Published on March 16, 2016
1. HEALTH WEALTH CAREER
RISKY BUSINESS: PROTECTING HR DATA IN TODAY'S HACKER-PRONE WORLD
Dr. Katherine Jones, Partner & Director of Research, Talent Information Solutions
2. © MERCER 2016
TOPICS WE WILL ADDRESS TODAY
INSIDE AND OUTSIDE THE ISSUE AT HAND
• Where are the threats?
• It's a major business issue
• It is likely here to stay
SOFTWARE, SECURITY, AND THE CLOUD
• What vendors provide their customers
WHERE TECHNOLOGISTS FIT
• What vendors tell us
3. HOW BIG IS THE PROBLEM?
• 116 successful attacks per week
• 23% increase in attacks yearly, since 2010
• 9M per business, with average annual cost rising 17% yearly
• Cyber crime costs the global economy over 400B
The most recent Global Risks report ranks cyberattacks as one of the top 10 risks most likely to cause a global crisis. Cyberattacks were ranked as the top risk for which North American respondents felt their countries were least prepared.
Sources: Center for Strategic and International Studies/McAfee, Net Losses: Estimating the Global Cost of Cyber Crime (2014); World Economic Forum, Global Risks 2015 (2015); Symantec Internet Security Threat Report; Ponemon 2012, 2013 Costs of Cyber Crime Study; The Global State of Information Security® Survey 2014; The Betterly Report Cyber/Privacy Insurance Market Survey 2013; Cybersecurity Market Report by MarketsandMarkets, June 2012.
4. CYBER RISK IS A RACE WITHOUT A FINISH LINE...
81% of large businesses in the United Kingdom suffered a cybersecurity breach during the past year. The average cost of breaches has nearly doubled since 2013.
5. CYBER RISK: IT'S NOT JUST FOR IT ANYMORE
BOARD-LEVEL GOVERNANCE: Requires engagement of the full executive leadership team to address.
EVERYONE, INCLUDING HR: Requires a comprehensive, multi-dimensional approach addressing people, processes and vendors.
PREVENTION AND RECOVERY: Prevention tactics, including response and recovery plans.
6. THE EXTENT OF THE ISSUE: IMPLICATIONS FOR HR
50b connected devices in the world by 2020 – 6.5 devices for every person on the planet – many in the workplace, all hackable.
IMPLICATIONS FOR HR
• Think "permanent enterprise risk", not "isolated IT event."
• Plan your workforce cybersecurity strategy
• Know your people
• Educate
• Monitor sentiment
Source: DHL/Cisco, Internet of Things in Logistics (2015)
7. WHAT ABOUT INSIDERS?
ACCIDENTAL: Unaware; Negligent
RENEGADE: Knows and ignores; Tech-savvy
MALICIOUS: Malcontents; Seek revenge; Seek $$; Sabotage; Espionage
8. WHEN INSIDERS ATTACK
49% Current employees
51% Former employees
Sources: Why Hackers Could Cause the Next Global Crisis, Raj Bector, Claus Herbolzheimer, Sandro Melis and Robert Parisi, Cyber Risk Handbook 2015, Marsh & McLennan Companies, 2015. Keeney, M., Cappelli, D., Kowalski, E., Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA: Carnegie Mellon University Software Engineering Institute/United States Secret Service.
9. WHAT RESEARCH TELLS US ABOUT INSIDER ATTACKS
1. Most likely triggered by a negative work-related event
2. Most perpetrators had acted out at work previously
3. Planned their activities in advance
Source: Keeney, M., Cappelli, D., Kowalski, E., Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA: Carnegie Mellon University Software Engineering Institute/United States Secret Service.
10. GETTING STARTED
11. GETTING STARTED
ANALYSE THE INFORMATION
• What data needs protection?
DEVELOP INFORMATION SECURITY REQUIREMENTS
• Create "what if" damage scenarios
• Ascertain your appetite for risk
• Measure the gap between current and desired states
"MIND THE GAP"
• Plan and execute a risk mitigation strategy
Source: Closing the Door to Cyberattacks: How Enterprises Can Implement Comprehensive Information Security, Claus Herbolzheimer, Oliver Wyman
12. FORMULATING AN INTERNAL WORKFORCE CYBERSECURITY PLAN
Educating
• Annual compliance training
  – Secure work areas
  – Security when traveling
  – Secure email procedures
  – Avoiding phishing
• Foster a culture in which it is "safe" to raise concerns
Monitoring Sentiment
• Track employee/contractor sentiment
• Be proactive on potentially negative work issues:
  – Mergers/acquisitions
  – Layoffs
  – Restructuring
  – Even performance reviews
• Use data analytics software to scan email and social media posts to flag "disgruntled" employees
13. WHERE TECHNOLOGISTS FIT IN: WHAT VENDORS TELL US
14. PERCENT OF CUSTOMERS ASKING ABOUT SECURITY MEASURES THAT MAY IMPEDE HACKING INTO THEIR HR SYSTEMS
Less than one-third: 11%
One-third to two-thirds: 33%
More than two-thirds: 56%
15. BUT DO THEY ASK? DO CUSTOMERS SEEK VENDOR HELP IN ESTABLISHING THEIR CORPORATE DATA SECURITY PRACTICES?
Never: 22%
Sometimes: 67%
Often: 11%
16. ARE VENDORS A SOURCE OF INFORMATION ON THE POTENTIAL FINANCIAL IMPLICATIONS OF A CYBERATTACK ON CUSTOMERS' HCM ENVIRONMENT?
No: 67%
Yes, we provide general financial impact data based on public information (other research or aggregate data): 22%
Yes, we provide a detailed assessment/analysis based on a variety of client-specific factors: 11%
17. DO VENDORS PROVIDE CUSTOMER TRAINING THAT ADDRESSES CYBERSECURITY?
No, our customers have never requested this type of training: 22%
No: 33%
Sometimes, but only if a customer requests it: 22%
Yes, we often provide this type of training: 22%
18. SOFTWARE, SECURITY AND THE CLOUD: WHAT VENDORS PROVIDE THEIR CUSTOMERS
19. THAT WAS THEN, THIS IS NOW...
2005: Is my data safe in the Cloud?
2016: Is my data secure from hackers in the Cloud?
20. VENDOR ENCRYPTION OF CUSTOMER HR/TALENT DATA IN THE CLOUD
Response categories: built and enforced within our HR/talent application; built as a standard option, but use is optional by client; our company does not offer; available as a third-party add-on.
Data encryption for HR data at rest: built and enforced 67%; standard option, use optional by client 22%; other categories 11%
Data encryption for HR data in transit: built and enforced 89%; standard option, use optional by client 11%
Data encryption for HR data in transit from mobile devices: built and enforced 89%; standard option, use optional by client 11%
21. SECURITY SUPPORT IN HRIS SYSTEMS
Response categories: built and enforced within our HR/talent application; built as a standard option, but use is optional by client; our company does not offer; available as a third-party add-on.
Biometric IDs – retina scan: built and enforced 11%; standard option 22%; not offered 56%; third-party add-on 11%
Biometric IDs – fingerprints: built and enforced 33%; standard option 33%; not offered 22%; third-party add-on 11%
Dual level authentication: built and enforced 67%; standard option 33%
Strong alphanumeric password (lowercase and uppercase letters, numerals, and special characters): built and enforced 67%; standard option 33%
Regularly scheduled password changes: built and enforced 11%; standard option 78%; third-party add-on 11%
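The slide defines a "strong alphanumeric password" as one drawing on all four character classes. The following is an added example, not code from the presentation or from any of the surveyed vendors, showing what that composition rule catches and, more usefully, what it lets through: "Password1!" satisfies all four classes. The minimum length (MIN_LENGTH) and the short COMMON_BASES word list are assumptions chosen for illustration; the slide names neither.

```python
import re

# The four character classes the slide names for a "strong alphanumeric password".
CLASS_PATTERNS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "numeral": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Assumption: the slide names no minimum length, so this value is a chosen one.
MIN_LENGTH = 12

# Constructed sample of frequently chosen base words. A real deployment would load a
# full breached-password list; this short set only makes the point.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}


def missing_classes(password):
    """Names of the required character classes absent from the password."""
    return [name for name, pattern in CLASS_PATTERNS.items() if not pattern.search(password)]


def meets_complexity(password):
    """The composition rule exactly as the slide states it: all four classes present."""
    return not missing_classes(password)


def base_word(password):
    """Strip digits and special characters so 'Password1!' collapses to 'password'."""
    return re.sub(r"[^A-Za-z]", "", password).lower()


def check_password(password):
    """Apply composition, length and common-word checks; return (accepted, reasons)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for name in missing_classes(password):
        reasons.append(f"no {name} character")
    if base_word(password) in COMMON_BASES:
        reasons.append("built on a commonly used word")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Password1!", "correct-Horse7battery", "Ab1!", "Welcome2024!!!"):
        accepted, reasons = check_password(candidate)
        print(candidate, "accepted" if accepted else "rejected", reasons)
```

`meets_complexity` alone accepts "Password1!", which is why `check_password` also compares the stripped base word against a known-bad list. Since this presentation was given, NIST SP 800-63B (2017) has recommended screening against breached-password lists over composition rules and scheduled password changes, the last two items on this slide.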
22. MANAGEMENT OF CUSTOMER HR/TALENT DATA IN THE CLOUD
Response categories: Rarely; Sometimes; Frequently; Always; Don't know.
Assets are formally managed consistent with the client organization's risk strategy throughout removal, transfers, and disposition: Always 75%; the remaining 25% split in 12.5% increments across the other categories
Integrity checking mechanisms are used to verify software, firmware, and information integrity: Always 87.5%; one other category 12.5%
Data is destroyed according to the customer's policy: Always 75.0%; the remaining 25% split in 12.5% increments across the other categories
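The second item on this slide, integrity checking of software and information, is the one control here a practitioner can demonstrate end to end. The following is an added example and not code from the presentation or from any surveyed vendor: it baselines a directory tree into a manifest of SHA-256 digests and later reports files whose content changed, files that disappeared, and files that were not in the baseline. The directory layout, file contents and names in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 digest of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root against a baseline manifest.

    Returns sorted lists of files whose content changed, files that disappeared,
    and files that were not in the baseline at all.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: write bytes at a '/'-separated relative path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: baseline a small tree, alter it, and verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/config.ini", b"[db]\nhost=db.internal\n")
        _write(root, "app/module.bin", b"constructed placeholder bytes")
        _write(root, "app/notes.txt", b"unchanged\n")
        baseline = build_manifest(root)

        # Same length, different content: a size or timestamp check would miss
        # this change, a digest comparison does not.
        _write(root, "app/config.ini", b"[db]\nhost=db.external\n")
        os.remove(os.path.join(root, "app", "module.bin"))
        _write(root, "app/dropped.txt", b"not in the baseline\n")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its storage: keep it signed or on a host the checked system cannot write to, otherwise whoever alters a file can update its digest as well. In practice the baseline is rebuilt after each approved release and compared on a schedule, which is how "Always" on this slide becomes something auditable.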
23. WHAT VENDORS SAY THEY ALWAYS DO...
A vulnerability management plan is developed and implemented: 100%
Incident response, business continuity and recovery plans are in place and managed: 100%
Incident alert thresholds are established: 89%
Information is shared consistent with response plans: 89%
Malicious code scanning is performed: 89%
Monitoring for unauthorized personnel, connections, devices, and software is performed: 67%
Unauthorized mobile code scanning is performed: 44%
24. CONCLUSIONS
25. YOU CAN DO THIS: MISTAKES TO AVOID
Mistake: It can't happen to you.
Reality: Yes, it can. Even though you may think your data is not all that important, it can be used maliciously. Take risk seriously.
Mistake: It's IT's problem.
Reality: Cybersecurity includes people, policies, and procedures. It is as much a governance problem as a technical one.
26. YOU CAN DO THIS: FIVE MISTAKES TO AVOID
Mistake: Ignoring network architecture.
Reality: You do need to understand and update your network. Do you know where your critical data is?
Mistake: Relying solely on anti-virus technology.
Reality: Less than 40% of attacks today involve malware. "Perimeter security" alone is insufficient –
27. YOU CAN DO THIS: MISTAKES TO AVOID
Mistake: Failure to monitor the endpoints.
Reality: Once through the perimeter – what damage can be done? This is the proactive part — constantly looking for aberrant behavior.
28. CONCLUSION
Vendors
• Help your customers:
  – Understand the importance of cybersecurity
  – Understand what you do and how it can help them
  – Educate them on their responsibilities for their own data safety
Companies
• Work with your vendors:
  – Ask questions: know exactly what your vendor provides and what the implications are for you
• Ascertain your own risk tolerance:
  – Plan your cybersecurity strategy accordingly
29. DR. KATHERINE JONES, Partner and Director of Research
Email: katherine.jones@mercer.com
Twitter: @katherine_jones