HR, Technology and Analytics – an Update


3 SECURITY AND DATA PROTECTION

“No system is 100% safe. You have to do lots of due diligence and regular stress testing. But it’s the downstream people and behaviour issues that are the greater risk, and harder to guard against.”
HRIS head

A fundamental aspect of demonstrating digital competence is to be able to keep data secure – information held for and about customers, and about your own organisation and its employees. Yet the past year has seen an accumulation of instances where major companies’ systems have been compromised.

3.1 The threats are changing

Until recently, organisations’ major security concerns have revolved around
• commercial espionage, especially state-sponsored
• external criminals
• disgruntled or criminal employees
• hacking enthusiasts, hitherto usually having no significant agenda.

The range of threats is now expanding from mainly data theft to malicious damage of an organisation’s capacity to operate and its reputation. Newer sources of threat include
• protest and anti-business groups
• cyber-warfare units of states (sometimes masquerading as protest groups)
• state espionage agencies extending their scope of surveillance
• inter-company hostilities – commercial companies making cyber-attacks.

The world of cyber-threats is shadowy. It is often hard to identify the source of threats, the purpose, the extent of damage, or even whether one has been hacked at all. Estimates vary widely, but all point towards a large number of organisations having had their systems hacked and data stolen, and many not realising it. Security experts regularly demonstrate how easy it is to breach the security barriers of boardrooms, banks and other institutions.

Against all this, organisations must manage various tensions, such as
• ensuring security while also enhancing user-friendliness and mobile working
• encouraging people to exchange ideas and information freely while also being able to track movements
• reaching a mature understanding with employees about what is secret and what is transparent and shareable
• working similarly with contingent workforces, project and business partners, and customers.

Failure to strike a sensible balance undermines the benefits of investing in smart systems that facilitate greater collaboration, innovation and productivity. Where does your HR function feature in this debate?

State vs commerce

The cyber-attack against Sony Pictures in late 2014 laid bare weaknesses in corporate internet security and major shortcomings in how a government and companies work together to respond to attacks. The response to the attack was marked by, among other things, confusion, miscommunication, panicky decisions and conflicting objectives.

In this instance the US government sought to protect a company, but in other respects the state and industry are at distinct odds. Examples include
• escalating tensions over data privacy between the UK and US governments on the one hand, and technology companies on the other
• state agencies and police forces allowed to undertake widespread hacking and surveillance activities, some illegal, within commercial companies.

Europe-based data storage centres – ostensibly beyond the reach of US and other state agencies – have become a favoured option for many businesses and a selling point for vendors, particularly in the context of adoption of cloud-based services. Yet increasingly the US and UK governments are seeking cross-border controls – putting them at odds with mainland Europe governments.

At stake is whether any system, software programme or communication device used by companies and their employees has a ‘back door’ in it that can be exploited by a third party, be it government, criminal or competitor.
