In 2017, the HR director should get involved in cyber-strategy

Business Case | According to Jean-François Faye, Industrial Director at Verlingue, in the face of malicious acts, data piracy, misuse of rights, etc., cyber-security is a chain and its strength depends on the joint involvement of the legal, IT and HR functions.


What statistics do you have on cyber-risks?

Jean-François Faye: In its 2016 survey, the World Economic Forum puts cyber-risks in the risk top ten. The cost to the world economy of cyber-attacks is estimated at $445bn, including $3bn for France. By 2020 the figure could reach $2,000bn due to an acceleration of cyber-attacks, i.e. a five-fold increase in impact. The main risk exposure is in-house: a study by IBM Security indicates that 60% of attacks come from staff, former employees and suppliers.


How can you explain that the main risk is not a technological one?

Jean-François Faye: In the 1990s, Richard Courcy, a Canadian, defined the information system as an organised set of resources that allows you to collect, store, process and distribute information, and which is composed of two sub-systems: one social, and therefore human, the other technical. People have false ideas on cyber-risks. All the analysts agree that even with the best system in the world, if it is not configured correctly, there is a danger of human flaws. Risk exposures come to a large extent from within the organisation. This is why the HR director should be at the centre of managing cyber-risks.


Isn’t this an issue that concerns general management or legal affairs management more than the HR function?

Jean-François Faye: You are right, the cyber-risk concerns all general management, starting with the CEO and the management committee. Cyber-security is like a chain and its strength depends on its weakest link. It is therefore necessary to mobilise several functions within the company: legal affairs, IT, operations, line managers but also the HR director, who is co-architect of cyber-strategy but also the one who puts it into practice.


What are the main risks to which companies are exposed?

Jean-François Faye: One can imagine, for example, the misuse of IT access rights by staff members or disgruntled suppliers out to harm the company by extracting information of a commercial or personal nature so as to reveal it to the public or sell it on to competitors. Last June, we learned that a mutual society for government employees had been the victim of a cyber-attack. An employee had used their access rights in an inappropriate way. As a result, the personal data of many police officers were released on the Internet. Today, a disgruntled employee may decide to take revenge against their employer using a method that is simple and no more complicated than downloading a file. With digitalisation, a company is at the mercy of malicious acts, sabotage, espionage, extortion and piracy. Today these attacks concern 13% of SMEs and 26% of mid-market companies.


What are the impacts on a company that is victim of a cyber-attack?

Jean-François Faye: The company may be undermined not only in the month that follows the cyber-attack but also in the years to come: its reputation could be affected by a media campaign, it may suffer loss of trade, suffer lasting damage to its production system, or be affected from a regulatory point of view or in the eyes of its clientele.


What must the company do in the face of such threats?

Jean-François Faye: The starting point of any action plan is to define a security policy by building a repository. Depending on the business sector, agri-food or banking, the company does not face the same type of risk. The company must also set up a security organisation, integrating all components such as risk management. It must implement a system of governance that brings together all its activities, then define a security plan, often based on an audit, with targeted training and a business continuity plan in the event of a risk occurrence. Human and financial resources must therefore be allocated.


In practical terms, what do you advise as an action plan for HR directors?

Jean-François Faye: The management of access rights is one of the vital links as regards security. Firstly, a procedure for arrivals and departures should be put in place. In reality, it is quite common that a year after their departure from the company, the employee still retains at least three access rights to the information system. In many cases, the rights have not been deleted. And when a staff member moves jobs, he/she is granted new rights and the old ones are not deleted. Restricting data access to the right person is not a complicated process and is easy to implement. There is also a need to train and educate staff on these issues.


How do companies view the cyber-attack problem?

Jean-François Faye: Companies are beginning to show concern. I see the beginnings of awareness. Nowadays, HR directors come to us at Verlingue not just with questions about personal insurance cover. Nevertheless, it is still not a very common issue. And yet, we must begin to take steps, because the European General Data Protection Regulation (GDPR) comes into effect in the spring of 2018, which means that corporate data security will need to be strengthened.