M&S, Harrods, and Co-op have all recently been victims of cyber-attacks. How can HR help prevent one at your company?
A few weeks ago, my wife got a concerned call from her mother. She was not able to buy a rotisserie chicken from M&S. The chickens were there, cooked and ready to eat. The problem was that the M&S systems were not able to print the tickets with the all-important barcode. This was bad news for my mother- and father-in-law’s planned meal and even worse news for M&S. Later that day, the story broke that M&S had been the victim of a cyber-attack. Since then, further news has come that Harrods and the Co-op have also recently been victims of similar attacks.
Why are we talking about this? Have Narrow Quay HR had a radical rebrand to become IT specialists? No, the reason is that we want to think about the role of HR in preventing attacks and then in dealing with the consequences of them.
What is the role of HR in preventing attacks?
Whilst the IT team obviously play an important role in trying to prevent attacks, the Verizon 2025 Data Breach Investigations Report stated that 60% of breaches involved a human element. It’s therefore important that staff are trained in spotting and avoiding potential attacks. Many attacks come as a result of a member of staff inadvertently clicking on a link in an email, which then allows the virus to enter the IT system.
HR teams can assist with designing training to help ensure that policies have been read and understood and that employees don’t just take a ‘tick-box’ approach to say that they have read them. Things to think about when designing this training might include:
- purpose: ensure the training explains why data security policies are in place, what the risks of a cyber-attack are, and the role staff play in helping to prevent one occurring.
- refresher training: given the importance of this training, you should consider requiring all employees to attend refresher training periodically to keep the message at the forefront of their minds. Your employees need, for instance, to understand the importance of approaching emails with a healthy degree of scepticism and caution.
- reporting mechanisms: staff must understand the need to report any concerns swiftly. If, for example, they have inadvertently clicked on a link, speed is vital in dealing with it: computers might need to be isolated and systems shut down, so the sooner IT are alerted the better.
- no-blame culture: mistakes can and do happen, so it’s important that organisations foster a culture where employees who may be embarrassed by a possible mistake still speak up as soon as possible, without fear of negative consequences.
The attack has got into your systems – what can HR do then?
So, despite the organisation’s best efforts, the virus is in your systems. What happens next? While the focus is likely to be on IT’s efforts, it’s important to remember to keep staff informed of what is happening. You don’t need to give them every single detail, but remember that it’s likely to be an uncertain time for them, and you want to avoid them getting their news from possibly ill-informed media or social media messages. You’ll also need to think about whether it’s possible for them to still work from home while you are dealing with the IT challenges. Once the immediate threat has been resolved, HR can support with reflecting on lessons learned and devising adaptations to training and policies to reduce the likelihood of a recurrence.