TRANSCRIPT
Dr. Katherine Jones
26 October, 2016
CYBERSECURITY: MOVING FROM SORRY TO SAFE
Risky Business: Managing HR Data in Today’s Hacker-Prone World
© MERCER 2016 1
BROUGHT TO YOU BY
HOUSEKEEPING
• Credit
• Questions
• Topic
EARNING CREDITS
• Be watching using YOUR unique URL for login
• Stay on the webinar, online for the entire duration
• Certificates delivered by email no later than 12/16/16
Ascentis Corporation is recognized by SHRM to offer Professional Development Credits (PDCs) for the SHRM-CPSM or SHRM-SCPSM. This program is valid for 1.0 PDCs for the SHRM-CPSM or SHRM-SCPSM. For more information about certification or recertification, please visit www.shrmcertification.org. The use of this seal confirms that this activity has met HR Certification Institute's® (HRCI®) criteria for recertification credit pre-approval. Recertification Credit Hours Awarded: 1. Specified Credit Hours: HR (General) recertification credit hours toward aPHR™, PHR®, PHRca®, SPHR®, GPHR®, PHRi™, SPHRi™ recertification through HR Certification Institute's® (HRCI®). For more information about certification or recertification, please visit the HR Certification Institute website at www.hrci.org.
TODAY'S FEATURED SPEAKER
Nancy has over 25 years of employee health and wellness benefits experience, including 11 years at Mercer, several years as a partner at another major global HR consulting firm, key leadership at a wellness start-up wholly owned by a major health system, and leading global wellness at a F500 company.
Nancy Kingsland, Health and Wellness PRO
Prior to his role, Amit was a Health and Benefits consultant where he helped clients on various topics such as the Affordable Care Act (ACA) Regulations, annual market trends and benefit strategies.
Amit Loungani
Dr. Katherine Jones, Partner and Director of Research
• Partner and Director of Research.
• Leads a charter to develop thought leadership about all areas of human capital management and the technologies that support it.
• Katherine is also a veteran analyst in the high-tech market.
• Masters and Doctorate degrees from Cornell University.
TOPICS WE WILL ADDRESS TODAY
THE ISSUE AT HAND
• It’s a major – and growing – business issue
• It is likely here to stay
• The Global Response
PEOPLE: INSIDE AND OUTSIDE
• Where are the threats?
EMPLOYEES: EDUCATION AND STAFFING
• Staffing issues
• Teaching vigilance
TECHNOLOGY PROVIDERS
• What vendors tell us
THE ISSUE AT HAND
• $500 billion: annual cost to the global economy of cyber crime
• 90% of large corporations report breaches
• 221% increase in time to resolve over the last 4 years
• 4X: cyber crime cost from 2013 to 2015
• $2.1 trillion: global cost of data breaches by 2019
• WEF: much cyber crime is undetected (industrial espionage), so the real costs are higher
• 20% of small to mid-sized businesses have been cyber crime victims (Microsoft)
• 500 million accounts stolen
• 117 million email & password combinations stolen
• 55 million personal records
“BREACHES OF YAHOO SCALE ARE THE SECURITY EQUIVALENT OF ECOLOGICAL DISASTERS”
PEOPLE: INSIDE AND OUT
CHANGING ATTACKER PROFILES
Source: McAfee Labs Threats Report, August 2015
DATA BREACHES
• 48% – Malicious or Criminal Attack
• 27% – System Glitch
• 25% – Human Error
N = 383
Source: 2016 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, June 2016.
INSIDE THE ORGANIZATION
CRITICALITY OF CYBERSECURITY
Source: Rewarding the Risk Preventors: Getting Cyberstaffing Right. Katherine Jones, Mercer Select Intelligence, 2016.
FINDING CYBER TALENT
Source: Rewarding the Risk Preventors: Getting Cyberstaffing Right. Katherine Jones, Mercer, 2016.
ORGANISATIONS FELT THEY WERE …
(Bar chart, share of respondents agreeing, axis 0% to 80%; the six bar values extracted were 47%, 56%, 67%, 68%, 73% and 75%, and could not be re-paired with their labels.)
• Resourced/sized (people) to meet the tasks and challenges ahead
• Financed to meet the tasks and challenges ahead
• Skilled in post-breach recovery practices
• Skilled to immediately identify attempted data breaches
• Sourced to build a flexible staffing model with the right mix of staff, consultants (external vendors) and contractors
• Organized to meet the tasks and challenges ahead
Source: Rewarding the Risk Preventors: Getting Cyberstaffing Right. Katherine Jones, Mercer Select Intelligence, 2016.
EMPLOYEES:EDUCATION AND STAFFING
WHAT DOES AN INTERNAL CYBER THREAT LOOK LIKE?
KNOW YOUR INSIDERS
• ACCIDENTAL: unaware; negligent
• RENEGADE: knows and ignores; tech-savvy
• MALICIOUS: malcontents; seek revenge; seek $$; sabotage; espionage
WHEN MALICIOUS INSIDERS ATTACK
• 49% Current Employees
• 51% Former Employees
Sources: Why Hackers Could Cause the Next Global Crisis. Raj Bector, Claus Herbolzheimer, and Sandro Melis, and Rober. Keeney, M., Cappelli, D., Kowalski, E., Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA: Carnegie Mellon University Software Engineering Institute / United States Secret Service. T. Parisi, Cyber Risk Handbook 2015, Marsh & McLennan Companies, 2015.
WHAT RESEARCH TELLS US ABOUT INSIDER ATTACKS
1. Most likely triggered by a negative work-related event
2. Most perpetrators had acted out at work previously
3. Planned their activities in advance
Source: Keeney, M., Cappelli, D., Kowalski, E., Moore, A., Shimeall, T. and Rogers, S. (2005) Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Pittsburgh, PA: Carnegie Mellon University Software Engineering Institute / United States Secret Service.
FORMULATING AN INTERNAL WORKFORCE CYBERSECURITY PLAN
Educating
• Annual compliance training:
– Secure work areas
– Security when traveling
– Secure email procedures
– Avoiding phishing
• Foster a culture in which it is “safe” to raise concerns
Monitoring Sentiment
• Track employee/contractor sentiment
• Be proactive on potentially negative work issues:
– Mergers/acquisitions
– Layoffs
– Restructuring
– Even performance reviews
• Use data analytics software to scan email and social media posts to flag “disgruntled” employees
TECHNOLOGY PROVIDERS: WHAT RESEARCH TELLS US
SECURITY SUPPORT IN HRIS SYSTEMS
(Chart of vendor responses per security measure; the extracted percentages were 11%, 33%, 67%, 67%, 11%, 22%, 33%, 33%, 33%, 78%, 56%, 22%, 11%, 11% and 11%, and could not be re-paired with their bars.)
Security measures surveyed:
• Biometric IDs – retina scan
• Biometric IDs – fingerprints
• Dual level authentication
• Strong alphanumeric password (lowercase and uppercase letters, numerals, and special characters)
• Regularly scheduled password changes
Response categories: Built and enforced within our HR/talent application; Built as a standard option, but use is optional by client; Our company does not offer; Available as a third-party add-on.
VENDOR ENCRYPTION OF CUSTOMER HR/TALENT DATA IN THE CLOUD
(Chart of vendor responses per encryption measure; the extracted percentages were 67%, 89%, 89%, 22%, 11%, 11% and 11%, and could not be re-paired with their bars.)
Encryption measures surveyed:
• Data encryption for HR data at rest
• Data encryption for HR data in transit
• Data encryption for HR data in transit from mobile devices
Response categories: Built and enforced within our HR/talent application; Built as a standard option, but use is optional by client; Our company does not offer; Available as a third-party add-on.
ONLY 56% OF CUSTOMERS ASK ABOUT SECURITY MEASURES THAT MAY IMPEDE HACKING INTO THEIR HR SYSTEMS
Do vendors explain financial ramifications? (bar chart, axis 0% to 80%; values in extraction order: 11%, 67%, 22%)
• Often
• Sometimes
• Never
But do customers ask? (bar chart, axis 0 to 70; values in extraction order: 67, 22, 11)
• No
• Yes, we provide general financial impact data based on public information (other research or aggregate data)
• Yes, we provide a detailed assessment/analysis based on a variety of client specific factors
DO VENDORS PROVIDE CUSTOMER TRAINING THAT ADDRESSES CYBERSECURITY?
(Chart; values in extraction order: 22%, 33%, 22%, 22%)
• No, our customers have never requested this type of training
• No
• Sometimes, but only if a customer requests it
• Yes, we often provide this type of training
CYBER “TO DO”
YOU CAN DO THIS: MISTAKES TO AVOID
Mistake: It can’t happen to you.
Reality: Yes it can. Even though you may think your data is not all that important, it can be used maliciously. Take risk seriously.
Mistake: It’s IT’s problem.
Reality: Cybersecurity includes people: policies, procedures. It is as much a governance problem as a technical one.
REVIEW YOUR DATA
Source: Closing the Door to Cyberattacks: How Enterprises Can Implement Comprehensive Information Security. Claus Herbolzheimer, Oliver Wyman.
ANALYSE THE INFORMATION
• What data needs protection?
DEVELOP INFORMATION SECURITY REQUIREMENTS
• Create “what if” damage scenarios
• Ascertain your appetite for risk
• Measure gap between current and desired states
“MIND THE GAP”
• Plan and execute a risk mitigation strategy
REVIEW YOUR PROCESSES
• Consider threats from insiders in risk assessments
• Dedicate specific budgets and resources for insider-threat countermeasures
• Execute background checks on all new hires
• Track access and use of highly sensitive/confidential accounts
• Audit unusual online behavior
• Deactivate sensitive systems access following employee termination
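One way to operationalise the last three process items above (tracking sensitive accounts, auditing unusual use, and deactivating access after termination) is a periodic reconciliation of the HR roster against the account list of a sensitive system. The script below is an added example, not material from the webinar or from Mercer or Ascentis; the roster, account export, names and dates are constructed sample data.

```python
"""Offboarding reconciliation check (added example; constructed data).

Flags two gaps an HR/security team would want to review:
  1. accounts still enabled after the owner's HR termination date, and
  2. enabled accounts with no matching HR record (orphaned access).
"""
from datetime import date, timedelta

# Constructed HR roster: employee id -> (name, termination date or None)
HR_ROSTER = {
    "E1001": ("Alice Example", None),
    "E1002": ("Bob Example", date(2016, 9, 30)),
    "E1003": ("Carol Example", date(2016, 10, 20)),
}

# Constructed account export from a sensitive system (e.g. the payroll HRIS)
ACCOUNTS = [
    {"user": "alice", "employee_id": "E1001", "enabled": True, "last_login": date(2016, 10, 25)},
    {"user": "bob", "employee_id": "E1002", "enabled": True, "last_login": date(2016, 10, 3)},
    {"user": "carol", "employee_id": "E1003", "enabled": False, "last_login": date(2016, 10, 19)},
    {"user": "svc_legacy", "employee_id": None, "enabled": True, "last_login": date(2016, 10, 24)},
]

AS_OF = date(2016, 10, 26)  # review date for the sample run


def find_access_gaps(roster, accounts, as_of, grace_days=0):
    """Return (user, reason) findings for accounts that are enabled but
    should not be as of `as_of`; `grace_days` allows a short handover window."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are what we want to see
        record = roster.get(acct["employee_id"])
        if record is None:
            findings.append((acct["user"], "no HR record for enabled account"))
            continue
        _, term_date = record
        if term_date is not None and as_of > term_date + timedelta(days=grace_days):
            reason = "enabled %d days after termination" % (as_of - term_date).days
            if acct["last_login"] > term_date:
                reason += "; logged in after termination"  # audit this use
            findings.append((acct["user"], reason))
    return findings


def run_check():
    """Run the reconciliation over the constructed sample data."""
    return find_access_gaps(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, reason in run_check():
        print("%-12s %s" % (user, reason))
```

In practice the roster and account export would be pulled from the HRIS and the target system's directory, and the findings routed to whoever owns the offboarding checklist.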
PLAN FOR THE DIGITAL HR FUTURE
Source: DHL/Cisco, Internet of Things in Logistics (2015)
50 billion connected devices in the world by 2020 – 6.5 devices for every person on the planet – many in the workplace, all hackable.
IMPLICATIONS FOR HR
• Think “permanent enterprise risk” not “isolated IT event.”
• Plan your workforce cybersecurity strategy
• Know your people
• Educate
• Monitor sentiment
CONCLUSION:
TOOLS TO START WITH
TOP 10 PRIORITIES FOR ADDRESSING CYBER RISK: CHECKLIST FOR HR
CONCLUSION
• Ascertain your own Risk Tolerance:
– Review your data and your processes
– Plan your cybersecurity strategy accordingly
• Work with your Vendors:
– Ask questions: know exactly what your vendor provides and what those implications are for you
– Educate your workforce!
– Monitor times of workforce stress
Please enter your questions in the “Questions” section of your GoToWebinar panel
INTERESTED IN A GUEST PASS?
selectintel.mercer.com/guest/
Code: CYBERHR
ASCENTIS HCM
• Ascentis offers:
– Applicant tracking
– HRIS
– Talent Management
– Payroll
– Timekeeping
• All Ascentis solutions encrypt and secure data in-transit between client and server.
• With Ascentis you can:
– Automate recruiting
– Process payroll in real-time
– Have employee benefits automatically calculated
– Streamline professional development
ON-DEMAND WEBINARS: WATCH FROM ANYWHERE. AT ANY TIME. AT NO COST.
CONTACT US: 800.229.2713