RISKY BUSINESS: PROTECTING HR DATA IN TODAY'S HACKER-PRONE WORLD
TRANSCRIPT
HEALTH WEALTH CAREER
Dr. Katherine Jones, Partner & Director of Research, Talent Information Solutions
© MERCER 2016 2
TOPICS WE WILL ADDRESS TODAY
THE ISSUE AT HAND
• It's a major business issue
• It is likely here to stay
INSIDE AND OUTSIDE
• Where are the threats?
SOFTWARE, SECURITY, AND THE CLOUD
• What vendors provide their customers
WHERE TECHNOLOGISTS FIT
• What vendors tell us
HOW BIG IS THE PROBLEM?
• 116 successful attacks per week
• 23% increase in attacks yearly since 2010
• 9M per business, with average annual cost rising 17% yearly
• Cyber crime costs the global economy over 400B
The most recent Global Risks report ranks cyberattacks as one of the top 10 risks most likely to cause a global crisis. Cyberattacks were ranked as the top risk for which North American respondents felt their countries were least prepared.
SOURCES: CENTER FOR STRATEGIC AND INTERNATIONAL STUDIES/MCAFEE, NET LOSSES: ESTIMATING THE GLOBAL COST OF CYBER CRIME (2014); WORLD ECONOMIC FORUM, GLOBAL RISKS 2015 (2015); SYMANTEC INTERNET SECURITY THREAT REPORT; PONEMON 2012, 2013 COSTS OF CYBER CRIME STUDY; THE GLOBAL STATE OF INFORMATION SECURITY® SURVEY 2014; THE BETTERLY REPORT CYBER/PRIVACY INSURANCE MARKET SURVEY 2013; CYBERSECURITY MARKET REPORT BY MARKETSANDMARKETS, JUNE 2012.
CYBER RISK IS A RACE WITHOUT A FINISH LINE…
81% of large businesses in the United Kingdom suffered a cybersecurity breach during the past year.
The average cost of breaches has nearly doubled since 2013.
CYBER RISK: IT'S NOT JUST FOR IT ANYMORE
BOARD-LEVEL GOVERNANCE: Requires engagement of the full executive leadership team to address.
EVERYONE, INCLUDING HR: Requires a comprehensive, multi-dimensional approach addressing people, processes and vendors.
PREVENTION AND RECOVERY: Prevention tactics, including response and recovery plans.
THE EXTENT OF THE ISSUE: IMPLICATIONS FOR HR
50b connected devices in the world by 2020 – 6.5 devices for every person on the planet – many in the workplace, all hackable.
SOURCE: DHL/CISCO, INTERNET OF THINGS IN LOGISTICS (2015)
IMPLICATIONS FOR HR
• Think "permanent enterprise risk," not "isolated IT event."
• Plan your workforce cybersecurity strategy
• Know your people
• Educate
• Monitor sentiment
WHAT ABOUT INSIDERS?
ACCIDENTAL
• Unaware
• Negligent
RENEGADE
• Knows and ignores
• Tech-savvy
MALICIOUS
• Malcontents
• Seek revenge
• Seek $$
• Sabotage
• Espionage
WHEN INSIDERS ATTACK
• 49% current employees
• 51% former employees
SOURCES: WHY HACKERS COULD CAUSE THE NEXT GLOBAL CRISIS, RAJ BECTOR, CLAUS HERBOLZHEIMER, SANDRO MELIS AND ROBERT PARISI, CYBER RISK HANDBOOK 2015, MARSH & MCLENNAN COMPANIES, 2015; KEENEY, M., CAPPELLI, D., KOWALSKI, E., MOORE, A., SHIMEALL, T. AND ROGERS, S. (2005) INSIDER THREAT STUDY: COMPUTER SYSTEM SABOTAGE IN CRITICAL INFRASTRUCTURE SECTORS, PITTSBURGH, PA: CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE / UNITED STATES SECRET SERVICE.
WHAT RESEARCH TELLS US ABOUT INSIDER ATTACKS
1. Most likely triggered by a negative work-related event
2. Most perpetrators had acted out at work previously
3. Planned their activities in advance
SOURCE: KEENEY, M., CAPPELLI, D., KOWALSKI, E., MOORE, A., SHIMEALL, T. AND ROGERS, S. (2005) INSIDER THREAT STUDY: COMPUTER SYSTEM SABOTAGE IN CRITICAL INFRASTRUCTURE SECTORS, PITTSBURGH, PA: CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE / UNITED STATES SECRET SERVICE.
GETTING STARTED
GETTING STARTED
ANALYSE THE INFORMATION
• What data needs protection?
DEVELOP INFORMATION SECURITY REQUIREMENTS
• Create "what if" damage scenarios
• Ascertain your appetite for risk
• Measure the gap between current and desired states
"MIND THE GAP"
• Plan and execute a risk mitigation strategy
SOURCE: CLOSING THE DOOR TO CYBERATTACKS: HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY, CLAUS HERBOLZHEIMER, OLIVER WYMAN
FORMULATING AN INTERNAL WORKFORCE CYBERSECURITY PLAN
Educating
• Annual compliance training
  – Secure work areas
  – Security when traveling
  – Secure email procedures
  – Avoiding phishing
• Foster a culture in which it is "safe" to raise concerns
Monitoring Sentiment
• Track employee/contractor sentiment
• Be proactive on potentially negative work issues:
  – Mergers/acquisitions
  – Layoffs
  – Restructuring
  – Even performance reviews
• Use data analytics software to scan email and social media posts to flag "disgruntled" employees
WHERE TECHNOLOGISTS FIT IN: WHAT VENDORS TELL US
PERCENT OF CUSTOMERS ASKING ABOUT SECURITY MEASURES THAT MAY IMPEDE HACKING INTO THEIR HR SYSTEMS
• Less than one-third: 11%
• One-third to two-thirds: 33%
• More than two-thirds: 56%
BUT DO THEY ASK? DO CUSTOMERS SEEK VENDOR HELP IN ESTABLISHING THEIR CORPORATE DATA SECURITY PRACTICES?
• Never: 22%
• Sometimes: 67%
• Often: 11%
ARE VENDORS A SOURCE OF INFORMATION ON THE POTENTIAL FINANCIAL IMPLICATIONS OF A CYBERATTACK ON CUSTOMERS' HCM ENVIRONMENT?
• No: 67%
• Yes, we provide general financial impact data based on public information (other research or aggregate data): 22%
• Yes, we provide a detailed assessment/analysis based on a variety of client-specific factors: 11%
DO VENDORS PROVIDE CUSTOMER TRAINING THAT ADDRESSES CYBERSECURITY?
• No, our customers have never requested this type of training: 22%
• No: 33%
• Sometimes, but only if a customer requests it: 22%
• Yes, we often provide this type of training: 22%
SOFTWARE, SECURITY AND THE CLOUD: WHAT VENDORS PROVIDE THEIR CUSTOMERS
THAT WAS THEN, THIS IS NOW…
2005: Is my data safe in the Cloud?
2016: Is my data secure from hackers in the Cloud?
VENDOR ENCRYPTION OF CUSTOMER HR/TALENT DATA IN THE CLOUD
Response categories: Built and enforced within our HR/talent application; Built as a standard option, but use is optional by client; Our company does not offer; Available as a third-party add-on
• Data encryption for HR data at rest: 67% built and enforced; 22% standard option, use optional by client; 11% in one of the remaining categories (not offered, or third-party add-on)
• Data encryption for HR data in transit: 89% built and enforced; 11% standard option, use optional by client
• Data encryption for HR data in transit from mobile devices: 89% built and enforced; 11% standard option, use optional by client
SECURITY SUPPORT IN HRIS SYSTEMS
Measures surveyed:
• Biometric IDs – retina scan
• Biometric IDs – fingerprints
• Dual level authentication
• Strong alphanumeric password (lowercase and uppercase letters, numerals, and special characters)
• Regularly scheduled password changes
Response categories: Built and enforced within our HR/talent application; Built as a standard option, but use is optional by client; Our company does not offer; Available as a third-party add-on
[Chart: per-measure percentages by response category; values shown on the original slide, in the order extracted: 11%, 22%, 33%, 33%, 33%, 78%, 56%, 22%, 11%, 11%, 11%, 11%, 33%, 67%, 67%]
MANAGEMENT OF CUSTOMER HR/TALENT DATA IN THE CLOUD
Practices surveyed:
• Assets are formally managed consistent with the client organization's risk strategy throughout removal, transfers, and disposition
• Integrity checking mechanisms are used to verify software, firmware, and information integrity
• Data is destroyed according to the customer's policy
Response categories: Rarely; Sometimes; Frequently; Always; Don't Know
[Chart: per-practice percentages by response category; values shown on the original slide, in the order extracted: 12.5%, 12.5%, 12.5%, 75.0%, 87.5%, 75.0%, 12.5%, 12.5%]
WHAT VENDORS SAY THEY ALWAYS DO…
• A vulnerability management plan is developed and implemented: 100%
• Incident response, business continuity and recovery plans are in place and managed: 100%
• Incident alert thresholds are established: 89%
• Information is shared consistent with response plans: 89%
• Malicious code scanning is performed: 89%
• Monitoring for unauthorized personnel, connections, devices, and software is performed: 67%
• Unauthorized mobile code scanning is performed: 44%
CONCLUSIONS
YOU CAN DO THIS: FIVE MISTAKES TO AVOID
Mistake: It can't happen to you.
Reality: Yes, it can. Even though you may think your data is not all that important, it can be used maliciously. Take risk seriously.
Mistake: It's IT's problem.
Reality: Cybersecurity includes people, policies, and procedures. It is as much a governance problem as a technical one.
Mistake: Ignoring network architecture.
Reality: You do need to understand and update your network. Do you know where your critical data is?
Mistake: Relying solely on anti-virus technology.
Reality: Less than 40% of attacks today involve malware. "Perimeter security" alone is insufficient –
Mistake: Failure to monitor the endpoints.
Reality: Once through the perimeter, what damage can be done? This is the proactive part: constantly looking for aberrant behavior.
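The "constantly looking for aberrant behavior" point above, together with the vendor item on monitoring for unauthorized connections and devices, comes down to comparing what an account does today against what it normally does. The block below is an added example, not code from the Mercer deck or any vendor it surveys: the access-log rows, user names and host names are constructed, and the two rules it applies (a host never seen for that user before, and a daily export count more than three standard deviations above the user's own baseline) are the editor's choice of illustration, not a method the deck prescribes.

```python
"""Baseline-and-deviation check over constructed HR-system access records."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample log (NOT real data): one row per user per day, recording
# the host used and how many employee records that user exported from HR.
SAMPLE_LOG = [
    # user,    date,         host,              records_exported
    ("alice", "2016-03-01", "hr-laptop-01",    12),
    ("alice", "2016-03-02", "hr-laptop-01",    15),
    ("alice", "2016-03-03", "hr-laptop-01",    11),
    ("alice", "2016-03-04", "hr-laptop-01",    14),
    ("bob",   "2016-03-01", "hr-laptop-02",    30),
    ("bob",   "2016-03-02", "hr-laptop-02",    28),
    ("bob",   "2016-03-03", "hr-laptop-02",    33),
    ("bob",   "2016-03-04", "hr-laptop-02",    29),
    # Evaluation window (on or after the cutoff date used below).
    ("alice", "2016-03-08", "unknown-host-77", 480),  # new host and bulk export
    ("bob",   "2016-03-08", "hr-laptop-02",    31),   # within normal range
    ("carol", "2016-03-08", "hr-laptop-03",    5),    # user with no history
]


@dataclass
class Baseline:
    hosts: set          # hosts this user has been seen on during the baseline
    counts: list        # daily export counts during the baseline


@dataclass
class Finding:
    user: str
    date: str
    reasons: list       # human-readable reasons the row was flagged


def build_baseline(log, cutoff):
    """Per-user hosts and daily export counts from rows dated before cutoff.

    Dates are ISO strings, so plain string comparison orders them correctly.
    """
    baseline = {}
    for user, date, host, count in log:
        if date < cutoff:
            entry = baseline.setdefault(user, Baseline(set(), []))
            entry.hosts.add(host)
            entry.counts.append(count)
    return baseline


def detect_anomalies(log, cutoff, z=3.0, min_sigma=1.0):
    """Flag rows on/after cutoff that deviate from the user's own baseline.

    min_sigma stops a perfectly flat baseline (stdev 0) from flagging every
    tiny change; z is the number of standard deviations tolerated.
    """
    baseline = build_baseline(log, cutoff)
    findings = []
    for user, date, host, count in log:
        if date < cutoff:
            continue
        reasons = []
        entry = baseline.get(user)
        if entry is None:
            # No history at all: review rather than silently trust.
            reasons.append("no baseline for user")
        else:
            if host not in entry.hosts:
                reasons.append(f"new host {host}")
            mu = mean(entry.counts)
            sigma = max(pstdev(entry.counts), min_sigma)
            if count > mu + z * sigma:
                reasons.append(
                    f"export volume {count} exceeds baseline "
                    f"{mu:.1f} + {z:g} * {sigma:.1f}"
                )
        if reasons:
            findings.append(Finding(user, date, reasons))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE_LOG, "2016-03-05"):
        print(finding.user, finding.date, "; ".join(finding.reasons))
```

Run as-is it reports alice (unknown host plus a 480-record export against a baseline of about 13 a day) and carol (no history to compare against), and stays silent on bob. In a real deployment the baseline window would be weeks rather than four days and the thresholds tuned per role, but the shape of the check is the same: it is the endpoint-level "what is this account doing that it never did before" question the slide raises, which perimeter controls alone cannot answer.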
© MERCER 2016 28
CONCLUSION
Vendors
• Help your customers:
  – Understand the importance of cybersecurity
  – Understand what you do and how it can help them
  – Educate them on their responsibilities for the safety of their own data
Companies
• Work with your vendors:
  – Ask questions: know exactly what your vendor provides and what the implications are for you
• Ascertain your own risk tolerance:
  – Plan your cybersecurity strategy accordingly
DR. KATHERINE JONES, Partner and Director of Research
Email: [email protected]
@katherine_jones
Q&A