Worried about how cyber-secure your HR policies are? Fear not – Dan Medina is here with some advice.
Guarding so much sensitive information, the human resources department of any organisation is a juicy target for cybercriminals. All the financial and personal information it holds, including National Insurance numbers, dates of birth, bank details and home addresses, makes an HR department a magnet for malicious actors.
But when the vault with your most important and sensitive data about current and prospective employees is also one of the easiest access points for hackers, the margin for error in your security strategy is practically non-existent.
Recruitment agencies and HR departments are constantly bombarded with emails and attachments from aspiring talent, making them an ideal target for hackers and cybercriminals. Staff cannot avoid opening emails and attachments from people they do not know.
This means the job description of a recruiter is no longer just about attracting able candidates; recruiters must be cyber-conscious, spotting threats before their organisation’s infrastructure is compromised.
Nowadays we’re seeing an action as simple as opening a CV having the potential to completely devastate an organisation.
A prime example was the variant of the Petya ransomware, GoldenEye, a campaign in 2017 that distributed ransomware through malicious email attachments aimed at HR departments via fake job applications. This was a specific effort to abuse the fact that HR employees must open emails and attachments from unknown sources.
While many companies have room for improvement in their threat-prevention plans, they must also turn their focus to their employees’ awareness of the dangers associated with email correspondence. Here are some ways HR executives can keep their company safe from a cybercriminal’s go-to weapon while keeping the wheels in their department turning.
While it seems like one of the basics, ensuring your HR team is properly vetted is one of the most important first steps a company can take to secure its information.
HR professionals should be of the highest character and integrity given that they will handle the most sensitive employee data and be involved in some of the most complex organisational issues such as recruiting, promoting, and even firing of staff. There should be extra scrutiny for those charged with working through and handling the data for the most intimate of situations in an organisation.
Training, vigilance and good communication with the information security team
While many HR employees don’t have a cybersecurity background, they do play a crucial role in thwarting cyber-attacks. They need to be aware of and practise fundamental principles of information security, such as being attentive to suspicious grammar, text and URLs, and not opening emails that raise concerns.
They also need to be diligent about alerting their information security teams when correspondence is viewed as suspicious. In fact, it is critical that the HR and information security teams have well-established, open communication channels so that everyone is aware of their role and responsibility when an incident occurs.
Not only are HR staff the last line of defence against attacks targeted through their department, but they are also empowered to train employees and implement cybersecurity policies in the company as a whole. Knowing how to spot suspicious activity, training other employees to do the same and enforcing that behaviour will help immensely.
Implement effective tools
While it’s important for HR personnel to be vigilant, investment in the most advanced tools for securing the company perimeter is also critical. Although most organisations have numerous security products in place, older technologies like anti-virus are only effective to a certain point.
It’s well established that detection-based products like AV frequently fail when faced with the most elusive, advanced persistent threats. Even technologies like sandboxes are seen as increasingly porous, with new variants of malware designed to be ‘sandbox aware’.
With clear limitations on what both security software and humans can detect, new methods of defence like file-regeneration technology are coming to the fore.
Rather than trying to identify and block the ‘known bad’ which, aside from being increasingly ineffective, also results in a high number of ‘false positives,’ file-regeneration technology creates safe, clean and visually identical copies of files. This alleviates the pressure on HR staff and recruiters to spot malicious documents, allowing them to open every file with confidence and remain focused on their work.
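To make the regeneration idea concrete, here is an added example (not Glasswall’s product nor any vendor’s code) that rebuilds a .docx from an allowlist of the parts a plain Word document needs to render. Everything else in the package (a VBA project, OLE embeddings, external links) is simply never copied, so nothing has to be recognised as “known bad”. The allowlist, the relationship-cleanup logic, the constructed sample document and the helper names are all assumptions of this sketch; a production regenerator would additionally re-parse and rebuild the kept XML parts instead of copying them, and would rewrite document.xml so it no longer references the dropped relationship Ids.

```python
# Added illustrative sketch of file regeneration for .docx packages; not any vendor's implementation.
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
PLAIN_DOC_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Assumed allowlist: the parts a plain Word document needs in order to render.
# VBA projects, OLE embeddings, ActiveX and custom XML never match, so they are
# dropped without being inspected, which is the whole point of regeneration.
ALLOWED_PARTS = [re.compile(p) for p in (
    r"^\[Content_Types\]\.xml$",
    r"^_rels/\.rels$",
    r"^word/_rels/document\.xml\.rels$",
    r"^word/(document|styles|settings|fontTable|numbering)\.xml$",
    r"^word/theme/theme\d+\.xml$",
    r"^word/media/image\d+\.(png|jpe?g|gif)$",
    r"^docProps/(core|app)\.xml$",
)]


def part_allowed(name: str) -> bool:
    return any(p.match(name) for p in ALLOWED_PARTS)


def _rewrite_rels(xml_bytes: bytes, rels_name: str, kept: set) -> bytes:
    """Keep only relationships that resolve to a kept internal part; externals go."""
    root = ET.fromstring(xml_bytes)
    base = posixpath.dirname(posixpath.dirname(rels_name))  # 'word/_rels/x.rels' -> 'word'
    for rel in list(root):
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal") == "External"
        resolved = target.lstrip("/") if target.startswith("/") else posixpath.normpath(posixpath.join(base, target))
        if external or resolved not in kept:
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _rewrite_content_types(xml_bytes: bytes, kept: set) -> bytes:
    """Drop <Override> entries for removed parts; declare the main part macro-free."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        part = el.get("PartName")
        if part is not None and part.lstrip("/") not in kept:
            root.remove(el)
        elif el.get("ContentType", "").endswith("macroEnabled.main+xml"):
            el.set("ContentType", PLAIN_DOC_TYPE)  # the VBA project is gone
    ET.register_namespace("", CT_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def regenerate_docx(data: bytes) -> tuple:
    """Return (clean_docx_bytes, dropped_part_names). Output is a freshly written zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        names = src.namelist()
        kept = {n for n in names if part_allowed(n)}
        dropped = sorted(set(names) - kept)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in names:
                if name not in kept:
                    continue
                payload = src.read(name)
                if name == "[Content_Types].xml":
                    payload = _rewrite_content_types(payload, kept)
                elif name.endswith(".rels"):
                    payload = _rewrite_rels(payload, name, kept)
                dst.writestr(name, payload)  # original zip entry metadata is not copied
    return out.getvalue(), dropped


def list_parts(docx_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def relationship_targets(docx_bytes: bytes, rels_name: str) -> list:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [rel.get("Target") for rel in ET.fromstring(zf.read(rels_name))]


def content_types(docx_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    return {el.get("PartName"): el.get("ContentType") for el in root if el.get("PartName")}


def build_sample_docx() -> bytes:
    """Constructed sample (placeholders, not a real malicious file): a minimal document
    that also carries a VBA project, an OLE embedding and an external hyperlink."""
    rt = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"  # assumed prefix
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{rt}officeDocument" Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{rt}styles" Target="styles.xml"/><Relationship Id="rId2" Type="{rt}vbaProject" Target="vbaProject.bin"/><Relationship Id="rId3" Type="{rt}oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId4" Type="{rt}hyperlink" Target="https://example.invalid/cv" TargetMode="External"/><Relationship Id="rId5" Type="{rt}image" Target="media/image1.png"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>CV</w:t></w:r></w:p></w:body></w:document>',
        "word/styles.xml": f'<w:styles xmlns:w="{w}"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder",
        "word/embeddings/oleObject1.bin": b"constructed placeholder",
        "word/media/image1.png": b"\x89PNG constructed placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = regenerate_docx(build_sample_docx())
    print("dropped:", dropped)
    print("kept:", list_parts(clean))
```

Run as a script, it reports the two binary parts dropped from the sample and the parts that survived. The design choice to notice is that nothing in the code looks for a signature or a malicious pattern: the allowlist decides what a document is permitted to contain, and the relationship and content-type tables are rewritten so the rebuilt package is internally consistent without the removed parts.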
Understand third party risks
If an organisation is using a recruitment or staffing agency, it’s imperative to conduct an assessment of that agency. Just as the broader organisation may evaluate its supply chain, partners and integrators, there needs to be some level of assessment of a recruiting or staffing agency.
As with any third party, there is inherent risk in an agency operating on behalf of an organisation and gaining access to sensitive information.
We must all accept now that HR is one of the most vulnerable departments within any organisation precisely because one of its primary functions is to constantly receive and open files and documents from unknown senders.
By understanding the risks involved in this and implementing each of the best practices outlined above, HR departments can be better equipped to deal with malicious activity and help protect the crown jewels of their organisation, including all that sensitive information about employees.
About the author
Dan Medina is director of strategic and technical engagement at Glasswall Solutions.