Putting human resources at the heart of cyber security The UK government considers cyber security as a tier-one national security priority alongside international terrorism, with an annual cost of around £27 billion. Yet research shows that 96 per cent of all cyber crime could be addressed through adherence to the basic security policies that already exist in many organizations. In order for these policies to be effective, however, employees must understand their value and demonstrate their commitment to improved security by consistently applying them in the way they think and behave. Human resources directors can play a key role in keeping organizations safe in cyberspace by: Taking ownership of the security risk posed by employees Most employees assume that cyber security is a technical issue and it is not until after a successful attack that they start taking personal responsibility for security. Attitudes like this make an organization vulnerable. To improve their chances of success, hackers are now searching out the organizations that are likely to be less aware of the cyber threat: those that have not been attacked yet, such as smaller companies or those with a lower public profile. HR has a vital role to play in educating employees about the impact their attitudes and behavior have on the organization’s security. Ensuring that security measures are practical and ethical Controls can stop people acting in a way that places the organization at risk, but they must be consistent with the way people behave and think. For example, randomly generated passwords are hard to crack, but most people have to write them down, which defeats their purpose. Monitoring can allow organizations to examine what employees are doing but often raise questions of trust and cross the boundary between private life and business. The HR team is best placed to advise on whether policies are likely to work and whether they are appropriate. Identifying employees who may present a particular risk Breaking into a network takes minutes. However, finding and safely extracting what they want may take criminal’s months or even years of research and planning. To shorten this process, cyber criminals are getting help from insiders (whether knowing or manipulated) in more than half of all advanced attacks. Attackers use social media to identify a useful target and to create a relationship with them. They target people with a pre-disposition to break security controls such as those with strong views, who do not react well to authority. They look for a trigger event, which will break the employee's psychological contract with their employer – such as a demotion, change in role, redundancy or dismissal. Employees who take action against their employer are most likely to do so within 30 days of such an event. This gives the HR team a chance to intervene, including taking steps to increase monitoring and deter them. Managing an employee's exit with a view to security is also one of the most critical of all the contributions the HR team can make. PA has worked with the UK government’s Centre for the Protection of National Infrastructure (CPNI) to help define, develop and deliver new national guidance on managing people, physical and cyber risk. The guidance will ensure the UK is at the forefront of enabling organizations across its national infrastructure to reduce counterproductive behavior. The Article expresses that monitoring can allow organizations to examine what employees are doing for prosecution but on the flip side this often raise questions of trust and cross the boundary between private life and business. Is monitoring workers within an organization doing more harm then deterring cyber attack by creating its own HR issue of violation of privacy?