Cybersecurity: Using your employees as the first line of defence

Employment Law Column - 21 February 2017

"As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know." - Donald Rumsfeld, US Secretary of Defense, 2002.

What poses the greatest cybersecurity risk to your business?  Is it cyber vigilantes trying to make the world a better place, like the so called "Impact Team" who stole user data from the extramarital affair-enabling website Ashley Madison in 2015?   

Or does your cybersecurity risk come from cyber criminals looking to exploit your business' weaknesses, like UK retailer Sports Direct experienced in September 2016, when a security hole in its staff portal was breached and the personal details of many of its 30,000 employees were stolen? 

While focusing on external cyber-threats, what many organisations don't consider are the cybersecurity risks posed by their own employees — the "known unknowns" of a business.     In mid-2015, Woolworths was the subject of an accidental data leak when an email containing a spreadsheet with the details of thousands of Woolworths' customers and a link to vouchers worth A$1,308,505 was inadvertently circulated by an employee to over 1000 people.   

Accidental data breaches are not restricted only to the private sector.. In November 2014, an Australian government employee accidentally sent an email containing the personal details of 31 world leaders attending the G20 Leaders' Summit, including Barack Obama, Vladimir Putin, Angela Merkel and David Cameron, to an unintended recipient.  Of course, this is probably not a concern for the current Leader of the Free World, as his personal details and musings are already publicly available: see Twitter handle "@realDonaldTrump"…

There's even a cyber-threat for the nautically inclined: "spear-phishing" occurs when a person creates a convincing email which appears to be from a reputable source.  However, when an employee opens the email, a virus is released and the employer's computer system becomes infected as a result.  This is becoming more prevalent, as cyber criminals target businesses' employees and attempt to coerce or manipulate them to reveal confidential information, or grant access to internal systems.

However, while employees can present a significant cyber-risk to employers, they can also be a business' greatest cyber-security asset and a strong first line of defence.  So, what can you do at the very minimum to ensure your employees are a help and not a hindrance to your cybersecurity?

  1. Provide employee training to assist in recognising and reporting potential cyber threats (including spear-phishing attempts).
  2. Develop and implement a thorough cybersecurity policy, outlining the requirement for employees to not install third party applications on their work computers, to maintain strong passwords, and to delete suspicious emails, among other things.
  3. Develop and implement a strong social media security policy to prevent confidential information being accidentally, or intentionally, posted online, and to avoid criminals being able to build detailed profiles of employees for the purpose of exploiting this information in spear-phishing campaigns.

Avoid being the next business to make headlines due to a data breach. Make sure you have measures in place to look after your cybersecurity, and to ensure that your employees won't be the ones causing you any cyber-headaches!


This article is part of a regular employment law column series for HRM Online by Workplace Relations & Safety partner Aaron Goonrey and Lawyer Luke Scandrett.  It was first published in HRM Online on 21 February 2017. The HRM Online version of this article is available here.



Further information

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.