A recent Associated Press article reported that in a quarterly meeting of CEOs across the country, President Biden highlighted “evolving intelligence” that Russia is considering launching cyberattacks against “critical infrastructure targets” across the U.S.; Biden told business leaders that they have a “patriotic obligation” to tighten up their systems to prevent such attacks.
While the role of an organization’s technology team is critical here, there are many equally imperative things HR leaders should be doing to help employees understand what they can do individually to help prevent such an attack, as well as what the broader organization needs to do to prepare if such an attack occurs.
What actions should organizations take and what is HR’s role?
Here's an article I wrote last year that covers the immediate steps HR should take as the threat of such an attack becomes more likely, orginally titled, Cyber Threats in the Age of Hybrid Work: What HR Leaders Should Do Now:
Trust, urgency, confusion, and fear—these are the things cyber criminals live for and abuse to gain access to an organization’s systems, software, and hardware and potentially shut down the entire operation.
Think for a moment about the world in which we currently live, where so much changes every day and most of our employees are working from an environment outside the corporate office firewall. Urgency, confusion, and fear are rampant—the perfect storm for hackers to gain access, lock your systems, and demand a hefty non-traceable Bitcoin ransom.
No organization is immune. In a recent article published by Forbes, it was noted that the year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, governments, and individuals across the globe. In addition, the sophistication of threats increased from the application of emerging technologies such as machine learning, artificial intelligence, and 5G, and especially from greater tactical cooperation among hacker groups and state actors.
Even organizations that offer products to help recover from ransomware attacks, like cyber insurance carriers and data backup vendors, were not safe. Many companies gave into those demands despite having backups, even though paying a ransom did not guarantee a full recovery of data. In many cases, the full extent of the attack has not been disclosed, but the impact of exposed data, downtime, and disruption is clear.
And just to add a little more insult to the injury, hackers are typically in an organization’s systems for OVER 200 DAYS before shutting access down—enough time to gain all the information they need to ensure they will get paid.
Many organizations lean heavily on the IT team to ensure systems are as safe and protected as possible—but IT often focuses primarily on the systems aspect of an attack, not so much on the people. This is where HR leadership becomes exceedingly important.
But what can HR leaders do? How can their actions help to prevent these attacks?
A culture of trust
If a high level of trust in leadership is not a component of your organizational culture, the organization is at a much higher risk of a breach.
For example, do your employees believe that they can approach any of your leaders and let them know they may have been pulled into a suspicious email exchange without fear of reprisal or denigration? If they feel that there is a chance of being called out in a negative light—whether 1:1 or more broadly—you have a problem.
Check your latest engagement or pulse survey scores, the data collected via stay or exit interviews, and the organization’s reputation on sites like Glassdoor. All will paint a picture of whether your culture is one with a foundation of trust.
Remember—one small interaction with a cybercriminal could mean entry to your organization’s entire system. A culture of trust in which employees trust that they can tell their manager and/or IT about a potential breach is most important first and foremost—or chances are the breach will be missed.
Many organizations have been forced to create a pandemic incident response plan over the past 18 months, or at a minimum update an existing one, so we should be pretty good at this. Now is the time to flex that muscle and apply it to the possibility of a cyber-attack.
Things to consider for your cyber-attack incident response plan include:
- Does the organization have an incident response plan specifically for ransomware/cyber-attacks?
- Do employees know what to do, who to contact, and how to contact them in case of an attack?
- If email is down or should not be used due to an attack, is there a backup communication channel to alert employees and let them know what to do?
- What is the message that will be communicated to employees to ensure compliance and minimize fear?
- If you have contract workers/gig employees on your system, how will they be contacted?
- Are there things contract/gig workers need to do things differently than your employees and if so, what are these things?
- Have you created and confirmed your organization’s points of contact? Ideally, this is NOT an individual person. What if they leave or transition to another department? Consider instead a help line number and/or email alias to report suspicious activity that reaches an incident response team.
- Is your plan accessible to all employees outside of your intranet/internal system? Have you encouraged employees to save it somewhere other than on their work laptops?
If the system is locked down and access to the plan is not available… well, let’s just agree this is not an ideal situation.
Practice makes perfect
Just as we regularly practice fire drills, it is imperative that your cyber-attack incident response plan is practiced too. Without this practice, everyone impacted will be scrambling to figure out what to do and it’s likely that even more damage will be done. Ideally, employees have practiced enough that if an attack happens, employee response can be planned and intentional.
In his book Outliers, Malcolm Gladwell suggests that once a person has practiced his or her craft for 10,000 hours, they enter a threshold of genius through which fame and fortune become tangible possibilities. While fame and fortune may not be the goals here, practicing the plan at least once per quarter will be a good start—and likely more than what you’re doing now.
Identification of possible attacks before they become a problem should also be part of this practice. Cyber attackers have become increasingly creative in how they access the networks of organizations; it’s rarely an email from a Nigerian prince asking for money (though that still exists). Instead, given that the attackers have likely been in your system for months by the time they encrypt it, they can create and send communications that look and feel just like something that would be sent legitimately.
HR leadership should consider partnering with IT to create and utilize these scenarios to ‘pressure check’ the system and make sure everyone knows how to identify possible problems and what to do if they become actual problems.
The idea of communicating a message repeatedly isn’t new. Rooted in advertising and marketing, the term effective frequency is used to define the number of times a person needs to hear an advertising message before responding to it. Experts have different ideas of what that magic number is; however, most famous is probably the “Rule of Seven,” which suggests consumers need to hear a message seven times before they will consider taking action.
In the case of helping employees learn what an attack might look like and what to do about it if they experience suspicious activity, HR leaders must partner with IT to communicate often.
In addition, using various communication modalities (rather than always relying on email) is an effective way to get your key messages across.
Think about the following forums to include in your organization’s cyber communication campaign, and don’t be afraid to use more than one at once:
- All-hands meetings.
- Email messages from your CEO/HR leadership stressing the importance of this focus.
- Physical job aids such as a sticker to put on each employee’s laptop—with instructions on what to do and who to call in case of an attack.
- New employee/contractor orientation. Expectations of all workers in such an attack should also be included in new employee/contractor onboarding so all employees are prepared as quickly as possible.
- Hire an expert. This is a worthy enough trend to consider bringing in an expert to present pertinent information to your employees and to answer questions. The more educated your employees are, the less likely an attack will succeed—or if it does succeed, the more likely the damage will be minimized.
With the significant increase in cyber-attacks around the globe, it is imperative that HR leaders shift their thinking from seeing the potential of an attack as solely an IT responsibility and instead start viewing this as a people challenge that can only be solved with strong partnership between HR and IT teams. HR certainly has a huge role to play.
There’s (literally) no time like the present.
Kari Naimon is a Senior Research Analyst at i4cp.