The HR Function has a Strategic Role to Play in Maintaining Cybersecurity Defences - By the Hong Kong Internet Registration Corporation Limited

Publish Date: 2023-06-16

Key Takeaways:
  • The pivot to work from home (WFH) has made it more challenging for organisations to protect themselves from cybersecurity threats, and cybersecurity protocols should include the use of software tools such as two-factor authentication, VPN, and tools to manage passwords.

  • With the rise of AI tools, cybercriminals are using generative artificial intelligence to create convincing phishing campaigns. It is recommended to establish clear protocols outlining the permissible use of AI tools and to ensure they are regularly updated to keep pace with the latest cybersecurity threats.

  • Cybersecurity awareness and training programmes need to be periodically updated and offered to employees at regular intervals, and a people-centric approach that focuses on motivating employees to care about cybersecurity is recommended.

As well as playing an integral role in protecting organisations from cyberattacks, the HR function is also one of the functions most frequently targeted by cybercriminals.

While the IT department can put cybersecurity technology controls in place to protect the organisation, the HR function can play a primary role in ensuring that cybersecurity education is woven into the culture of the organisation.

Ensuring cybersecurity awareness programmes fit with an organisation's specific cybersecurity needs is vital to providing the right training for staff. 

To be effective, employee cybersecurity training programmes need to be interactive and engaging.

Amid a rapidly evolving cybersecurity threat landscape, the HR function has a vital role to play when it comes to protecting an organisation from cyberattacks, notes Arktos Lam, Cyber Security Manager with the Hong Kong Internet Registration Corporation Limited (HKIRC). For example, as the business function with the widest range of points of contact with external sources, the HR function is both a target for cybersecurity attacks and an “access gateway” for cybercriminals.

Lam emphasises that the risk of a cyberattack is always present. There are no holidays or days off, he says. While cybercriminals use advanced technology to probe network entry points for weaknesses and vulnerabilities, they also seek to exploit human weaknesses to gain access to data, devices, systems and networks. “The HR function holds sensitive employee information such as personal data, addresses, phone numbers and bank account details, which are valuable targets for cybersecurity criminals,” Lam says. Since HR practitioners need to open emails and attachments from unknown sources as part of their work, the HR function is often targeted by cybercriminals in phishing attacks.

Lam explains that phishing attacks can come in many different forms; common examples include emails from fake job applicants that carry malware attachments, for instance in the form of a CV. Malware attachments within malicious emails can be disguised as documents, PDFs, e-files and voicemails, and are capable not only of stealing information, but also of providing unauthorised access to an organisation’s sensitive data, destroying data or extorting ransom from the victim. Phishing emails sent to the HR function can also take the form of someone pretending to be a member of staff and requesting changes to his or her employment records. Noting how cybercriminals have become more emboldened and resourceful, Lam points out that “bad actors” are using smarter techniques to trick employees into leaking sensitive data or downloading malicious attachments. An increasingly frequent ploy involves conducting research on a specific individual, such as an organisation’s senior executive, in order to create an attack that can be difficult to distinguish from a genuine email.

"As AI tools become increasingly ubiquitous, cybercriminals are leveraging generative artificial intelligence to craft highly convincing phishing campaigns tailored to the language of the intended recipients. Instead of prohibiting staff from using AI tools, establishing clear protocols outlining which tools can be used and how they can be utilized is recommended."

- Arktos Lam, Cyber Security Manager, Hong Kong Internet Registration Corporation Limited

The cyber threat landscape has become more complex

As the world of work continues to evolve in the aftermath of the COVID-19 outbreak, Lam notes how the pivot to work from home (WFH) and remote working has made it more of a challenge for organisations to protect themselves from cybersecurity threats. “The attack surface has increased,” he says. Previously, organisations had the majority of their staff working from an office, where cybersecurity efforts could be focused on a contained corporate network; staff now log in from home or other remote locations using different devices and network connections. This requires organisations to establish WFH cybersecurity protocols to prevent sensitive data from being compromised. Lam recommends that these protocols include the use of software tools such as two-factor authentication, VPNs (virtual private networks) and tools to manage passwords. To create a secure environment even when staff are using their own home Wi-Fi network, it is important for the HR function to train users to use only work-related tools and accounts for messaging, emailing, video calls or any other form of communication.

Meanwhile, as AI tools become more prevalent, cybercriminals are using generative artificial intelligence (GPT, the type of language model that underlies AI applications such as ChatGPT) to create convincing phishing campaigns in the language of the targeted audience. Consequently, tell-tale signs of fraudulent messages such as bad grammar and spelling become less obvious. While AI tools can be used to intercept or help detect cybersecurity threats, Lam cautions that AI tools must be regularly updated to keep up with the latest cybersecurity threats. Furthermore, instead of prohibiting staff from using AI tools, Lam recommends establishing clear protocols outlining which tools can be used and how they can be utilised. Access should correspond to necessity, Lam advises.

Cybersecurity is everyone’s responsibility

To build preparedness and strengthen resilience to phishing and other forms of cybersecurity attack, Lam proposes increasing user awareness and personnel education. This requires close collaboration between the HR function and the IT function, together with organisational buy-in. Lam believes that educating staff across the organisation, regardless of role or seniority, makes it easier for individuals to be aware of cybersecurity risks and, therefore, of the importance of adhering to security controls and data privacy processes.

When developing employee cybersecurity training programmes, Lam recommends focusing on a people-centric approach rather than a one-size-fits-all approach. “A people-centric approach focuses on what matters most—motivating employees to care about cybersecurity,” Lam says. This can be achieved by tailoring training with bite-sized, interactive, digital or video programmes suited to different job roles. For example, this could involve setting up a simulated phishing attack relevant to the role of the employee. To offer a realistic scenario, a salesperson might receive different phishing emails from those sent to a back-office customer support employee. “Providing training that looks and feels like the content they consume every day engages people,” Lam says. Incorporating competitive challenges into training programmes can also help to motivate employees and build team spirit. For instan