Cyber Security Consultancy: People

 

Introduction

The workforce is trusted. Roles are defined, systems are secure, and business is thriving. Everything feels under control – that is, until the incident happens…

A senior employee, with privileged access, has a serious grudge. One day, they take action. Sensitive payroll data, including names, bank details, and salaries, was leaked online. Headlines follow. Legal action starts. Reputational damage is taking place right in front of your eyes. People are always going to be your greatest asset. But there are also risks to consider.

This introduction is based on a real-life story of an insider threat, where nearly 100,000 employees had their personal data exposed. In this article, we focus on the theme of people, referencing a case study and providing general guidance and recommendations.

 

What is meant by People?

People relate to the support provided for staff (including contractors) and the associated culture. It relates to the understanding of risk, following policies, and handling of data. It includes training and managing insider threats. Empowering people to reduce human error and strengthen an organisation’s cyber resilience.

 

Example Case Study 

• • Organisation: WM Morrisons Supermarkets Plc 
  • Incident: A senior internal auditor, disgruntled after disciplinary action, deliberately leaked payroll data of nearly 100,000 employees, including names, bank details, salaries, and national insurance numbers. The data was posted online and sent to media outlets.
  • Financial Implications: The breach is reported to have cost Morrisons over £2 million to rectify. 
  • How it Links to the theme of People:
    • Insider threat – the importance of vetting, monitoring, and behavioural awareness
    • Staff awareness and training – the importance of educating staff on data handling and reporting concerns
    • Access control – the case study demonstrates the risks of access to sensitive data
• Source Information: https://www.bbc.co.uk/news/uk-england-42193502?link_location=live-reporting-story

 

General Guidance

• Staff awareness is key 
• Manage insider risks
• Ensure onboarding and offboarding processes protect sensitive data
• Ensure awareness training includes contractors 

 

Resulting Recommendations

1. Keep it simple and secure
2. Use a risk assessment and your risk appetite to help drive the requirements for your organisation
3. Deliver regular cyber awareness training 
4. Include contractors in training exercises and document attendance
5. Limit access rights based on job responsibilities and monitor for misuse
6. Implement starters, leavers and movers procedures
7. Seek guidance and support from an IASME Certification Body and Certified Information System Security Professional (CISSP) – such as RB Consultancy Ltd

 

How We Help

At RB Consultancy Ltd, we support organisations by:

• Providing templates, guidance and experience to support
• Explaining what security measures are available and how they can help
• Collaborating to implement controls to support the requirements
• Assessing and issuing certifications – such as Cyber Essentials and Cyber Assurance
• Contact us for consultancy and certification support

 

Conclusion

People are at the heart of every organisation. Employees are vital to organisational success; however, they can present a risk. The Morrisons case study shows how a single insider threat can lead to catastrophic events and reputational damage. Embedding cyber security into everyday operations can build trust and reduce weaknesses. 

RB Consultancy Ltd helps organisations understand the importance of people – we support the implementation of key requirements and help build cyber resilience. We are an IASME Certification Body and NCSC Assured Service Provider who provides services to empower and protect organisations. Holding CISSP and ISO 27001 lead implementer certification, you can Contact Us for assistance with cyber security resilience.

 

 

This blog is written by Remo Belisari, Managing Director of RB Consultancy Ltd. He is an experienced cyber security professional and cyber advisor. Remo holds certifications in CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance. He has many years of experience in IT and cybersecurity. He has supported organisations worldwide. His work includes helping a Fortune 500 company in the USA and over 100 organisations across the UK. The views in this blog are his own. They do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliates. The content is for general information only.