What can HR do to protect against the rising tide of data breaches and cyber-attacks?

Posted: 22/08/2024

Recent guidance from the Information Commissioner’s Office (ICO) has shown substantial increases in breaches of employee data (at a five-year high to 2023), with ransomware attacks specifically showing the biggest rise. 

Many recent breaches were aided by human error or recklessness from employees, with some rare cases caused by malicious intent from those within a business. It is now, more than ever, vital that HR works closely with IT to minimise the risk for businesses of data breaches and cyber security attacks.

Recent high profile data breaches to household names include:

• In 2018, Manchester United Football Club experienced a data breach of names, addresses and payslips of around 167 employees. Many of these workers recently presented a claim to the High Court against the club for up to £100,000.
• In December 2022, the Guardian newspaper had to close its UK offices for several months after a ransomware attack.
• Royal Mail suffered a cyber incident in January 2023, impacting its international letters and parcel services.
• The BBC, Aer Lingus, British Airways, Capita and Boots (amongst other major organisations) were targeted by a major cyber-attack in 2023 compromising personal data, addresses and bank details. A similar incident happened at the Police Service of Northern Ireland.
• Greater Manchester Police also saw a data breach occur when a company that makes its ID cards was subjected to a ransomware attack. This breach was particularly concerning given the impact that revealing police officers’ identities could have on undercover operations.
• The Armed Forces payroll system was hacked this year, exposing personal data of employees at the Ministry of Defence.
• More than 25,000 current and former BBC employees had their pension details exposed in a data breach this year. The manner of the breach was not disclosed but it was stated that the information had been copied from an online data storage service.

What are the common causes of data breaches?

Human error plays a big role. Sending an email to the wrong recipient or clicking ‘reply all’ by mistake are easy things to do. If the email contains sensitive information, such as a response to a particular employee’s medical report, then this can lead to a serious breach. 

Staff may be tricked into clicking an unsafe link which exposes the organisation to malware. If those in your supply chain are hacked, then this can make it even harder to recognise a socially engineered fake demand from a key client for urgent payments, or confidential files. The rise in deepfake technology means that fake phone calls and even fake video calls can appear genuine. This poses a much greater risk that staff unwittingly assist bad actors pretending to be their bosses or clients to steal data or money.

The rise of remote working poses further risks. Using personal devices and/or public Wi-Fi is less secure when compared to working on a company device within the office. Breaches can occur when staff log in at, for example, a café, without using a virtual private network (VPN). Additionally, if someone’s personal account has a virus, then logging into personal emails or social media accounts on a work computer can expose it to the same virus.

Employers also need to guard against deliberate acts. A BP employee was dismissed after her husband overheard her talking about a proposed acquisition of a business by BP in 2022, and then used the information to invest in the target company, making £1.3 million in unlawful profits from insider trading. Mr Louden pleaded guilty to criminal charges and his wife, who was not aware that he was doing this, has since commenced divorce proceedings. 

The same issues apply to hard copy documents containing personal or sensitive data. If left out, or lost, then this can cause just as much damage.

Additionally, some employees have their own criminal motives in mind. In 2014, Mr Skelton, a disgruntled senior IT auditor at Morrisons, downloaded pay records for 100,000 Morrisons employees and posted them on a file sharing website. Mr Skelton was sentenced to eight years’ imprisonment for various breaches of data protection legislation, and a claim was raised by the victims against Morrisons. 

What are the risks to an employer?

The case against Morrisons went to the Supreme Court. It held that Morrisons was not vicariously liable for Mr Skelton’s actions, as they were not ‘closely connected’ enough with what his role at Morrisons required him to do. However, if the facts were slightly different, the outcome could have made Morrisons liable for the breach. In human error cases (or where there were signs of the individual being at risk of disclosing personal data, such as repeated failures), vicarious liability is more likely to be established.

Even for seemingly innocent human error cases, the ICO can issue fines for up to €20 million, or 4% of annual worldwide turnover, if there were insufficient safeguards. Employees can also claim damages for the distress suffered from unauthorised disclosure of their personal data. 

What should HR do?

If a data breach occurs, the ICO will check whether there was clear guidance on how to report the mistake. It is better to identify the breach immediately in order to minimise the damage. HR’s role in steadying the ship can focus on creating a culture where staff feel able to report such an error. Disciplinary action may be relevant where mistakes have been made, but a heavy-handed approach can sometimes make staff cover up future breaches out of fear of reprisals. This inevitably makes matters worse.

Some key solutions that HR can consider are:

• Software can be added to ask the user to double check the recipient before emails are sent, or it can delay emails leaving the account, to give time to recall the message in cases where the error is immediately obvious.
• Access to personal accounts might be blocked on the company servers to minimise cross contamination where the personal accounts of staff have been compromised.
• There should be an easy way to dispose of confidential information securely at the employer’s workplace. Policies should also minimise hard copy documents being taken out of the office, and could ban working on public transport or in cafés.
• Passwords and software should be regularly updated, and two factor authentication and encryption of documents with especially sensitive personal data can be added. 

With all of the above points on policy and procedure, however, the ICO can still find flaws in a business’s approach if staff are not regularly trained on the issues to avoid and measures in place. Short but regular updates on risks to cyber security can go a long way to ensuring that staff are aware of their role. 

HR has a valuable part to play in trying to ensure that these problems are minimised and should work closely with IT so that the measures in place support staff education on avoiding risks. While IT can plug any holes to reduce further damage by highlighting spam and updating staff on what to do when a breach occurs, HR can steer the culture towards collaboration, in a collective effort to boost data security and navigate the waves of cyber-attacks businesses now face.

Return to news headlines