ManpowerGroup GC Speaks Out on Human Error: How to Mitigate It

A Conversation Between Christopher P. Skroupa, Skytop Editor-in-Chief, and Richard Buchband, Senior Vice President, General Counsel and Secretary of ManpowerGroup Inc. / September 7th, 2021 

Mr. Richard D. Buchband has been Senior Vice President, General Counsel and Secretary of ManpowerGroup Inc. since January 2013. Mr. Buchband leads Manpower Inc.’s overall legal strategy and function, as well as managing corporate governance and securities. He served as Chief Legal Officer at ManpowerGroup Inc. He served as General Counsel and Senior Vice President of Juno Online Services, Inc. since February 1998 and served as its secretary. Mr. Buchband was responsible for oversight of legal and human resources policies. He served as Vice President, Senior Corporate Counsel and Secretary of Orbitz, Inc. He served as Vice President of Juno from January 1997 to February 1998. He served as Associate Counsel of DESCO, LP from September 1995 to January 1997. Prior to September 1995, he was a corporate and transactional lawyer in New York. Mr. Buchband graduated magna cum laude with an A.B. from the Woodrow Wilson School of Public and International Affairs at Princeton University and received a J.D. from Columbia Law School.


Christopher Skroupa: Concept of human error – what does it mean for cyber risk?  How is employee error part of the picture? 

Richard Buchband: Leadership teams, and the boards of directors that oversee them, have become increasingly focused on enterprise risk management.  At the top of the ERM list for many companies is cyber-risk – the threat that your internal systems could be infiltrated or compromised by third parties intent on disruption, mischief, or political or financial gain.  As an example, one need look no further than the Colonial Pipeline ransomware attack in May 2021, in which one of the country’s leading oil pipeline companies acceded to a $4 million ransomware demand in order to regain control of its network.   

To combat these risks, companies rely on increasingly sophisticated defense mechanisms designed to quickly detect and respond to unusual activity, and to limit the potential impact or damage.

A critical part of a successful data protection framework is to minimize the possibility of human error.  Distracted employees can unknowingly execute malicious software, or fall prey to various social engineering or “phishing” campaigns that are disguised as legitimate business communications.  These can take many forms. But the good news is that thoughtful employee awareness programs can significantly reduce the risk of “user error.”   

Christopher Skroupa: What are the types of employee error that are the cause of cyber breaches? 

Richard Buchband: Certain types of careless behavior are so well-known as to be barely worth repeating:  Keeping passwords on sticky notes, using identical passwords on multiple applications, using public WiFi connections to log into company networks, and neglecting to install security updates.   Yet, lapses like these still occur, and they still create significant vulnerabilities for organizations.  

However, a more pernicious threat comes from various types of social engineering, or “phishing”. Here, bad actors will impersonate legitimate business contacts, in an effort to dupe unsuspecting users into opening an attachment, or clicking on a link, that will install malicious software onto company assets. The risk? Ransomware, data exfiltration, reputational damage and regulatory fines. In another paradigm, they may impersonate a senior executive in your organization, and direct the finance or accounts payable team to wire funds in support of a fictitious business opportunity… right into a bank account they control.

It wasn’t too long ago that such phishing campaigns were clumsy affairs, lacking the look and feel or even the correct grammar of legitimate business correspondence. That has changed.  The bad actors are getting much better, and they will often successfully “spoof” your external vendors – or even your internal colleagues – in an effort to gain trust and access. 

In our experience, employee awareness makes an enormous difference.  Employees at different levels of seniority and experience, with different cultural backgrounds and working in different countries, may not all have a common level of suspicion around emails and data security.  We have developed an anti-phishing program to assist employees with spotting suspicious emails.  And we test on this regularly.  Similarly, we have re-configured our email solutions, to make it easy for users to flag spam and report questionable emails immediately to our Security Team for investigation and remediation.  And we are continuously maturing our internal controls, as well as our monitoring capabilities, in an effort to improve our protective capabilities. 
