they were actively working on improving such security concerns.

Last month’s ransomware attack that wreaked havoc in nearly 100 countries and majorly disrupted the UK’s National Health Service, highlights the potential financial and reputational damage of cyber-crime to business.

A recent IBM report suggested that 60% of all such attacks were the result of insider activity, either through unintentional negligence or malicious intent.

Steve Herbert, head of benefits strategy at Jelf Employee Benefits, said: “These findings are both rather surprising and worrying. It is widely accepted that one of the biggest risks in cyber security is centred on employees, be that because of inadvertent mistakes or direct criminal activity.

“It therefore follows that human resources professionals have a key role to play in managing and mitigating this risk. It is no longer sufficient to expect this problem to be owned by the IT team alone.”

Herbert strongly urged HR departments to “own” the people factor inherent in cyber risk with strong systems and protocols from the date of employment onwards.

“We would also encourage HR teams to ensure that their choice of employee benefits platform is both robust and secure, and to undertake a regular review of all password protocols,” he added. “In addition we would suggest a detailed audit of any automated employee data flow between payroll, HR, and employee benefit providers to identify and resolve potential weaknesses before they become a problem.”

Jelf’s research was based on 185 responses.