With the number of high-profile security disasters increasing, it is imperative that human resources departments run the appropriate systems to keep the good guys in and the baddies out.
If security managers dwelled on the disasters that could result from breaches to their information systems they would hardly dare get out of bed in the morning. Few are willing to admit to embarrassing incidents, but a Department of Trade and Industry survey this year showed that 60 per cent of companies had suffered a breach in the past two years, at an estimated average cost of £16,000 each.
Hackers can learn the organisation’s innermost secrets, as happened to Microsoft recently, or simply gatecrash its web site to protest about fuel prices (HSBC). The break-ins do not even have to be intentional: on-line customers of both Powergen and Barclays stumbled across other people’s account and credit card details by accident.
High-profile external penetrations catch the headlines, but companies are actually more vulnerable on the inside. According to a recent CSI/FBI survey, disgruntled employees cause more than 80 per cent of problems, a figure often confirmed by other studies.
“The number of individuals in a position to steal large sums of money is limited but what many companies don’t realise is that the real jewels are their intellectual property, which can easily be left on an e-mail or floppy disk,” says Chris O’Donoghue, director of the Risk Advisory Group.
Employers can now also be held personally liable under the Data Protection Act for any misuse of information on staff or customers. Since such details are commonly held on computers in the form of employee files, CVs and transaction records, that represents a potential danger.
“One of the big things that has changed in the past five years is that information has spread much more widely across the organisation,” says Dave Johnson, business future manager at Rebus. “That puts the focus on security much more than before, particularly for people handling subjects like performance appraisal or recruitment, who have to take great care that the information is kept private and confidential.”
The battle against leaks and embarrassments is being fought on two fronts. Suppliers of computer systems can provide dedicated solutions to maintain their integrity, in the form of firewalls, passwords, encryption, and other security devices. But first and foremost this is an HR issue, the experts acknowledge. No amount of technical wizardry will work unless employees co-operate, and managers must take account of a number of factors.
The first requirement is to think about what you are trying to protect. A common mistake, according to security experts, is to install a range of protection devices without any clear idea of the problems that may be present. A thorough audit will indicate what information is most precious and where it is located, and identify the source of any potential threat.
“The important thing is to have a security policy that covers the whole company,” says Sally Livermore, HR product manager at Meta4, which specialises in employee self-service. “When you are installing a new system you need to provide guidelines on issues such as data protection, privacy, ownership, and accountability, together with a policy on passwords.”
Once the rules have been decided they need to be communicated to the company. “Employees should be able to answer two key questions: what is the organisation’s security policy and what are the consequences to me if I do not follow it closely?” says Mike Graves, European marketing manager of HP’s Internet Security Division.
Identifying the issues at an early stage will help to ensure that appropriate security measures are built into any new system installation.
Create a security-conscious climate
Security is largely a matter of guarding against human error, such as forgetting to log off or leaving passwords lying around.
Failure to lock away back-up tapes can lead to theft of every piece of valuable information a company may have, so managers need to guard against laxity.
“You need to do the housekeeping,” emphasises Hugo Fair, director of Software for People. “A lot of people take security seriously while they are working on the selection and specification of a system, but don’t apply it in practice.”
That can mean setting a good example. “Too often employees complain about weak security but are told not to worry,” says David Fleming, senior consultant at Security Design International (SDI).

“We know of a manager who leaves his files open on the desk for everyone to see, and if he does that why shouldn’t anyone else?”
Research shows that security failures in many cases occur during change programmes that involve a transition to new processes and information systems, Fleming says. “Sometimes, quite minor changes have enormous effects, so before you carry them out check that training has been done to make users aware of the necessary procedures.”
Carry out regular screening
An organisation that fails to vet employees makes itself especially vulnerable, and HR’s role is pivotal in minimising the threat from potentially troublesome individuals. However, this may bring it into conflict with line managers, who will be peeved if the individual they have picked for the job turns out to be a potential security risk, points out the Risk Advisory Group’s O’Donoghue.
IT consultants working on short-term contracts are a particular danger, he points out, since their loyalties may often be to themselves rather than to the organisation. “It is negligent not to screen them as rigorously as you do your own staff, yet often not even the most basic checks are supplied. The assumption is often that the agency has done that, which is often not the case,” he says.
Employers need to be rigorous about taking up references from educational establishments and previous jobs, says Richard Hitchens, director of Personnel Risk Management. Unexplained gaps in the employment record might suggest a criminal record, which cannot be discovered by third-party checks.
He adds, “It’s a sad fact of life that people’s circumstances and motivations change, and new temptations come along. The only way to guard against problems is to review the person’s history.”
Access control
Controls should relate to the need, for instance by permitting some employees to both read and write to files that others can only read. Software for People’s Fair says, “With something relatively sensitive such as performance appraisal, a line manager should not be able to see data for other departments besides their own, but be able to update their own team. Or there might be a function that enables an HR user to modify job histories but not create a new one.”
Authorisation levels can filter out information unobtrusively, he adds, so that a person will not be aware that there is a field missing from their screen that is visible to a colleague with wider access.
Passwords are often treated as an unnecessary nuisance, and it is important to hammer home the message that they matter. Keep to a minimum the number of passwords an individual has to remember, SDI’s Fleming suggests: he knows a case of an employee being given as many as 25.
A five-character word like “mouse” can take a hacker as little as an hour to crack, whereas one of seven characters and digits would take 20 years. However, it can also be harder to remember, which some employees resolve by sticking a note next to their screen.
User management
According to IDC, as many as 60 per cent of passwords in large organisations cannot be matched to a legitimate user. HR needs to be sure at all times who needs to access systems, taking account of temporary staff, part-timers, contractors and consultants, as well as regular employees, and revoke authorisation where it is no longer needed.
That is especially important in large organisations where staff turnover is rapid. “A company such as Vodafone has a huge number of contract staff working on a weekly basis and it can be difficult to keep track,” says Colin Bradley, sales director of security consultancy HarrierZeuros. “If an employee leaves without their accounts being deactivated anyone can use their ID to do silly things without being discovered.”
Most suppliers advocate linking security measures to the role rather than the individual. “You create a permission list that contains the security rights associated with a particular activity,” explains Steve Curtis, European technology consultant at PeopleSoft.
“If I move from being a technical specialist to a recruiter, the access I need for that is changed, but I retain authorisation that I require to access systems in my other roles as a manager and as an employee. This provides a security layer that no user can bypass.”
Monitor e-mail traffic
E-mail represents special security problems, since it can be the source of viruses, unsolicited messages, and pornography, as well as the means of disseminating sensitive commercial information, personal details about staff or customers, or even libel about other companies.
Within the company it can be used to harass others with sexual, racial or disability-based abuse, and an employer that fails to take action in such cases is committing a statutory offence. More general cases of bullying can result in a constructive dismissal claim.
These are not hypothetical dangers but the basis of much ongoing court action, warns Tamzin Matthew, a solicitor at the law offices of intellectual property specialists Marcus J O’Leary.
In one case an employee admitted to serious shortcomings within the company in a private e-mail that the recipient then posted on a bulletin board. In another, an individual sent an e-mail with extreme religious content to everyone in the company, provoking a flood of responses that blocked the system.
One hazard that goes largely unrecognised is that e-mail serves as evidence of an exchange of promises, amounting to a contract. A disaffected outgoing member of staff can abuse that, for instance by ordering a lorryload of pencils that the company would be liable for.
Protect employee information
Technology has changed the way CVs are created, stored and disseminated. This presents an increasing danger both for individuals and organisations, which are liable under the Data Protection Act for misuse resulting from leaks.
Until now there has been little regulation of the Internet traffic in CVs, but this could change.
Phil Jennings, managing director of job site GraduateBase.com, says it will not send CVs on-line without providing an audit trail. That enables job seekers to know exactly to whom the information is going and to receive an assurance that it will be deleted once used, as will soon be required by EU law.
“HR has to be very careful about sending a CV to other companies, because they don’t know where it is going to end up,” he says. “This applies particularly in the case of individuals who are already in work: you can imagine what would happen if someone’s CV ended up on their boss’s desk.”
Use appropriate technology
HR systems commonly include encryption as a standard feature. “With our Professional Personnel software you have an option where the manager presses a button and anyone trying to hack in from outside would get garbage,” says Robert Wyeth, sales director of InfoSupport.
Specialist software can help in a number of other ways. One programme based on artificial intelligence can build profiles of users and monitor their behaviour, alerting management when someone logs on to systems at unusual times.
User management systems can help ensure that redundant authorisation passes are withdrawn when employees change roles or leave.
Another range of products monitors e-mail traffic by alerting managers to outgoing messages that contain sensitive words or phrases.
A variety of protection devices are available to guard web traffic. And biometrics technology supplied by companies such as Neurodynamics can provide alternative or extra layers of security to passwords by matching fingerprints, eyes, faces or voices.
However, it is important to find a balance between too little and too much security, suggests Elron Software managing director Justin Fry. His company markets templates that help restrict the use of the Internet for time-wasting, risky or inappropriate purposes. But he is conscious that to discourage Internet usage could be counterproductive.
“You need to align your business priorities to your Internet usage,” he says. “Ideally organisations will design a policy that maximises the rights of the individual at the same time as minimising the risks.”
That view is shared by Rebus’s Johnson: he recalls one HR role in the past where he was constantly having to get permission for the reports he needed, until it dawned on his boss that he needed a higher clearance level.
“It’s a balancing act: you want to secure the systems against unauthorised access yet you want to keep them open enough for staff to get the information they want,” says Johnson.
10 top tips
1. Develop a security policy and ensure that every employee is aware of it.
2. Review your security policies from time to time: circumstances will change, bringing with them new kinds of threat.
3. Encourage good security practice by setting a good example.
4. Make sure that employees create effective passwords and take measures to keep them private.
5. Secure the role rather than the individual, updating frequently to ensure that access is terminated when employees move on.
6. Vet employees as far as possible before they come into the company, particularly temps and short-term consultants.
7. Monitor e-mail and tell employees what types of material they may not send out of the company.
8. Understand how technology can help, but use it selectively to cover identifiable risks rather than create blanket bans.
9. Don’t try to save money by not purchasing an appropriate security tool: a preventable breach could cost five times as much to repair.
10. Monitoring devices can provide useful general information as well as protection, so it is worth performing regular audits.